fix(cis): make mlkem768x25519-sha256 KexAlgorithm conditional on OpenSSH 9.9+

roles/cis/tasks/sshd.yml

@@ -30,7 +30,21 @@
     - { option: PermitTunnel, value: "no" }
     - { option: Banner, value: /etc/issue.net }
 
+- name: Detect target OpenSSH version
+  ansible.builtin.shell: >-
+    {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
+  register: cis_sshd_openssh_version
+  changed_when: false
+  failed_when: false
+
 - name: Append CIS specific configurations to sshd_config
+  vars:
+    cis_sshd_has_mlkem: "{{ (cis_sshd_openssh_version.stdout | default('0.0') is version('9.9', '>=')) }}"
+    cis_sshd_kex: >-
+      {{
+        (['mlkem768x25519-sha256'] if cis_sshd_has_mlkem | bool else [])
+        + ['curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256']
+      }}
   ansible.builtin.blockinfile:
     path: /mnt/etc/ssh/sshd_config
     marker: "# {mark} CIS SSH HARDENING"
@@ -38,7 +52,7 @@
       ## CIS Specific
       ### Ciphers and keying ###
       RekeyLimit 512M 6h
-      KexAlgorithms  mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
+      KexAlgorithms  {{ cis_sshd_kex | join(',') }}
       Ciphers        aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
       MACs           hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
       ###########################