---
# Entry point of the role: stop early on hosts whose OS is not supported,
# otherwise install packages, manage host keys, render the configuration
# and (re)start the service (tasks below).
- name: OS is supported
  # end_host ends the play for the current host only; other hosts continue.
  ansible.builtin.meta: end_host
  when:
    # __sshd_os_supported is not set in this file — presumably comes from the
    # per-distribution vars loaded earlier; confirm where it is computed.
    - not __sshd_os_supported | bool

- name: Install ssh packages
  ansible.builtin.package:
    name: "{{ sshd_packages }}"
    state: present
    # On rpm-ostree hosts (__sshd_is_ostree) the ansible.posix.rhel_rpm_ostree
    # backend is selected explicitly; everywhere else 'omit' drops the
    # parameter so the package module keeps its normal backend detection.
    use: "{{ (__sshd_is_ostree | d(false)) |
      ternary('ansible.posix.rhel_rpm_ostree', omit) }}"

- name: Sysconfig configuration
  ansible.builtin.template:
    src: sysconfig.j2
    dest: "/etc/sysconfig/sshd"
    owner: "root"
    group: "root"
    # Root-only: this file is later 'source'd by the host-key generation shell
    # task, i.e. its content is executed as shell code, so it must not be
    # writable (or readable) by anyone else.
    mode: "600"
    backup: "{{ sshd_backup }}"
  when:
    - sshd_sysconfig | bool
    # Only render the file where sysconfig honours at least one of the two
    # settings — presumably the ones sysconfig.j2 emits; confirm against the
    # template.
    - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
  notify: reload_sshd

- name: Check FIPS mode
  # The FIPS probe is only needed when some key types are not FIPS-approved;
  # an empty (defaulted) list is falsy and skips the include.
  # check_fips.yml presumably registers __sshd_kernel_fips_mode and
  # __sshd_userspace_fips_mode, which the host-key task below reads — confirm.
  ansible.builtin.include_tasks: check_fips.yml
  when:
    - __sshd_hostkeys_nofips | d([])

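- name: Make sure hostkeys are available and have expected permissions
  # These vars are shared with the "Apply configuration" block through the
  # &share_vars anchor.
  vars: &share_vars
    # 'MAo=' is '0\n' in base64 — the value assumed when a FIPS probe result
    # is absent (check_fips.yml was skipped), so the default is "not FIPS".
    # True only if some configured key types are not FIPS-approved AND the
    # host is in FIPS mode (kernel flag == '1' or userspace flag != '0').
    __sshd_fips_mode: >-
      {{ __sshd_hostkeys_nofips | d([]) and
         (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
          __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
    # JSON-encoded list of HostKey paths, resolved with the same precedence as
    # the configuration: sshd_HostKey, then sshd['HostKey'], then the role
    # defaults (minus non-FIPS types in FIPS mode, unless sshd_skip_defaults),
    # else an empty list.
    # This mimics the macro body_option() in sshd_config.j2
    # The explicit to_json filter is needed for Python 2 compatibility
    __sshd_hostkeys_from_config: >-
      {% if sshd_HostKey is defined %}
      {{ sshd_HostKey | to_json }}
      {% elif sshd['HostKey'] is defined %}
      {{ sshd['HostKey'] | to_json }}
      {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
      {% if __sshd_fips_mode %}
      {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
      {% else %}
      {{ __sshd_defaults['HostKey'] | to_json }}
      {% endif %}
      {% else %}
      {{ [] | to_json }}
      {% endif %}
    # JSON-encoded list of key paths to generate/verify:
    #   sshd_verify_hostkeys false  -> nothing
    #   'auto'                      -> the configured keys, or the role's
    #                                  default list when none are configured
    #                                  (minus non-FIPS types in FIPS mode);
    #                                  a single string is wrapped in a list
    #   anything else               -> the user-supplied list as given
    __sshd_verify_hostkeys: >-
      {% if not sshd_verify_hostkeys %}
      {{ [] | to_json }}
      {% elif sshd_verify_hostkeys == 'auto' %}
      {% if not __sshd_hostkeys_from_config | from_json %}
      {% if __sshd_fips_mode %}
      {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
      {% else %}
      {{ __sshd_verify_hostkeys_default | to_json }}
      {% endif %}
      {% elif __sshd_hostkeys_from_config | from_json is string %}
      {{ [__sshd_hostkeys_from_config | from_json] | to_json }}
      {% else %}
      {{ __sshd_hostkeys_from_config }}
      {% endif %}
      {% else %}
      {{ sshd_verify_hostkeys | to_json }}
      {% endif %}
  block:
    - name: Make sure hostkeys are available
      # The pipefail probe must read the 'set -o' output from stdin: the
      # previous '2>&1 /dev/null' made grep search /dev/null instead, so
      # pipefail was never enabled. The key type is derived from the file
      # name; the path is single-quoted like in the temporary-key task below.
      ansible.builtin.shell: |
        set -eu
        if set -o | grep -q pipefail 2>/dev/null ; then
          set -o pipefail
        fi
        {% if sshd_sysconfig %}
        source /etc/sysconfig/sshd
        {% endif %}
        ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f '{{ item }}' -C '' -N ''
      args:
        # Idempotent: skip (and report ok) when the key file already exists.
        creates: "{{ item }}"
      loop: "{{ __sshd_verify_hostkeys | from_json | list }}"
      changed_when: false

    - name: Make sure private hostkeys have expected permissions
      # Only the private key paths are in the loop; the .pub files are not
      # touched here.
      ansible.builtin.file:
        path: "{{ item }}"
        owner: "{{ sshd_hostkey_owner }}"
        group: "{{ sshd_hostkey_group }}"
        mode: "{{ sshd_hostkey_mode }}"
      loop: "{{ __sshd_verify_hostkeys | from_json | list }}"
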
- name: Apply configuration
  vars:
    # YAML merge key (shallow): re-uses the host-key vars defined on the
    # previous block task via the &share_vars anchor.
    <<: *share_vars
  block:
    - name: Create a temporary hostkey for syntax verification if needed
      # Only when no HostKey is configured and validation is supported —
      # presumably the validate step in install_config.yml needs at least one
      # key to load; confirm there. The directory is removed in 'always'.
      ansible.builtin.tempfile:
        state: directory
      register: sshd_test_hostkey
      changed_when: false
      when:
        - __sshd_hostkeys_from_config | from_json == []
        - __sshd_supports_validate

    - name: Generate temporary hostkey
      # .path is only defined when the tempfile task above actually ran.
      ansible.builtin.command: >
        ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
      changed_when: false
      when: sshd_test_hostkey.path is defined

    - name: Make sure sshd runtime directory is present
      # Skipped for distributions where __sshd_runtime_directory is none.
      ansible.builtin.file:
        path: "/run/{{ __sshd_runtime_directory }}"
        state: directory
        owner: root
        group: root
        mode: "{{ __sshd_runtime_directory_mode }}"
      when:
        - __sshd_runtime_directory is not none

    - name: Find SSHD ports
      ansible.builtin.include_tasks: find_ports.yml

    - name: Configure firewall
      # RedHat-family 7+ only, and not inside the virtualization types listed
      # in __sshd_skip_virt_env (e.g. containers — confirm the list's content).
      ansible.builtin.include_tasks: firewall.yml
      when:
        - sshd_manage_firewall | bool
        - ansible_facts['os_family'] == 'RedHat'
        - ansible_facts['distribution_version'] is version('7', '>=')
        - ansible_facts['virtualization_type']|default(None) not in __sshd_skip_virt_env

    - name: Configure selinux
      # Same gating as the firewall task, minus the version check.
      ansible.builtin.include_tasks: selinux.yml
      when:
        - sshd_manage_selinux | bool
        - ansible_facts['os_family'] == 'RedHat'
        - ansible_facts['virtualization_type']|default(None) not in __sshd_skip_virt_env

    # Exactly one of the next two runs: the full sshd_config when no namespace
    # is requested, otherwise only the namespaced snippet.
    - name: Create the complete configuration file
      ansible.builtin.include_tasks: install_config.yml
      when: sshd_config_namespace is none

    - name: Update configuration file snippet
      ansible.builtin.include_tasks: install_namespace.yml
      when: sshd_config_namespace is not none

    - name: Configure sshd to use SSH certificates
      ansible.builtin.include_tasks: certificates.yml
      when: sshd_trusted_user_ca_keys_list != []

  rescue:
    # Re-raise so the failure still propagates after 'always' has cleaned up.
    - name: Re-raise the error
      ansible.builtin.fail:
        msg: "{{ ansible_failed_result }}"

  always:
    - name: Remove temporary host keys
      # Remove the temporary key directory whether or not the block succeeded.
      ansible.builtin.file:
        path: "{{ sshd_test_hostkey.path }}"
        state: absent
      changed_when: false
      when: sshd_test_hostkey.path is defined

- name: Install and start systemd service
  ansible.builtin.include_tasks: install_service.yml

- name: Register that this role has run
  # Host-scoped fact set once per host; NOTE(review): presumably read by
  # callers (or later role runs) to detect a prior run — confirm its consumers.
  ansible.builtin.set_fact:
    sshd_has_run: true
  when: sshd_has_run is not defined