Issue
I have a task within my playbook where I want to add a new line and place it after a certain line, but after I run it, it adds to the bottom of the file rather than the destination I would like. Any idea as to why this keeps being placed at the end of my file? There are a total of 41 lines in the sshd_config file.
```yaml
- name: Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file
  lineinfile:
    path: /etc/ssh/sshd_config
    line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
    insertafter: '17'
    state: present
    create: true
  become: true
  become_method: sudo
```
Results
```text
Protocol 2
ListenAddress 127.0.0.1
ListenAddress 10.224.122.141
SyslogFacility AUTHPRIV
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
[email protected],[email protected],[email protected],hmac-sha2-256,[email protected],hmac-sha2-512
KexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
HostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected]
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding no
AllowTCPForwarding yes
AllowAgentForwarding yes
ClientAliveCountMax 0
ClientAliveInterval 900
Banner /etc/issue
Subsystem sftp /usr/libexec/openssh/sftp-server
DenyGroups service
Match User AWS_GDIT_Nessus,AWS_GDIT_Retina,AWS_IP360,nessus_service
PasswordAuthentication yes
Match Group ansible
PasswordAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
PubkeyAuthentication yes
GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
sh-4.4$
```
Emros Correction:
```yaml
- name: Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file
  lineinfile:
    path: /etc/ssh/sshd_config
    line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
    insertafter: '^.*MACs=hmac-sha2-256'
    state: present
    create: true
  become: true
  become_method: sudo
```
Full Ansible Playbook
```yaml
---
- name: MAC SSH Vulnerability FIX
  hosts: all
  tasks:
    - name: Backing up /etc/ssh/sshd_config
      shell: cp -prf /etc/ssh/sshd_config /etc/ssh/sshd_config.10-19-23
      become: true
      become_method: sudo
    - name: Uncomment the CRYPTO_POLICY setting in /etc/sysconfig/sshd file
      replace:
        path: /etc/sysconfig/sshd
        regexp: '# CRYPTO_POLICY='
        replace: 'CRYPTO_POLICY='
      become: true
      become_method: sudo
    - name: Updating ciphers directive in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        line: '[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr'
      become: true
      become_method: sudo
    - name: Updating MACs directive in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        # the keyword is spelled MACs and the regexp is case-sensitive
        regexp: '^MACs'
        line: '[email protected],[email protected],[email protected],hmac-sha2-256,[email protected],hmac-sha2-512'
      become: true
      become_method: sudo
    - name: Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
        insertafter: '^.*MACs=hmac-sha2-256'
        state: present
        create: true
      become: true
      become_method: sudo
    - name: Updating KexAlgorithms in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^KexAlgorithms'
        line: 'KexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1'
      become: true
      become_method: sudo
    - name: Updating HostKeyAlgorithms in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'HostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected]'
        # insertafter is a regular expression, not a line number (same issue as the task above)
        insertafter: '18'
      become: true
      become_method: sudo
    - name: Restarting sshd service
      become: yes
      become_user: root
      ansible.builtin.service:
        name: sshd
        state: restarted
```
Solution
I don't understand. You seem to want to insert a line after '17', but it is not possible with the lineinfile module to insert based on a line number. Line 17 corresponds to 'PasswordAuthentication yes', so I suggest you change your code to the following:

```yaml
- name: "Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file"
  lineinfile:
    path: "/etc/ssh/sshd_config"
    line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
    insertafter: '^PasswordAuthentication yes'
    state: present
  become: yes
```
In this example, the GSSAPIKexAlgorithms line will be added after the line containing 'PasswordAuthentication yes,' which is line 17 in the provided file.
You can use the template module if you don't want to use the lineinfile module.
Answered By - Emros Answer Checked By - Mary Flores (WPSolving Volunteer)
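The question's playbook and the answer both turn on one detail of `lineinfile`: `insertafter` is a regular expression, it is applied with `re.search`, a non-matching pattern appends at end of file, and when several lines match the new line goes after the last match unless `firstmatch: true` is set. That explains the Results above: nothing in the file contains the substring `17`, so the GSSAPIKexAlgorithms line was appended at EOF (and, because the file ends in a `Match Group ansible` block, sshd would scope that directive to the Match block rather than treating it as global), while `'18'` does match `diffie-hellman-group18-sha512` in the KexAlgorithms line, which is consistent with HostKeyAlgorithms landing right after it. The anchor `^PasswordAuthentication yes` from the answer also matches the copy inside the `Match User` block, so by default the line would go there. The script below is an added example, not code from the question, the answer or Ansible itself; it is a small Python model of those `lineinfile` rules run over a constructed sshd_config fragment, with a helper that reports which `Match` block (if any) a given line falls under, so an anchor can be checked before the playbook runs.

```python
"""Model of the Ansible lineinfile `insertafter` rules that matter for
sshd_config edits: the anchor is a regex, no match means append at EOF,
several matches mean "after the LAST match" unless firstmatch is set.
This is an illustrative reimplementation, not Ansible's own code."""
import re

# Constructed sample modelled on the sshd_config in the question (not the
# real file). Line 4 is the global PasswordAuthentication; the same keyword
# is repeated inside a Match block at the end, as in the question's file.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512
KexAlgorithms=curve25519-sha256,diffie-hellman-group18-sha512
GSSAPIAuthentication no
Match User scanner
PasswordAuthentication yes
"""

NEW_LINE = "GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-group16-sha512-"


def lineinfile_insertafter(text, line, insertafter, firstmatch=False):
    """Return (new_text, index): index is the 0-based position of `line`.
    Like lineinfile, an already-present identical line is left alone;
    otherwise insert after the last (or first) regex match, else at EOF."""
    lines = text.splitlines()
    if line in lines:
        return text, lines.index(line)          # idempotent: nothing to do
    pattern = re.compile(insertafter)
    hits = [i for i, l in enumerate(lines) if pattern.search(l)]
    if not hits:
        idx = len(lines)                        # no match: append at EOF
    else:
        idx = (hits[0] if firstmatch else hits[-1]) + 1
    lines.insert(idx, line)
    return "\n".join(lines) + "\n", idx


def enclosing_match_block(text, idx):
    """Return the 'Match ...' line governing the line at `idx`, or None if it
    is in the global section. In sshd_config every line after a Match line
    applies only to matching connections until the next Match line or EOF."""
    block = None
    for i, l in enumerate(text.splitlines()):
        if re.match(r"^\s*Match\b", l):
            block = l.strip()
        if i == idx:
            return block
    return None


def placement_report(anchor, firstmatch=False):
    """Dry-run one anchor against the sample and describe where the line
    would land, so a bad anchor is caught before touching a real host."""
    new_text, idx = lineinfile_insertafter(
        SAMPLE_SSHD_CONFIG, NEW_LINE, anchor, firstmatch)
    lines = new_text.splitlines()
    return {
        "anchor": anchor,
        "line_number": idx + 1,                 # 1-based, as an editor shows it
        "previous_line": lines[idx - 1] if idx > 0 else None,
        "match_block": enclosing_match_block(new_text, idx),
    }


if __name__ == "__main__":
    for anchor, first in [("17", False), ("18", False),
                          ("^PasswordAuthentication yes", False),
                          ("^PasswordAuthentication yes", True),
                          ("^.*MACs=hmac-sha2-256", False)]:
        r = placement_report(anchor, first)
        print(f"{anchor!r:32} firstmatch={first!s:5} -> line {r['line_number']:2} "
              f"after {r['previous_line']!r}; match block: {r['match_block']}")
```

A `match_block` other than `None` in the report means the directive would not be global; anchoring on a unique global line such as the `MACs=` directive (the correction used on the page), or adding `firstmatch: true` when anchoring on a keyword that recurs inside `Match` blocks, keeps it in the global section. Running the task twice returns the same text and index, which is the idempotence `lineinfile` relies on.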