Merge "rhel7stig: sshd.yml: Respect the STIG sshd configuration" into…

… stable/ocata
justinpersaud · Nov 14, 2017 · f0c87ff · f0c87ff
2 parents f4a60c9 + 298dda5
commit f0c87ff
Showing 1 changed file with 1 addition and 16 deletions.
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
@@ -13,21 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Adding additional sshd configuration options is usually easy, but if a
-# configuration file ends with certain configurations, like a "Match" stanza,
-# we need a blank line to separate those configurations from the ones that
-# are added by the security role. For that reason, we check for the existence
-# of a marker line here and add a marker line to the file if it doesn't exist.
-
-- name: Find first 'Match' line in sshd_config (if it exists)
-  shell: "grep '^Match' /etc/ssh/sshd_config || echo 'EOF'"
-  register: sshd_match_check
-  changed_when: False
-  check_mode: no
-  tags:
-    - always
-    - sshd
-
 - name: Copy login warning banner
   copy:
     src: login_banner.txt
@@ -45,7 +30,7 @@
     dest: /etc/ssh/sshd_config
     state: present
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
-    insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
+    insertbefore: "BOF"
     validate: '/usr/sbin/sshd -T -f %s'
     block: "{{ lookup('template', 'sshd_config_block.j2') }}"
   notify: