Improve option rendering, allow per OS defaults

defaults/main.yml

@@ -4,5 +4,5 @@ sshd_group: root
 sshd_binary: /usr/sbin/sshd
 sshd_config_file: /etc/ssh/sshd_config
 sshd_service: sshd
-sshd_force_sftp: true
+sshd_sftp_server: /usr/lib/openssh/sftp-server
-sshd: {}
+sshd: "{{ sshd_defaults }}"

meta/macros.j2

@@ -1,12 +1,16 @@
 # {{ ansible_managed }}
-{% macro sshd_multiline(key,override) %}
+{% macro render_option(key,override) %}
 {%   if override is defined %}
 {%     set value = override %}
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   endif %}
 {%   if value is defined %}
-{%     if value is string %}
+{%     if value is sameas true %}
+{{ key }} yes
+{%     elif value is sameas false %}
+{{ key }} no
+{%     elif value is string or value is number %}
 {{ key }} {{ value }}
 {%     else %}
 {%       for i in value %}
@@ -15,32 +19,3 @@
 {%     endif %}
 {%   endif %}
 {% endmacro %}
-{% macro sshd_boolean(key,override) %}
-{%   if override is defined %}
-{%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
-{%   endif %}
-{%   if value is defined %}
-{%     if value == true %}
-{{ key }} yes
-{%     elif value == false %}
-{{ key }} no
-{%     else %}
-{{ key }} {{ value }}
-{%     endif %}
-{%   endif %}
-{% endmacro %}
-{% macro sshd_value(key,override) %}
-{%   if override is defined %}
-{%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
-{%   endif %}
-{%   if value is defined %}
-{{ key }} {{ value }}
-{%   endif %}
-{% endmacro %}
-{% if sshd_force_sftp == true %}
-Subsystem sftp {{ sshd_sftp_server }}
-{% endif %}

meta/make_option_list

@@ -1,20 +1,8 @@
 #!/bin/sh
 cat macros.j2
 
-cat ssh_multi_options |
+cat ssh_options |
   sort |
   awk '{
-print "{{ sshd_multiline(\""$1"\",sshd_"$1") -}}"
+print "{{ render_option(\""$1"\",sshd_"$1") -}}"
-}'
-
-cat ssh_kv_options |
-  sort |
-  awk '{
-print "{{ sshd_value(\""$1"\",sshd_"$1") -}}"
-}'
-
-cat ssh_boolean_options |
-  sort |
-  awk '{
-print "{{ sshd_boolean(\""$1"\",sshd_"$1") -}}"
 }'

meta/ssh_boolean_options

@@ -1,37 +0,0 @@
-AllowAgentForwarding
-AllowTcpForwarding
-ChallengeResponseAuthentication
-Compression
-GatewayPorts
-GSSAPICleanupCredentials
-GSSAPIStrictAcceptorCheck
-GSSAPIStoreCredentialsOnRekey
-HostbasedAuthentication
-HostbasedUsesNameFromPacketOnly
-IgnoreRhosts
-IgnoreUserKnownHosts
-KerberosAuthentication
-KerberosGetAFSToken
-KerberosOrLocalPasswd
-KerberosTicketCleanup
-PasswordAuthentication
-PermitEmptyPasswords
-PermitRootLogin
-PermitTunnel
-PermitUserEnvironment
-PrintLastLog
-PrintMotd
-PubkeyAuthentication
-RhostsRSAAuthentication
-RSAAuthentication
-StrictModes
-TCPKeepAlive
-UseDNS
-UseLogin
-UsePAM
-UsePrivilegeSeparation
-X11Forwarding
-X11UseLocalhost
-HPNDisabled
-TcpRcvBufPoll
-NoneEnabled

meta/ssh_kv_options

@@ -1,45 +0,0 @@
-AcceptEnv
-AddressFamily
-AllowGroups
-AllowUsers
-AuthenticationMethods
-AuthorizedKeysCommand
-AuthorizedKeysCommandUser
-AuthorizedKeysFile
-AuthorizedPrincipalsFile
-Banner
-ChrootDirectory
-Ciphers
-ClientAliveCountMax
-ClientAliveInterval
-DenyGroups
-DenyUsers
-ForceCommand
-GSSAPIAuthentication
-GSSAPIKeyExchange
-HostCertificate
-HostKeyAgent
-IPQoS
-KbdInteractiveAuthentication
-KexAlgorithms
-KeyRegenerationInterval
-LoginGraceTime
-LogLevel
-MACs
-MaxAuthTries
-MaxSessions
-MaxStartups
-PermitOpen
-PermitTTY
-PidFile
-Port
-Protocol
-RekeyLimit
-RevokedKeys
-ServerKeyBits
-SyslogFacility
-TrustedUserCAKeys
-VersionAddendum
-X11DisplayOffset
-XAuthLocation
-HPNBufferSize

meta/ssh_multi_options

@@ -1,3 +0,0 @@
-HostKey
-ListenAddress
-Subsystem

meta/ssh_options

@@ -0,0 +1,85 @@
+AcceptEnv
+AddressFamily
+AllowAgentForwarding
+AllowGroups
+AllowTcpForwarding
+AllowUsers
+AuthenticationMethods
+AuthorizedKeysCommand
+AuthorizedKeysCommandUser
+AuthorizedKeysFile
+AuthorizedPrincipalsFile
+Banner
+ChallengeResponseAuthentication
+ChrootDirectory
+Ciphers
+ClientAliveCountMax
+ClientAliveInterval
+Compression
+DenyGroups
+DenyUsers
+ForceCommand
+GSSAPIAuthentication
+GSSAPICleanupCredentials
+GSSAPIKeyExchange
+GSSAPIStoreCredentialsOnRekey
+GSSAPIStrictAcceptorCheck
+GatewayPorts
+HPNBufferSize
+HPNDisabled
+HostCertificate
+HostKey
+HostKeyAgent
+HostbasedAuthentication
+HostbasedUsesNameFromPacketOnly
+IPQoS
+IgnoreRhosts
+IgnoreUserKnownHosts
+KbdInteractiveAuthentication
+KerberosAuthentication
+KerberosGetAFSToken
+KerberosOrLocalPasswd
+KerberosTicketCleanup
+KexAlgorithms
+KeyRegenerationInterval
+ListenAddress
+LogLevel
+LoginGraceTime
+MACs
+MaxAuthTries
+MaxSessions
+MaxStartups
+NoneEnabled
+PasswordAuthentication
+PermitEmptyPasswords
+PermitOpen
+PermitRootLogin
+PermitTTY
+PermitTunnel
+PermitUserEnvironment
+PidFile
+Port
+PrintLastLog
+PrintMotd
+Protocol
+PubkeyAuthentication
+RSAAuthentication
+RekeyLimit
+RevokedKeys
+RhostsRSAAuthentication
+ServerKeyBits
+StrictModes
+Subsystem
+SyslogFacility
+TCPKeepAlive
+TcpRcvBufPoll
+TrustedUserCAKeys
+UseDNS
+UseLogin
+UsePAM
+UsePrivilegeSeparation
+VersionAddendum
+X11DisplayOffset
+X11Forwarding
+X11UseLocalhost
+XAuthLocation

tasks/main.yml

@@ -13,6 +13,10 @@
     state=installed
   with_items: sshd_packages
 
+- name: Debug config
+  debug: var=sshd
+  when: sshd_debug is defined
+
 - name: Configured
   template:
     src: sshd_config.j2

templates/sshd_config.j2

@@ -1,124 +1,106 @@
 # {{ ansible_managed }}
-{% macro sshd_multiline(key,override) %}
+{% macro render_option(key,override) %}
 {%   if override is defined %}
 {%     set value = override %}
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   endif %}
 {%   if value is defined %}
+{%     if value is sameas true %}
+{{ key }} yes
+{%     elif value is sameas false %}
+{{ key }} no
+{%     elif value is string or value is number %}
+{{ key }} {{ value }}
+{%     else %}
 {%       for i in value %}
 {{ key }} {{ i }}
 {%       endfor %}
 {%     endif %}
+{%   endif %}
 {% endmacro %}
-{% macro sshd_boolean(key,override) %}
+{{ render_option("AcceptEnv",sshd_AcceptEnv) -}}
-{%   if override is defined %}
+{{ render_option("AddressFamily",sshd_AddressFamily) -}}
-{%     set value = override %}
+{{ render_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
-{%   elif sshd[key] is defined %}
+{{ render_option("AllowGroups",sshd_AllowGroups) -}}
-{%     set value = sshd[key] %}
+{{ render_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
-{%   endif %}
+{{ render_option("AllowUsers",sshd_AllowUsers) -}}
-{%   if value is defined %}
+{{ render_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
-{%     if value == true %}
+{{ render_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
-{{ key }} yes
+{{ render_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
-{%     elif value == false %}
+{{ render_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
-{{ key }} no
+{{ render_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
-{%     else %}
+{{ render_option("Banner",sshd_Banner) -}}
-{{ key }} {{ value }}
+{{ render_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
-{%     endif %}
+{{ render_option("ChrootDirectory",sshd_ChrootDirectory) -}}
-{%   endif %}
+{{ render_option("Ciphers",sshd_Ciphers) -}}
-{% endmacro -%}
+{{ render_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
-{% macro sshd_value(key,override) -%}
+{{ render_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
-{%   if override is defined -%}
+{{ render_option("Compression",sshd_Compression) -}}
-{%     set value = override -%}
+{{ render_option("DenyGroups",sshd_DenyGroups) -}}
-{%   elif sshd[key] is defined -%}
+{{ render_option("DenyUsers",sshd_DenyUsers) -}}
-{%     set value = sshd[key] -%}
+{{ render_option("ForceCommand",sshd_ForceCommand) -}}
-{%   endif -%}
+{{ render_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
-{%   if value is defined -%}
+{{ render_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
-{{ key }} {{ value }}
+{{ render_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
-{%   endif -%}
+{{ render_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
-{% endmacro -%}
+{{ render_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
-{{ sshd_multiline("HostKey",sshd_HostKey) }}
+{{ render_option("GatewayPorts",sshd_GatewayPorts) -}}
-{{ sshd_multiline("ListenAddress",sshd_ListenAddress) }}
+{{ render_option("HPNBufferSize",sshd_HPNBufferSize) -}}
-{{ sshd_multiline("Subsystem",sshd_Subsystem) }}
+{{ render_option("HPNDisabled",sshd_HPNDisabled) -}}
-{{ sshd_value("AcceptEnv",sshd_AcceptEnv) }}
+{{ render_option("HostCertificate",sshd_HostCertificate) -}}
-{{ sshd_value("AddressFamily",sshd_AddressFamily) }}
+{{ render_option("HostKey",sshd_HostKey) -}}
-{{ sshd_value("AllowGroups",sshd_AllowGroups) }}
+{{ render_option("HostKeyAgent",sshd_HostKeyAgent) -}}
-{{ sshd_value("AllowUsers",sshd_AllowUsers) }}
+{{ render_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
-{{ sshd_value("AuthenticationMethods",sshd_AuthenticationMethods) }}
+{{ render_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
-{{ sshd_value("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) }}
+{{ render_option("IPQoS",sshd_IPQoS) -}}
-{{ sshd_value("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) }}
