From aac6f60c7e7a5f2041150ecc1a6db6ab3e2a6200 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 2 Mar 2017 13:32:25 +0100
Subject: [PATCH 1/3] Remove small dh primes

Thanks to debops! https://github.com/debops/ansible-sshd/
---
 defaults/main.yml | 2 ++
 tasks/main.yml | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 4cd4f22e..513f7569 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -140,3 +140,5 @@ ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffi
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
+
+sshd_moduli_minimum: 2048
diff --git a/tasks/main.yml b/tasks/main.yml
index c3aa756e..ac87aa79 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,6 +15,18 @@
 template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner=root group=root
 when: ssh_client_hardening
+- name: Check if /etc/ssh/moduli contains weak DH parameters
+ shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
+ register: sshd_register_moduli
+ changed_when: false
+ always_run: True
+
+- name: remove all small primes
+ shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+ [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+ notify: restart sshd
+ when: sshd_register_moduli.stdout
+
 - name: test to see if selinux is running
 command: getenforce
 register: sestatus
From f8b8dfe85dfb1cf1064b793f39b85dce560acd9e Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 2 Mar 2017 14:11:38 +0100
Subject: [PATCH 2/3] update travis to test debian 8

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 601cc21e..077192ea 100644
--- a/.travis.yml
+++ b/.travis.yml
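Review bot: `sshd_moduli_minimum: 2048` is added without the one-line comment that the `ssh_custom_selinux_dir` default right above it carries, so a reader of defaults/main.yml cannot tell what the number is compared against or where. Suggest placing `# Diffie-Hellman groups in /etc/ssh/moduli whose size field is below this value are removed (see tasks/main.yml)` above it. The value is substituted into an awk numeric comparison in tasks/main.yml, so it should stay an unquoted integer, unlike the quoted string values around it.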
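Review bot: The cut-off in `shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new` (and the `$5 <` check in the task above it) compares against the nominal bit size, but on the OpenSSH builds I know of the size column of /etc/ssh/moduli is one less than the group size (2047 for the 2048-bit groups), so the default of 2048 removes the 2048-bit groups as well; if that is not intended, compare against `{{ sshd_moduli_minimum - 1 }}` in both tasks or record the convention in a comment on the variable. `always_run: True` was deprecated in Ansible 2.2 in favour of `check_mode: no`, and the capitalised `True` clashes with the lowercase `changed_when: false` two lines above it. The trailing `|| true` turns a failed `mv` into a successful, changed task, so `restart sshd` is notified even though /etc/ssh/moduli was not replaced; dropping it and letting the task fail is the safer default. The first task uses no shell features, so `command:` would do there.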
@@ -39,6 +39,7 @@ env:
 - distro: debian8
 version: latest
+ run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 init: /sbin/init
 - distro: debian9
From bff281300b503568a3d56f934e09c62aeee7ab70 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 9 Mar 2017 20:23:58 +0100
Subject: [PATCH 3/3] update readme

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 41f1efaa..ba065158 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sftp_enabled` | false | true to enable sftp configuration|
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
+|`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
 ## Example Playbook
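Review bot: `run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"` gives the debian8 test container full host capabilities, and the hunk does not say why; presumably it is needed because this entry boots with `init: /sbin/init`, so a comment such as `# privileged + cgroup mount are needed to run the init system as PID 1 inside the container` above the line would record that. The `debian9` entry that starts on the last context line does not receive the same options within this hunk; if it also uses `init: /sbin/init` (its remaining lines are outside the hunk) it likely needs the same `run_opts`.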