I'm trying to use the replace module to update SSL ciphers and seem to be
running into a Unicode issue.
The code:
---
- hosts: all
  gather_facts: False
  become: True
  vars:
    text_for_EL6:
      - { regexp: '^KexAlgorithms', line: 'KexAlgorithms diffie-hellman-group-exchange-sha256' }
      - { regexp: '^MACs', line: 'MACs hmac-sha2-512,hmac-sha2-256' }
      - { regexp: '^Ciphers', line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' }
    text_for_EL7:
      - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' }
      - { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' }
      - { regexp: '^MACs', line: 'MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com' }
  tasks:
    - name: check and store ssh version
      shell: rpm -qa openssh
      register: ssh_version_result

    - name: Set ciphers for EL6 - OpenSSL 5.3
      replace:
        backup: yes
        path: /etc/ssh/sshd_config
        regexp: '{{ item.regexp }}'
        replace: '{{ item.line }}'
      when: ssh_version_result.stdout.find('openssh-5') != -1
      with_items:
        - "{{ text_for_EL6 }}"
      notify: restart sshd

    - name: Set ciphers for EL7 - OpenSSL > 6.7
      replace:
        backup: yes
        path: /etc/ssh/sshd_config
        regexp: '{{ item.regexp }}'
        replace: '{{ item.line }}'
      when: ssh_version_result.stdout.find('openssh-7') != -1
      with_items:
        - "{{ text_for_EL7 }}"
      notify: restart sshd

  handlers:
    - name: restart sshd
      service: name=sshd state=restarted
...
The result:
$ ansible-playbook update_sshd_ciphers.yml --limit my_server
SUDO password:

PLAY [all]

TASK [check ssh versions]
 [WARNING]: Consider using yum, dnf or zypper module rather than running rpm
changed: [my_server]

TASK [Set ciphers for EL6 - OpenSSL 5.3]
skipping: [my_server] => (item={u'regexp': u'^KexAlgorithms', u'line': u'KexAlgorithms diffie-hellman-group-exchange-sha256'})
skipping: [my_server] => (item={u'regexp': u'^MACs', u'line': u'MACs hmac-sha2-512,hmac-sha2-256'})
skipping: [my_server] => (item={u'regexp': u'^Ciphers', u'line': u'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'})

TASK [Set ciphers for EL7 - OpenSSL > 6.7]
ok: [my_server] => (item={u'regexp': u'^KexAlgorithms', u'line': u'KexAlgorithms curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'})
ok: [my_server] => (item={u'regexp': u'^Ciphers', u'line': u'Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'})
ok: [my_server] => (item={u'regexp': u'^MACs', u'line': u'MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com'})

PLAY RECAP
my_server : ok=2    changed=1    unreachable=0    failed=0
I am not certain but I think the prepended 'u' is the problem.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/2cd76763-1ad7-4aed-9143-ade59f9d649c%40googlegroups.com.
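To see what the replace tasks above actually do to a config file, here is an added example (editor's code, not from the original post or from Ansible) that models the module as a re.subn with MULTILINE on constructed sshd_config fragments; the u'' prefix in the task output is Python 2's representation of unicode strings and is not part of the pattern, so plain strings are used here. It runs the post's keyword-only patterns next to whole-line patterns to show why a match that only consumes the directive keyword leaves the old algorithm list in place, and why a file whose directives are commented out yields "ok" with no change.

```python
import re

# Constructed sshd_config fragments (not from the original post). Stock
# EL6/EL7 files ship Ciphers and MACs commented out and have no
# KexAlgorithms line at all, so '^Ciphers' matches nothing and the module
# reports "ok" without touching the file (replace cannot add a line).
SSHD_CONFIG_DEFAULT = (
    "# Ciphers and keying\n"
    "#RekeyLimit default none\n"
    "#Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"
    "#MACs hmac-sha2-256,hmac-sha2-512\n"
)
# Constructed fragment with weak algorithms explicitly enabled.
SSHD_CONFIG_WEAK = "Ciphers aes128-cbc,3des-cbc\nMACs hmac-md5,hmac-sha1\n"

CIPHERS = "Ciphers aes256-ctr,aes192-ctr,aes128-ctr"
MACS = "MACs hmac-sha2-512,hmac-sha2-256"


def ansible_replace(contents, regexp, replacement):
    """Model of the replace module (assumption from its source): re.subn
    with MULTILINE. Returns (new_contents, changed)."""
    pattern = re.compile(regexp, re.MULTILINE)
    new_contents, count = pattern.subn(replacement, contents)
    return new_contents, count > 0


def apply_pairs(contents, pairs):
    """Run one replace per (regexp, line) pair, as with_items does."""
    changed_any = False
    for regexp, line in pairs:
        contents, changed = ansible_replace(contents, regexp, line)
        changed_any = changed_any or changed
    return contents, changed_any


# Patterns as in the post: only the keyword is matched, so the old
# algorithm list is kept after the inserted one and stays enabled.
PAIRS_AS_POSTED = [("^Ciphers", CIPHERS), ("^MACs", MACS)]
# Consume the whole line, commented out or not, so the weak list is
# removed and a commented default is turned into the hardened directive.
PAIRS_WHOLE_LINE = [("^#?Ciphers.*$", CIPHERS), ("^#?MACs.*$", MACS)]

if __name__ == "__main__":
    for cfg in (SSHD_CONFIG_DEFAULT, SSHD_CONFIG_WEAK):
        for pairs in (PAIRS_AS_POSTED, PAIRS_WHOLE_LINE):
            out, changed = apply_pairs(cfg, pairs)
            print("changed=%s\n%s" % (changed, out))
```

After a run like this, grepping the real file for the directives (including commented ones) is the quickest check that the regexps matched what was intended.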