+{{ render_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
-{{ sshd_value("AuthorizedKeysFile",sshd_AuthorizedKeysFile) }}
+{{ render_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
-{{ sshd_value("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) }}
+{{ render_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
-{{ sshd_value("Banner",sshd_Banner) }}
+{{ render_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
-{{ sshd_value("ChrootDirectory",sshd_ChrootDirectory) }}
+{{ render_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
-{{ sshd_value("Ciphers",sshd_Ciphers) }}
+{{ render_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
-{{ sshd_value("ClientAliveCountMax",sshd_ClientAliveCountMax) }}
+{{ render_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
-{{ sshd_value("ClientAliveInterval",sshd_ClientAliveInterval) }}
+{{ render_option("KexAlgorithms",sshd_KexAlgorithms) -}}
-{{ sshd_value("DenyGroups",sshd_DenyGroups) }}
+{{ render_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
-{{ sshd_value("DenyUsers",sshd_DenyUsers) }}
+{{ render_option("ListenAddress",sshd_ListenAddress) -}}
-{{ sshd_value("ForceCommand",sshd_ForceCommand) }}
+{{ render_option("LogLevel",sshd_LogLevel) -}}
-{{ sshd_value("GSSAPIAuthentication",sshd_GSSAPIAuthentication) }}
+{{ render_option("LoginGraceTime",sshd_LoginGraceTime) -}}
-{{ sshd_value("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) }}
+{{ render_option("MACs",sshd_MACs) -}}
-{{ sshd_value("HPNBufferSize",sshd_HPNBufferSize) }}
+{{ render_option("MaxAuthTries",sshd_MaxAuthTries) -}}
-{{ sshd_value("HostCertificate",sshd_HostCertificate) }}
+{{ render_option("MaxSessions",sshd_MaxSessions) -}}
-{{ sshd_value("HostKeyAgent",sshd_HostKeyAgent) }}
+{{ render_option("MaxStartups",sshd_MaxStartups) -}}
-{{ sshd_value("IPQoS",sshd_IPQoS) }}
+{{ render_option("NoneEnabled",sshd_NoneEnabled) -}}
-{{ sshd_value("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) }}
+{{ render_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
-{{ sshd_value("KexAlgorithms",sshd_KexAlgorithms) }}
+{{ render_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
-{{ sshd_value("KeyRegenerationInterval",sshd_KeyRegenerationInterval) }}
+{{ render_option("PermitOpen",sshd_PermitOpen) -}}
-{{ sshd_value("LogLevel",sshd_LogLevel) }}
+{{ render_option("PermitRootLogin",sshd_PermitRootLogin) -}}
-{{ sshd_value("LoginGraceTime",sshd_LoginGraceTime) }}
+{{ render_option("PermitTTY",sshd_PermitTTY) -}}
-{{ sshd_value("MACs",sshd_MACs) }}
+{{ render_option("PermitTunnel",sshd_PermitTunnel) -}}
-{{ sshd_value("MaxAuthTries",sshd_MaxAuthTries) }}
+{{ render_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
-{{ sshd_value("MaxSessions",sshd_MaxSessions) }}
+{{ render_option("PidFile",sshd_PidFile) -}}
-{{ sshd_value("MaxStartups",sshd_MaxStartups) }}
+{{ render_option("Port",sshd_Port) -}}
-{{ sshd_value("PermitOpen",sshd_PermitOpen) }}
+{{ render_option("PrintLastLog",sshd_PrintLastLog) -}}
-{{ sshd_value("PermitTTY",sshd_PermitTTY) }}
+{{ render_option("PrintMotd",sshd_PrintMotd) -}}
-{{ sshd_value("PidFile",sshd_PidFile) }}
+{{ render_option("Protocol",sshd_Protocol) -}}
-{{ sshd_value("Port",sshd_Port) }}
+{{ render_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
-{{ sshd_value("Protocol",sshd_Protocol) }}
+{{ render_option("RSAAuthentication",sshd_RSAAuthentication) -}}
-{{ sshd_value("RekeyLimit",sshd_RekeyLimit) }}
+{{ render_option("RekeyLimit",sshd_RekeyLimit) -}}
-{{ sshd_value("RevokedKeys",sshd_RevokedKeys) }}
+{{ render_option("RevokedKeys",sshd_RevokedKeys) -}}
-{{ sshd_value("ServerKeyBits",sshd_ServerKeyBits) }}
+{{ render_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
-{{ sshd_value("SyslogFacility",sshd_SyslogFacility) }}
+{{ render_option("ServerKeyBits",sshd_ServerKeyBits) -}}
-{{ sshd_value("TrustedUserCAKeys",sshd_TrustedUserCAKeys) }}
