ansible-sshd/README.md

323 lines
9.4 KiB
Markdown
Raw Normal View History

2015-01-12 22:40:04 +01:00
OpenSSH Server
==============
2014-12-18 23:12:51 +01:00
2017-03-20 12:03:19 +01:00
[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-willshersystems.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/willshersystems/sshd/)
2014-12-22 21:18:35 +01:00
This role configures the OpenSSH daemon. It:
2014-12-18 23:12:51 +01:00
2015-01-12 22:40:04 +01:00
* By default configures the SSH daemon with the normal OS defaults.
* Works across a variety of `UN*X` distributions
2015-01-12 22:40:04 +01:00
* Can be configured by dict or simple variables
* Supports Match sets
* Supports all `sshd_config` options. Templates are programmatically generated.
(see [`meta/make_option_list`](meta/make_option_list))
* Tests the `sshd_config` before reloading sshd.
2015-01-12 22:40:04 +01:00
2015-01-13 14:29:53 +01:00
**WARNING** Misconfiguration of this role can lock you out of your server!
Please test your configuration and its interaction with your users configuration
before using in production!
**WARNING** Digital Ocean allows root with passwords via SSH on Debian and
Ubuntu. This is not the default assigned by this module - it will set
`PermitRootLogin without-password` which will allow access via SSH key but not
via simple password. If you need this functionality, be sure to set
`sshd_PermitRootLogin yes` for those hosts.
2015-01-13 14:29:53 +01:00
2015-01-12 22:40:04 +01:00
Requirements
------------
Tested on:
* Ubuntu precise, trusty, xenial, bionic, focal
* Debian wheezy, jessie, stretch, buster
2015-01-12 22:40:04 +01:00
* FreeBSD 10.1
* EL 6, 7, 8, 9 derived distributions
* Fedora 31, 32, 33, 34
2016-10-19 21:33:15 +02:00
* OpenBSD 6.0
* AIX 7.1, 7.2
2015-01-12 22:40:04 +01:00
It will likely work on other flavours and more direct support via suitable
[vars/](vars/) files is welcome.
Role variables
---------------
Unconfigured, this role will provide a `sshd_config` that matches the OS default,
2015-01-12 22:40:04 +01:00
minus the comments and in a different order.
2018-09-08 09:14:39 +02:00
* `sshd_enable`
If set to *false*, the role will be completely disabled. Defaults to *true*.
2018-09-08 09:14:39 +02:00
2018-09-07 01:31:02 +02:00
* `sshd_skip_defaults`
2015-01-12 22:40:04 +01:00
If set to *true*, don't apply default values. This means that you must have a
complete set of configuration defaults via either the `sshd` dict, or
`sshd_Key` variables. Defaults to *false*.
2015-01-13 18:42:10 +01:00
2018-09-07 01:31:02 +02:00
* `sshd_manage_service`
If set to *false*, the service/daemon won't be **managed** at all, i.e. will not
try to enable on boot or start or reload the service. Defaults to *true*
unless: Running inside a docker container (it is assumed ansible is used during
build phase) or AIX (Ansible `service` module does not currently support `enabled`
for AIX)
2018-09-07 01:31:02 +02:00
* `sshd_allow_reload`
2015-01-13 18:42:10 +01:00
If set to *false*, a reload of sshd wont happen on change. This can help with
2015-01-13 18:44:00 +01:00
troubleshooting. You'll need to manually reload sshd if you want to apply the
changed configuration. Defaults to the same value as `sshd_manage_service`.
(Except on AIX, where `sshd_manage_service` is default *false*, but
`sshd_allow_reload` is default *true*)
2015-01-13 18:42:10 +01:00
2018-09-07 01:31:02 +02:00
* `sshd_install_service`
If set to *true*, the role will install service files for the ssh service.
Defaults to *false*.
2018-09-07 01:31:02 +02:00
The templates for the service files to be used are pointed to by the variables
- `sshd_service_template_service` (__default__: `templates/sshd.service.j2`)
- `sshd_service_template_at_service` (__default__: `templates/sshd@.service.j2`)
- `sshd_service_template_socket` (__default__: `templates/sshd.socket.j2`)
2018-09-07 01:31:02 +02:00
Using these variables, you can use your own custom templates. With the above
default templates, the name of the installed ssh service will be provided by
the `sshd_service` variable.
* `sshd`
2015-01-13 18:42:10 +01:00
A dict containing configuration. e.g.
2014-12-22 21:18:35 +01:00
```yaml
2014-12-21 21:39:44 +01:00
sshd:
Compression: delayed
ListenAddress:
- 0.0.0.0
```
2014-12-18 23:12:51 +01:00
* `sshd_...`
2015-01-13 18:42:10 +01:00
Simple variables can be used rather than a dict. Simple values override dict
values. e.g.:
2014-12-22 21:18:35 +01:00
```yaml
sshd_Compression: off
```
In all cases, booleans are correctly rendered as yes and no in sshd
configuration. Lists can be used for multiline configuration items. e.g.
2014-12-25 13:13:34 +01:00
```yaml
sshd_ListenAddress:
- 0.0.0.0
2015-01-12 22:40:04 +01:00
- '::'
2014-12-25 13:13:34 +01:00
```
2015-01-13 18:42:10 +01:00
Renders as:
```
ListenAddress 0.0.0.0
ListenAddress ::
```
* `sshd_match`, `sshd_match_1` through `sshd_match_9`
2015-01-13 18:42:10 +01:00
A list of dicts or just a dict for a Match section. Note, that these variables
do not override match blocks as defined in the `sshd` dict. All of the sources
will be reflected in the resulting configuration file.
