# platform = multi_platform_all
# reboot = true
# strategy = configure
# complexity = low
# disruption = low



cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
cipher@SSH = -*-CBC
EOF


current_crypto_policy=$(update-crypto-policies --show)
expected_crypto_policy="DEFAULT:NO-SHA1:NO-SSHCBC"
if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then
    update-crypto-policies --set "$expected_crypto_policy"
fi