+{{ render_option("StrictModes",sshd_StrictModes) -}}
-{{ sshd_value("VersionAddendum",sshd_VersionAddendum) }}
+{{ render_option("Subsystem",sshd_Subsystem) -}}
-{{ sshd_value("X11DisplayOffset",sshd_X11DisplayOffset) }}
+{{ render_option("SyslogFacility",sshd_SyslogFacility) -}}
-{{ sshd_value("XAuthLocation",sshd_XAuthLocation) }}
+{{ render_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
-{{ sshd_boolean("AllowAgentForwarding",sshd_AllowAgentForwarding) }}
+{{ render_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
-{{ sshd_boolean("AllowTcpForwarding",sshd_AllowTcpForwarding) }}
+{{ render_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
-{{ sshd_boolean("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) }}
+{{ render_option("UseDNS",sshd_UseDNS) -}}
-{{ sshd_boolean("Compression",sshd_Compression) }}
+{{ render_option("UseLogin",sshd_UseLogin) -}}
-{{ sshd_boolean("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) }}
+{{ render_option("UsePAM",sshd_UsePAM) -}}
-{{ sshd_boolean("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) }}
+{{ render_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
-{{ sshd_boolean("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) }}
+{{ render_option("VersionAddendum",sshd_VersionAddendum) -}}
-{{ sshd_boolean("GatewayPorts",sshd_GatewayPorts) }}
+{{ render_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
-{{ sshd_boolean("HPNDisabled",sshd_HPNDisabled) }}
+{{ render_option("X11Forwarding",sshd_X11Forwarding) -}}
-{{ sshd_boolean("HostbasedAuthentication",sshd_HostbasedAuthentication) }}
+{{ render_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
-{{ sshd_boolean("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) }}
+{{ render_option("XAuthLocation",sshd_XAuthLocation) -}}
-{{ sshd_boolean("IgnoreRhosts",sshd_IgnoreRhosts) }}
-{{ sshd_boolean("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) }}
-{{ sshd_boolean("KerberosAuthentication",sshd_KerberosAuthentication) }}
-{{ sshd_boolean("KerberosGetAFSToken",sshd_KerberosGetAFSToken) }}
-{{ sshd_boolean("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) }}
-{{ sshd_boolean("KerberosTicketCleanup",sshd_KerberosTicketCleanup) }}
-{{ sshd_boolean("NoneEnabled",sshd_NoneEnabled) }}
-{{ sshd_boolean("PasswordAuthentication",sshd_PasswordAuthentication) }}
-{{ sshd_boolean("PermitEmptyPasswords",sshd_PermitEmptyPasswords) }}
-{{ sshd_boolean("PermitRootLogin",sshd_PermitRootLogin) }}
-{{ sshd_boolean("PermitTunnel",sshd_PermitTunnel) }}
-{{ sshd_boolean("PermitUserEnvironment",sshd_PermitUserEnvironment) }}
-{{ sshd_boolean("PrintLastLog",sshd_PrintLastLog) }}
-{{ sshd_boolean("PrintMotd",sshd_PrintMotd) }}
-{{ sshd_boolean("PubkeyAuthentication",sshd_PubkeyAuthentication) }}
-{{ sshd_boolean("RSAAuthentication",sshd_RSAAuthentication) }}
-{{ sshd_boolean("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) }}
-{{ sshd_boolean("StrictModes",sshd_StrictModes) }}
-{{ sshd_boolean("TCPKeepAlive",sshd_TCPKeepAlive) }}
-{{ sshd_boolean("TcpRcvBufPoll",sshd_TcpRcvBufPoll) }}
-{{ sshd_boolean("UseDNS",sshd_UseDNS) }}
-{{ sshd_boolean("UseLogin",sshd_UseLogin) }}
-{{ sshd_boolean("UsePAM",sshd_UsePAM) }}
-{{ sshd_boolean("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) }}
-{{ sshd_boolean("X11Forwarding",sshd_X11Forwarding) }}
-{{ sshd_boolean("X11UseLocalhost",sshd_X11UseLocalhost) }}

vars/Debian.yml

@@ -5,4 +5,10 @@ sshd_packages:
   - openssh-blacklist
   - openssh-blacklist-extra
   - openssh-sftp-server
-sshd_sftp_server: /usr/lib/openssh/sftp-server
+sshd_defaults:
+  ChallengeResponseAuthentication: no
+  X11Forwarding: yes
+  PrintMotd: no
+  AcceptEnv: LANG LC_*
+  Subsystem: sftp {{ sshd_sftp_server }}
+  UsePAM: yes

vars/FreeBSD.yml

@@ -1,5 +1,5 @@
 ---
-sshd_service: sshd
 sshd_packages: []
 sshd_group: wheel
 sshd_sftp_server: /usr/libexec/sftp-server
+sshd_defaults: {}