Thursday, April 13, 2017

Quick Awk to remove weak Diffie Hellman moduli

I recently had an opportunity to quickly brush up on Awk, which I first learned during freshman year for a small assignment and had forgotten about since. A Diffie-Hellman modulus of 1024 bits or less is now considered breakable and no longer secure: your "secure" sessions can actually be eavesdropped on if the attacker has enough computing power.

As horrifying as it sounds, the fix is simple: remove the weak moduli. They live in the /etc/ssh/moduli file, which should look like the following:

# Time Type Tests Tries Size Generator Modulus
20150520235007 2 6 100 2047 5 (some hex)
20150520235015 2 6 100 2047 5 (some hex)
20150520235039 2 6 100 2047 2 (some hex)
...
...

I could go into what all the columns mean, but let's focus on Awk and just say that I needed to remove from this file every line where Size was 1024 or less. Because the file was already sorted by Size, my initial approach was to open it in Nano and Ctrl + K each line until all of the weak moduli were gone. A coworker suggested that I use some more brain power and go with Awk and Ansible, because we had about 20 servers to update (and also so I could blog about it).

After an hour of re-learning, this shell one-liner was forged:

  awk 'NR==1 || $5>2046' moduli > temp && mv temp moduli && chown root:root moduli
  (Assumes your current working directory is /etc/ssh. The first line is the column header and is always kept; every other line is kept only if its fifth field, Size, is greater than 2046, so the 1023- and 1535-bit entries are removed along with anything smaller.)

Here is the Ansible task you can simply plug into your YAML and let it work its magic on your 9000+ servers while you grab a quick coffee.
  - name: Remove insecure SSH moduli
    shell: awk 'NR==1 || $5>2046' moduli > temp && mv temp moduli && chown root:root moduli
    args:
      chdir: /etc/ssh/
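The one-liner and the Ansible task above rewrite the live file unconditionally, so it is worth having a version you can dry-run first and that refuses to leave sshd with an empty moduli list (sshd falls back to its built-in fixed group when the file is unusable, which is not what you want either). The script below is an added example written for this post, not the author's original command or anything shipped with OpenSSH or Ansible; the sample moduli content, the hex placeholders and the function names (filter_moduli, count_weak, replace_moduli) are all constructed for illustration. It applies the same Size > 2046 rule as the post, keeps a backup, and works on a copy of the data so the real /etc/ssh/moduli is untouched until you point it there.

```shell
#!/bin/sh
# Added example (not from the original post): filter an OpenSSH moduli file
# by its Size column (field 5), keeping comment lines and any row whose
# Size is greater than MIN_SIZE. Same rule as the post's awk: $5 > 2046.

MIN_SIZE=2046   # keeps 2047 and larger, drops 1023, 1535 and anything smaller

# Constructed sample resembling /etc/ssh/moduli; the hex moduli are placeholders.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150520235001 2 6 100 1023 2 ffffffff
20150520235002 2 6 100 1535 2 ffffffff
20150520235007 2 6 100 2047 5 ffffffff
20150520235015 2 6 100 2047 5 ffffffff
20150520235039 2 6 100 4095 2 ffffffff'

# Print the lines to keep from file $1: comment lines and rows with Size > $2.
filter_moduli() {
    awk -v min="$2" '/^#/ || $5+0 > min' "$1"
}

# Number of non-comment (modulus) lines in file $1.
count_moduli() {
    grep -vc '^#' "$1"
}

# Number of modulus lines in file $1 that would be dropped at threshold $2.
# Run this first as a dry-run sanity check before touching the real file.
count_weak() {
    awk -v min="$2" '!/^#/ && $5+0 <= min' "$1" | wc -l | tr -d ' '
}

# Replace file $1 in place at threshold $2: writes to a temp file, refuses to
# proceed if no moduli would remain, keeps a .bak copy, then moves the new
# file over the old one. Add "chown root:root" when running as root on
# /etc/ssh/moduli, as the post's one-liner does.
replace_moduli() {
    file="$1"; min="$2"
    tmp="$file.tmp.$$"
    filter_moduli "$file" "$min" > "$tmp"
    if [ "$(count_moduli "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        echo "refusing: no moduli with Size > $min would remain in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"
    chmod 0644 "$tmp"
    mv "$tmp" "$file"
}

# Demo on the constructed sample; writes only inside a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_MODULI" > "$d/moduli"
    echo "before: $(count_moduli "$d/moduli") moduli, $(count_weak "$d/moduli" "$MIN_SIZE") weak"
    replace_moduli "$d/moduli" "$MIN_SIZE"
    echo "after:  $(count_moduli "$d/moduli") moduli remain"
    rm -rf "$d"
}

demo
```

To use it on a real host, run `count_weak /etc/ssh/moduli 2046` first to see how many rows will go, then `replace_moduli /etc/ssh/moduli 2046` as root. The temp-file-then-mv step is what the post's one-liner does too; the extra pieces are the refusal to write an empty file and the .bak copy, both of which are cheap insurance when the same task is about to run across twenty (or 9000) servers.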