Provide granular noop for shh configuration

Author: seven-beep

roles/ssh_hardening/README.md

@@ -140,7 +140,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Required: no
 - `ssh_ciphers`
   - Default: ``
-  - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
+  - Description: Change this list to overwrite ciphers. If false this configuration will be skipped. Defaults found in `defaults/main.yml`
   - Type: list
   - Required: no
 - `ssh_client_alive_count`
@@ -240,7 +240,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Required: no
 - `ssh_host_key_algorithms`
   - Default: ``
-  - Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
+  - Description: Host key algorithms that the server offers. If empty the default list will be used. If false this configuration will be skipped. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version
   - Type: list
   - Required: no
 - `ssh_host_key_files`
@@ -260,7 +260,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Required: no
 - `ssh_kex`
   - Default: ``
-  - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
+  - Description: Change this list to overwrite kexs. If false this configuration will be skipped. Defaults found in `defaults/main.yml`
   - Type: list
   - Required: no
 - `ssh_listen_to`
@@ -275,7 +275,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Required: no
 - `ssh_macs`
   - Default: ``
-  - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
+  - Description: Change this list to overwrite macs. If false this configuration will be skipped. Defaults found in `defaults/main.yml`
   - Type: list
   - Required: no
 - `ssh_max_auth_retries`

roles/ssh_hardening/defaults/main.yml

@@ -41,7 +41,7 @@ ssh_client_port: "22" # ssh
 ssh_listen_to: [0.0.0.0] # sshd
 
 # Host keys to look for when starting sshd.
-ssh_host_key_files: [] # sshd
+ssh_host_key_files: none # sshd
 
 # Host RSA key size in bits
 ssh_host_rsa_key_size: 4096 # sshd
@@ -206,9 +206,9 @@ ssh_max_startups: 10:30:60 # sshd
 
 ssh_ps59: sandbox
 
-ssh_macs: []
-ssh_ciphers: []
-ssh_kex: []
+ssh_macs: none
+ssh_ciphers: none
+ssh_kex: none
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: /etc/selinux/local-policies
 

roles/ssh_hardening/tasks/hardening.yml

@@ -35,23 +35,23 @@
   ansible.builtin.set_fact:
     sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
 
-- name: Set default for ssh_host_key_files if not supplied
+- name: Set default for ssh_host_key_files if none
   ansible.builtin.include_tasks: crypto_hostkeys.yml
   when:
     - ssh_server_hardening | bool
-    - not ssh_host_key_files
+    - ssh_host_key_files is none
 
-- name: Set default for ssh_macs if not supplied
+- name: Set default for ssh_macs if none
   ansible.builtin.include_tasks: crypto_macs.yml
-  when: not ssh_macs
+  when: ssh_macs is none
 
-- name: Set default for ssh_ciphers if not supplied
+- name: Set default for ssh_ciphers if none
   ansible.builtin.include_tasks: crypto_ciphers.yml
-  when: not ssh_ciphers
+  when: ssh_ciphers is none
 
-- name: Set default for ssh_kex if not supplied
+- name: Set default for ssh_kex if none
   ansible.builtin.include_tasks: crypto_kex.yml
-  when: not ssh_kex
+  when: ssh_kex is none
 
 - name: Create revoked_keys and set permissions to root/600
   ansible.builtin.template: