Merge pull request dev-sec#267 from jbronn/moduli-when-hardening

Only manage moduli when hardening server
divialth · Mar 10, 2020 · 787356e · 787356e
2 parents f74b7c0 + bc8bda8
commit 787356e
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -55,12 +55,15 @@
   register: sshd_register_moduli
   changed_when: false
   check_mode: no
+  when: ssh_server_hardening | bool
 
 - name: remove all small primes
   shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
          [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
   notify: restart sshd
-  when: sshd_register_moduli.stdout
+  when:
+    - ssh_server_hardening | bool
+    - sshd_register_moduli.stdout
 
 - name: include tasks to setup ca keys and principals
   include_tasks: ca_keys_and_principals.yml