VMware Support Community
mmctr_47
Contributor

VCSA 7.0.3 Photon OS sshd_config FipsMode config

I am checking out the VMware DoD community Ansible playbook to implement STIGs for Photon OS 3.0. When I went to make sure that it was idempotent in its execution (run once, run again) I immediately found that sshd had failed to start after running the playbook. The problem was a duplicate configuration in /etc/ssh/sshd_config that comes out of the box with the VCSA regardless of whether or not you use STIGs.

What I found is that the playbook detected the first instance of "FipsMode yes" in /etc/ssh/sshd_config and then added the "Ciphers" line as necessary after it. Unfortunately, some configs have a certain order of operations to them and the service failed to start because it detected the Ciphers line was preceding FipsMode yes in the config. Examination of the v00500 and v00600 appliances (base builds, mind you) shows a duplicate "FipsMode yes" within /etc/ssh/sshd_config.

I am just helping the VM guy and maybe he'll run this up the support contract channel/flag, but I figured I'd post it here as well as a word of warning to always QA other folks' work, because sometimes the vendor makes mistakes too!

Bottom line up front on the VMware side: maybe comment out/remove the duplicated FipsMode yes in /etc/ssh/sshd_config

I'll have to post up something similar on the github side for the playbook. Someone should have noticed if they had simply just tried to run the playbook more than once.

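The two conditions the post describes (a duplicated FipsMode directive, and a Ciphers line that ends up before a FipsMode line because the playbook anchored on the first match) are easy to check for before restarting sshd. The script below is an added example, not code from the post or from the DoD STIG playbook; it treats FipsMode as the Photon OS sshd directive the post names, uses a constructed sshd_config sample rather than a real appliance file, and comments out every FipsMode line after the first so that an existing Ciphers line stays below the surviving one.

```shell
#!/bin/sh
# Added example (not the DoD playbook's code). Checks an sshd_config for a
# duplicated "FipsMode" directive and for a "Ciphers" line that precedes a
# "FipsMode" line, then writes a copy with the duplicate commented out.
# "FipsMode" is taken from the post as a Photon OS sshd directive; the
# sample config further down is constructed, not from a real appliance.

# Print the line numbers of every uncommented occurrence of directive $2 in file $1.
# Case-insensitive and tolerant of leading whitespace, like sshd's own parser.
directive_lines() {
    grep -n -i -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | cut -d: -f1
}

# True (exit 0) when directive $2 appears more than once in $1.
has_duplicate() {
    n=$(directive_lines "$1" "$2" | wc -l | tr -d '[:space:]')
    [ "$n" -gt 1 ]
}

# True when the first Ciphers line precedes the last FipsMode line, which is
# the ordering the post reports sshd refusing to start with.
ciphers_before_fipsmode() {
    first_ciphers=$(directive_lines "$1" Ciphers | head -n 1)
    last_fips=$(directive_lines "$1" FipsMode | tail -n 1)
    [ -n "$first_ciphers" ] && [ -n "$last_fips" ] && [ "$first_ciphers" -lt "$last_fips" ]
}

# Write a copy of $1 to $2 with every FipsMode line after the first commented out.
# Keeping the first occurrence means a Ciphers line inserted after it stays valid.
comment_duplicate_fipsmode() {
    awk '
        /^[ \t]*[Ff][Ii][Pp][Ss][Mm][Oo][Dd][Ee]([ \t]|$)/ {
            if (seen++) { print "# duplicate, disabled: " $0; next }
        }
        { print }
    ' "$1" > "$2"
}

# Report both findings for $1; exit 0 only when neither is present.
check_config() {
    rc=0
    if has_duplicate "$1" FipsMode; then
        echo "$1: FipsMode appears more than once (lines $(directive_lines "$1" FipsMode | tr '\n' ' '))"
        rc=1
    fi
    if ciphers_before_fipsmode "$1"; then
        echo "$1: Ciphers (line $(directive_lines "$1" Ciphers | head -n 1)) precedes a FipsMode line"
        rc=1
    fi
    return $rc
}

# Constructed sample resembling the state described in the post: Ciphers was
# inserted after the first FipsMode, and a second FipsMode sits further down.
make_sample_broken() {
    cat > "$1" <<'EOF'
# constructed sample, not a real appliance file
Port 22
FipsMode yes
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
PermitRootLogin no
FipsMode yes
EOF
}

# Demo: report the findings, apply the fix, re-check. Always exits 0.
demo() {
    broken=$(mktemp) && fixed=$(mktemp)
    make_sample_broken "$broken"
    check_config "$broken" || echo "-> problems found, commenting out the duplicate"
    comment_duplicate_fipsmode "$broken" "$fixed"
    check_config "$fixed" && echo "-> fixed copy passes"
    rm -f "$broken" "$fixed"
}
demo
```

Run it against a copy of /etc/ssh/sshd_config before and after the playbook; `check_config` returning non-zero is the signal to stop before `systemctl restart sshd`. Running `sshd -t` on the fixed copy is still the authoritative test, since this script only encodes the two conditions the post identified.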