Do not use bash to get ssh version

tasks/crypto.yml

@@ -3,65 +3,65 @@
 - name: set hostkeys according to openssh-version
   set_fact:
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
-  when: sshd_version.stdout is version('6.3', '>=') and not ssh_host_key_files
+  when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
 
 - name: set hostkeys according to openssh-version
   set_fact:
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
-  when: sshd_version.stdout is version('6.0', '>=') and not ssh_host_key_files
+  when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
 
 - name: set hostkeys according to openssh-version
   set_fact:
     ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
-  when: sshd_version.stdout is version('5.3', '>=') and not ssh_host_key_files
+  when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
 
 ###
 
 - name: set macs according to openssh-version if openssh >= 7.6
   set_fact:
     ssh_macs: '{{ ssh_macs_76_default }}'
-  when: sshd_version.stdout is version('7.6', '>=') and not ssh_macs
+  when: sshd_version is version('7.6', '>=') and not ssh_macs
 
 - name: set macs according to openssh-version if openssh >= 6.6
   set_fact:
     ssh_macs: '{{ ssh_macs_66_default }}'
-  when: sshd_version.stdout is version('6.6', '>=') and not ssh_macs
+  when: sshd_version is version('6.6', '>=') and not ssh_macs
 
 - name: set macs according to openssh-version
   set_fact:
     ssh_macs: '{{ ssh_macs_59_default }}'
-  when: sshd_version.stdout is version('5.9', '>=') and not ssh_macs
+  when: sshd_version is version('5.9', '>=') and not ssh_macs
 
 - name: set macs according to openssh-version
   set_fact:
     ssh_macs: '{{ ssh_macs_53_default }}'
-  when: sshd_version.stdout is version('5.3', '>=') and not ssh_macs
+  when: sshd_version is version('5.3', '>=') and not ssh_macs
 
 ###
 
 - name: set ciphers according to openssh-version if openssh >= 6.6
   set_fact:
     ssh_ciphers: '{{ ssh_ciphers_66_default }}'
-  when: sshd_version.stdout is version('6.6', '>=') and not ssh_ciphers
+  when: sshd_version is version('6.6', '>=') and not ssh_ciphers
 
 - name: set ciphers according to openssh-version
   set_fact:
     ssh_ciphers: '{{ ssh_ciphers_53_default }}'
-  when: sshd_version.stdout is version('5.3', '>=') and not ssh_ciphers
+  when: sshd_version is version('5.3', '>=') and not ssh_ciphers
 
 ###
 
 - name: set kex according to openssh-version if openssh >= 8.0
   set_fact:
     ssh_kex: '{{ ssh_kex_80_default }}'
-  when: sshd_version.stdout is version('8.0', '>=') and not ssh_kex
+  when: sshd_version is version('8.0', '>=') and not ssh_kex
 
 - name: set kex according to openssh-version if openssh >= 6.6
   set_fact:
     ssh_kex: '{{ ssh_kex_66_default }}'
-  when: sshd_version.stdout is version('6.6', '>=') and not ssh_kex
+  when: sshd_version is version('6.6', '>=') and not ssh_kex
 
 - name: set kex according to openssh-version
   set_fact:
     ssh_kex: '{{ ssh_kex_59_default }}'
-  when: sshd_version.stdout is version('5.9', '>=') and not ssh_kex
+  when: sshd_version is version('5.9', '>=') and not ssh_kex

tasks/hardening.yml

@@ -8,13 +8,15 @@
    - '{{ ansible_os_family }}.yml'
 
 - name: get openssh-version
-  shell: set -o pipefail && ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
-  args:
-    executable: /bin/bash
+  command: ssh -V
+  register: sshd_version_raw
   changed_when: false
-  register: sshd_version
   check_mode: no
 
+- name: parse openssh-version
+  set_fact:
+    sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
+
 - name: include tasks to create crypo-vars
   include_tasks: crypto.yml
 

templates/openssh.conf.j2

@@ -90,7 +90,7 @@ ForwardX11 no
 
 # Never use host-based authentication. It can be exploited.
 HostbasedAuthentication no
-{% if sshd_version.stdout is version('7.6', '<') %}
+{% if sshd_version is version('7.6', '<') %}
 RhostsRSAAuthentication no
 # Enable RSA authentication via identity files.
 RSAAuthentication yes
@@ -119,7 +119,7 @@ Compression yes
 #EscapeChar ~
 #VisualHostKey yes
 
-{% if sshd_version.stdout is version('7.1', '<=') %}
+{% if sshd_version is version('7.1', '<=') %}
 # Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
 UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
 {% endif %}

templates/opensshd.conf.j2

@@ -83,10 +83,10 @@ LogLevel {{ sshd_log_level }}
 # --------------
 
 # Secure Login directives.
-{% if sshd_version.stdout is version('7.4', '<') %}
+{% if sshd_version is version('7.4', '<') %}
 UseLogin no
 {% endif %}
-{% if sshd_version.stdout is version('7.5', '<') %}
+{% if sshd_version is version('7.5', '<') %}
 UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 {% endif %}
 
@@ -110,7 +110,7 @@ UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
 
 # Set AuthenticationMethods per default to publickey
 # AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
-{% if sshd_version.stdout is version('6.2', '>=') %}
+{% if sshd_version is version('6.2', '>=') %}
 AuthenticationMethods {{ sshd_authenticationmethods }}
 {% endif %}
 
@@ -174,7 +174,7 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access
-{% if sshd_version.stdout is version('6.2', '>=') %}
+{% if sshd_version is version('6.2', '>=') %}
 AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}
 {% else %}
 AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}