From 0b85e9757ec6a9bde123eeef43a19eabd2a4f5e8 Mon Sep 17 00:00:00 2001
From: Chad Sheets
Date: Mon, 30 May 2016 22:27:28 -0800
Subject: [PATCH 1/2] Fixed KexAlgorithms Conditional Statement

Corrected the conditional statement which was missing an `elif`. (also now with same formating as openssh client template), sshd_kex_59_weak was omitted and is now re-added and `client` selector needed to be changed to `server` for sshd template.

---
 templates/opensshd.conf.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index 8e1a5e2..71b7309 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -99,7 +99,7 @@ LogLevel VERBOSE
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
- {% if ssh_client_weak_kex -%}
+ {% if sshd_server_weak_kex -%}
 KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
 {% else -%}
 KexAlgorithms {{ ssh_kex_66_default | join(',') }}
@@ -107,6 +107,8 @@ LogLevel VERBOSE
 {% else -%}
 {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
 #KexAlgorithms
+ {% elif sshd_server_weak_kex -%}
+ KexAlgorithms {{ sshd_kex_59_weak | join(',') }}
 {% else -%}
 KexAlgorithms {{ ssh_kex_59_default | join(',') }}
 {% endif %}

From a17aa4967baa55874d1cd9600aa3b9a30b356b38 Mon Sep 17 00:00:00 2001
From: Chad Sheets
Date: Mon, 6 Jun 2016 17:40:20 -0800
Subject: [PATCH 2/2] Corrected a type in ssh_server_weak_kex

---
 templates/opensshd.conf.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index 71b7309..2582ac2 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
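Review bot: The `elif` branch added in the `@@ -107,6 +107,8 @@` hunk reads `sshd_kex_59_weak`, while every other algorithm list in this file uses the `ssh_` prefix (`ssh_kex_66_weak`, `ssh_kex_66_default`, `ssh_kex_59_default`), and the selector itself is renamed to `ssh_server_weak_kex` in the follow-up patch. If the role's defaults define the list as `ssh_kex_59_weak` rather than `sshd_kex_59_weak` (the defaults file is not in this series, so this is unconfirmed), the line renders an undefined variable and the `join` filter fails at template time, but only when the weak-kex flag is set, so a default run would not exercise it; please check the name against the defaults or change the line to `KexAlgorithms {{ ssh_kex_59_weak | join(',') }}`. The same line appears as context in the second patch's `@@ -107,7 +107,7 @@` hunk and would need the same fix. Because this branch intentionally relaxes the hardened KEX list, rendering a marker comment above it, e.g. `# KexAlgorithms relaxed: weak kex enabled via ssh_server_weak_kex`, would make the override visible to anyone auditing the generated sshd_config.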
@@ -8,7 +8,7 @@
 # Basic configuration
 # ===================
 
-# Either disable or only allow root login via certificates.
+# Either disable or only allowssh root login via certificates.
 PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
 
 # Define which port sshd should listen to. Default to `22`.
@@ -99,7 +99,7 @@ LogLevel VERBOSE
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
- {% if sshd_server_weak_kex -%}
+ {% if ssh_server_weak_kex -%}
 KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
 {% else -%}
 KexAlgorithms {{ ssh_kex_66_default | join(',') }}
@@ -107,7 +107,7 @@ LogLevel VERBOSE
 {% else -%}
 {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
 #KexAlgorithms
- {% elif sshd_server_weak_kex -%}
+ {% elif ssh_server_weak_kex -%}
 KexAlgorithms {{ sshd_kex_59_weak | join(',') }}
 {% else -%}
 KexAlgorithms {{ ssh_kex_59_default | join(',') }}
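Review bot: The `@@ -8,7 +8,7 @@` hunk replaces the comment above `PermitRootLogin` with `# Either disable or only allowssh root login via certificates.`, which introduces a typo (`allowssh`) in a commit whose stated purpose is the rename of `sshd_server_weak_kex` to `ssh_server_weak_kex`; this looks like a stray keystroke rather than an intended edit. Restore the original line: `# Either disable or only allow root login via certificates.`. The line is a comment in the rendered sshd_config, so it does not change behaviour, but it is copied into the configuration of every managed host.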