2014-12-25 13:13:34 +01:00
* `sshd_backup`
When set to *false*, the original `sshd_config` file is not backed up. Default
is *true*.
* `sshd_sysconfig`
On RHEL-based systems, sysconfig is used for configuring more details of sshd
service. If set to *true*, this role will manage also the `/etc/sysconfig/sshd`
configuration file based on the following configuration. Default is *false*.
* `sshd_sysconfig_override_crypto_policy`
In RHEL8-based systems, this can be used to override system-wide crypto policy
by setting to *true*. Defaults to *false*.
* `sshd_sysconfig_use_strong_rng`
In RHEL-based systems, this can be used to force sshd to reseed openssl random
number generator with the given amount of bytes as an argument. The default is
*0*, which disables this functionality. It is not recommended to turn this on
if the system does not have hardware random number generator.
* `sshd_config_file`
The path where the openssh configuration produced by this role should be saved.
This is useful mostly when generating configuration snippets to Include.
* `sshd_namespace_append`
By default (*null*), the role defines whole content of the configuration file
(with potential system defaults). To allow this role to be invoked from other
roles or from multiple places in a single playbok on systems that do not
support drop-in directory, we can define namespaces, that will allow us place
configuration snippets idempotently into a single configuration file. The only
requirement for these instances is to have different namespace name (this
variable). Other limitation of openssh configuration file such as that only the
first option specified in a configuration file is effective still apply.
Technically, the snippets are placed in `Match all` blocks (unless they contain
other match block) to make sure they are applied regardless the previous match
blocks. This allows to configure any non-conflicting options from different
roles invocations.
2018-09-07 01:31:02 +02:00
### Secondary role variables
These variables are used by the role internals and can be used to override the
defaults that correspond to each supported platform.
* `sshd_packages`
Use this variable to override the default list of packages to install.
* `sshd_config_owner`, `sshd_config_group`, `sshd_config_mode`
Use these variables to set the ownership and permissions for the openssh config
file that this role produces.
* `sshd_binary`
The path to the openssh executable
* `sshd_service`
The name of the openssh service. By default, this variable contains the name of
the ssh service that the target platform uses. But it can also be used to set
the name of the custom ssh service when the `sshd_install_service` variable is
used.
* `sshd_verify_hostkeys`
By default (*auto*), this list contains all the host keys that are present in
the produced configuration file. The paths are checked for presence and
generated if missing. Additionally, permissions and file owners are set to sane
defaults. This is useful if the role is used in deployment stage to make sure
the service is able to start on the first attempt. To disable this check, set
this to empty list.
2020-12-15 16:58:34 +01:00
* `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_mode`
Use these variables to set the ownership and permissions for the host keys from
the above list.
2018-09-07 01:31:02 +02:00
* `sshd_sftp_server`
Default path to the sftp server binary.
### Variables Exported by the Role
* `sshd_has_run`
This variable is set to *true* after the role was successfully executed.
2015-01-14 13:53:16 +01:00
Dependencies
------------
None
2015-01-14 13:53:16 +01:00
2015-01-12 22:40:04 +01:00
Example Playbook
----------------
2015-08-25 19:41:22 +02:00
**DANGER!** This example is to show the range of configuration this role
provides. Running it will likely break your SSH access to the server!
2014-12-25 13:13:34 +01:00
```yaml
---
2015-01-12 22:40:04 +01:00
- hosts: all
vars:
sshd_skip_defaults: true
sshd:
Compression: true
ListenAddress:
- "0.0.0.0"
- "::"
GSSAPIAuthentication: no
Match:
- Condition: "Group user"
GSSAPIAuthentication: yes
sshd_UsePrivilegeSeparation: no
2015-01-12 22:40:04 +01:00
sshd_match:
- Condition: "Group xusers"
X11Forwarding: yes
roles:
2017-03-20 12:03:19 +01:00
- role: willshersystems.sshd
2014-12-25 13:13:34 +01:00
```
Results in:
2015-01-14 09:45:57 +01:00
```
2014-12-25 13:13:34 +01:00
# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation no
2014-12-25 13:13:34 +01:00
Match Group user
GSSAPIAuthentication yes
Match Group xusers
X11Forwarding yes
```
2014-12-26 11:09:34 +01:00
Since Ansible 2.4, the role can be invoked using `include_role` keyword,
for example:
```yaml
---
- hosts: all
become: true
tasks:
- name: "Configure sshd"
include_role:
name: willshersystems.sshd
vars:
sshd_skip_defaults: true
sshd:
Compression: true
ListenAddress:
- "0.0.0.0"
- "::"
GSSAPIAuthentication: no
Match:
- Condition: "Group user"
GSSAPIAuthentication: yes
sshd_UsePrivilegeSeparation: no
sshd_match:
- Condition: "Group xusers"
X11Forwarding: yes
```
2020-12-15 15:54:10 +01:00
More example playbooks can be found in [`examples/`](examples/) directory.
Template Generation
-------------------
The [`sshd_config.j2`](templates/sshd_config.j2) template is programatically
generated by the scripts in meta. New options should be added to the
`options_body` or `options_match`.
To regenerate the template, from within the meta/ directory run:
`./make_option_lists`
2015-01-12 22:40:04 +01:00
License
-------
LGPLv3
Author
------
Matt Willsher <matt@willsher.systems>
2014-12-26 11:09:34 +01:00
2015-08-25 19:41:22 +02:00
&copy; 2014,2015 Willsher Systems Ltd.