adds option to opt-out of RHEL 8 crypto policies

In RHEL 8 these are hard-wired in the service via:

```
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
```

The `sysconfig` file can override the ones from crypto policies.

README.md

@@ -13,6 +13,7 @@ Table of Contents
   * [Known Hosts](#known-hosts)
   * [Authorized Keys and User Management](#authorized-keys-and-user-management)
   * [Moduli](#moduli)
+  * [Distro Specifics](#distro-specifics)
 - [Dependencies](#dependencies)
 - [Example Playbook](#example-playbook)
   * [Top-Level Playbook](#top-level-playbook)
@@ -165,6 +166,16 @@ To configure the minimum modulus for `/etc/ssh/moduli`:
 ssh_modulus_min: 3071
 ```
 
+### Distro Specifics
+
+Opt out of distro-specific crypto policies (at the time of writing applies only
+to RHEL 8 and derivatives):
+
+```yml
+ssh_opt_out_crypto_policies: no
+```
+
+
 Dependencies
 ------------
 

molecule/alternative/molecule.yml

@@ -94,6 +94,7 @@ provisioner:
           - [email protected]
         ssh_modulus_min: 3071
       redhat:
+        ssh_opt_out_crypto_policies: yes
         ssh_subsystems:
           - name: sftp
             command: '/usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO'

tasks/configuration-sshd.yml

@@ -1,5 +1,15 @@
 ---
 
+- name: opt out of crypto policies
+  ansible.builtin.lineinfile:
+    path: /etc/sysconfig/sshd
+    regexp: CRYPTO_POLICY=
+    line: CRYPTO_POLICY=
+  become: yes
+  when:
+    - ssh_opt_out_crypto_policies | default(False)
+    - __ssh_os_version == 'redhat_8'
+
 - name: configure sshd in /etc/ssh/sshd_config
   ansible.builtin.template:
     src: '{{ lookup("first_found", __ssh_sshd_config_templates) }}'