Merge pull request #165 from Jakuje/centos6
This commit is contained in:
commit
1c5c48835e
8 changed files with 56 additions and 15 deletions
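--- /dev/null
+++ b/.github/workflows/ansible-centos6.yml
@@ -0,0 +1,19 @@
+name: Run tests on CentOS 6
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    # Workaround missing support for end_host in old ansible
+    - run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml"
+
+    - name: ansible check with centos:6
+      uses: roles-ansible/check-ansible-centos-centos6-action@master
+      with:
+        group: local
+        hosts: localhost
+        targets: "tests/*.yml"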
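Review bot: The third-party action at `uses: roles-ansible/check-ansible-centos-centos6-action@master` is resolved from a mutable branch, so whoever can push to that repository can run arbitrary code in this workflow (on every push and pull_request) against the checked-out role; pin it to a full commit SHA with the version in a trailing comment, `uses: roles-ansible/check-ansible-centos-centos6-action@<full-commit-sha>  # <tag or date>`, and treat `actions/checkout@v2` the same way. The `sed` workaround also inserts the ` that: __sshd_os_supported|bool` line with exactly one leading space regardless of how deep the `meta: end_host` line sits in tasks/install.yml; whether the rewritten file still parses depends on that file's layout, which is outside this diff, so a comment stating the assumed indentation or an `ansible-playbook --syntax-check` step right after the sed would make the hack fail loudly instead of producing a misleading CentOS 6 result.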
|
@ -126,7 +126,7 @@
|
||||||
group: "{{ sshd_config_group }}"
|
group: "{{ sshd_config_group }}"
|
||||||
mode: "{{ sshd_config_mode }}"
|
mode: "{{ sshd_config_mode }}"
|
||||||
block: |
|
block: |
|
||||||
Match all
|
{{ __sshd_compat_match_all }}
|
||||||
{{ lookup('template', 'sshd_config_snippet.j2') }}
|
{{ lookup('template', 'sshd_config_snippet.j2') }}
|
||||||
create: yes
|
create: yes
|
||||||
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
|
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
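Review bot: The `{{ __sshd_compat_match_all }}` line at the top of the managed block replaces a literal `Match all` with a value defined in the vars files elsewhere in this commit, and nothing at the point of use says why; because the opening Match is presumably what keeps the namespace's directives (the tests put `PasswordAuthentication` and `PermitRootLogin` there) from landing inside a preceding `Match` of the existing sshd_config, a why-comment belongs here, e.g. `# First line must be a Match that applies to every connection; OpenSSH 5.3 on RHEL 6 has no "Match all", so the RHEL 6 vars substitute "Match address *"`. The blockinfile task that owns this `block:` begins before the hunk, so I cannot confirm from the diff that the variable is always defined when the task runs.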
|
||||||
|
|
|
@ -16,8 +16,8 @@
|
||||||
sshd_config_file: /etc/ssh/sshd_config
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
sshd_config_namespace: nm1
|
sshd_config_namespace: nm1
|
||||||
sshd:
|
sshd:
|
||||||
AcceptEnv: EDITOR
|
|
||||||
PasswordAuthentication: yes
|
PasswordAuthentication: yes
|
||||||
|
PermitRootLogin: yes
|
||||||
Match:
|
Match:
|
||||||
Condition: user root
|
Condition: user root
|
||||||
AllowAgentForwarding: no
|
AllowAgentForwarding: no
|
||||||
|
@ -29,8 +29,8 @@
|
||||||
sshd_config_file: /etc/ssh/sshd_config
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
sshd_config_namespace: nm2
|
sshd_config_namespace: nm2
|
||||||
sshd:
|
sshd:
|
||||||
AcceptEnv: LS_COLORS
|
|
||||||
PasswordAuthentication: no
|
PasswordAuthentication: no
|
||||||
|
PermitRootLogin: no
|
||||||
Match:
|
Match:
|
||||||
Condition: Address 127.0.0.1
|
Condition: Address 127.0.0.1
|
||||||
AllowTcpForwarding: no
|
AllowTcpForwarding: no
|
||||||
|
@ -60,17 +60,31 @@
|
||||||
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
|
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
|
||||||
register: nonmatching
|
register: nonmatching
|
||||||
|
|
||||||
|
- name: Check content of configuration file (blocks)
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
|
||||||
|
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
|
||||||
|
when:
|
||||||
|
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
|
||||||
|
|
||||||
|
- name: Check content of configuration file (blocks for RHEL 6)
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
|
||||||
|
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
|
||||||
|
when:
|
||||||
|
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6'
|
||||||
|
|
||||||
- name: Check content of configuration file
|
- name: Check content of configuration file
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "'AcceptEnv EDITOR' in config.content | b64decode"
|
- "'PermitRootLogin yes' in config.content | b64decode"
|
||||||
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
|
|
||||||
- "'PasswordAuthentication yes' in config.content | b64decode"
|
- "'PasswordAuthentication yes' in config.content | b64decode"
|
||||||
- "'Match user root' in config.content | b64decode"
|
- "'Match user root' in config.content | b64decode"
|
||||||
- "'AllowAgentForwarding no' in config.content | b64decode"
|
- "'AllowAgentForwarding no' in config.content | b64decode"
|
||||||
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
|
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
|
||||||
- "'AcceptEnv LS_COLORS' in config.content | b64decode"
|
- "'PermitRootLogin no' in config.content | b64decode"
|
||||||
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
|
|
||||||
- "'PasswordAuthentication no' in config.content | b64decode"
|
- "'PasswordAuthentication no' in config.content | b64decode"
|
||||||
- "'Match Address 127.0.0.1' in config.content | b64decode"
|
- "'Match Address 127.0.0.1' in config.content | b64decode"
|
||||||
- "'AllowTcpForwarding no' in config.content | b64decode"
|
- "'AllowTcpForwarding no' in config.content | b64decode"
|
||||||
|
@ -80,9 +94,8 @@
|
||||||
# note, the options are in lower-case here
|
# note, the options are in lower-case here
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "'acceptenv EDITOR' in runtime.stdout"
|
- "'permitrootlogin yes' in runtime.stdout"
|
||||||
- "'allowagentforwarding no' in runtime.stdout"
|
- "'allowagentforwarding no' in runtime.stdout"
|
||||||
- "'acceptenv LS_COLORS' in runtime.stdout"
|
|
||||||
- "'allowtcpforwarding no' in runtime.stdout"
|
- "'allowtcpforwarding no' in runtime.stdout"
|
||||||
- "'passwordauthentication yes' in runtime.stdout"
|
- "'passwordauthentication yes' in runtime.stdout"
|
||||||
|
|
||||||
|
@ -90,9 +103,8 @@
|
||||||
# note, the options are in lower-case here
|
# note, the options are in lower-case here
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "'acceptenv EDITOR' in nonmatching.stdout"
|
- "'permitrootlogin yes' in runtime.stdout"
|
||||||
- "'allowAgentforwarding no' not in nonmatching.stdout"
|
- "'allowAgentforwarding no' not in nonmatching.stdout"
|
||||||
- "'acceptenv LS_COLORS' in nonmatching.stdout"
|
|
||||||
- "'allowtcpforwarding no' not in nonmatching.stdout"
|
- "'allowtcpforwarding no' not in nonmatching.stdout"
|
||||||
- "'passwordauthentication yes' in nonmatching.stdout"
|
- "'passwordauthentication yes' in nonmatching.stdout"
|
||||||
tags: tests::verify
|
tags: tests::verify
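Review bot: In the last hunk the new assertion `- "'permitrootlogin yes' in runtime.stdout"` reads `runtime.stdout` although every other line in that `that:` list checks `nonmatching.stdout` (the `sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2` run); it merely repeats the check made against `runtime` in the previous hunk and leaves `PermitRootLogin` for the non-matching connection unverified. It should read `- "'permitrootlogin yes' in nonmatching.stdout"`. While touching that list, note the context line `'allowAgentforwarding no' not in nonmatching.stdout`: the file's own comment says `sshd -T` prints options in lower case, so the mixed-case `allowAgentforwarding` can never match and the negative check is vacuous; `'allowagentforwarding no' not in nonmatching.stdout` is what was intended. Since nm1 sets `PermitRootLogin yes` and nm2 sets `PermitRootLogin no`, a comment beside the `permitrootlogin yes` checks stating why `yes` is the expected winner would spare the next reader from having to rediscover sshd's precedence rule.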
|
||||||
|
|
|
@ -34,7 +34,7 @@
|
||||||
msg: "Role has not failed when it should have"
|
msg: "Role has not failed when it should have"
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] != 'Debian'
|
- ansible_facts['os_family'] != 'Debian'
|
||||||
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||||
tags: tests::verify
|
tags: tests::verify
|
||||||
|
|
||||||
- name: Make sure the key was not created
|
- name: Make sure the key was not created
|
||||||
|
@ -52,6 +52,8 @@
|
||||||
register: result
|
register: result
|
||||||
failed_when: result.changed
|
failed_when: result.changed
|
||||||
tags: tests::verify
|
tags: tests::verify
|
||||||
|
when:
|
||||||
|
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||||
|
|
||||||
- name: "Restore configuration files"
|
- name: "Restore configuration files"
|
||||||
include_tasks: tasks/restore.yml
|
include_tasks: tasks/restore.yml
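Review bot: The `when:` added at the end of this hunk switches off a negative check (the task whose `register: result` / `failed_when: result.changed` close the hunk; its name is above the hunk) on RHEL 6/CentOS 6 without saying why, whereas the sibling test in this commit carries a `# RHEL6/CentOS6 images have modified sshd_config ...` comment for its skip. If the reason is that the role never reaches the failure path on an unsupported OS, record that above the `when:` so the skip does not read as a missing assertion, e.g. `# RHEL 6 is unsupported: the role ends the host before this state can be reached`. The change from `ansible_facts['distribution']` to `ansible_facts['os_family']` in the first hunk is correct, since the CentOS 6 job would never have matched `'RedHat'` on `distribution`.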
|
||||||
|
|
|
@ -34,7 +34,8 @@
|
||||||
that:
|
that:
|
||||||
- runtime_before.stdout == runtime_after.stdout
|
- runtime_before.stdout == runtime_after.stdout
|
||||||
when:
|
when:
|
||||||
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
# RHEL6/CentOS6 images have modified sshd_config, different from what is in rpm package
|
||||||
|
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||||
|
|
||||||
- name: Restore configuration files
|
- name: Restore configuration files
|
||||||
include_tasks: tasks/restore.yml
|
include_tasks: tasks/restore.yml
|
||||||
|
|
|
@ -48,6 +48,8 @@
|
||||||
- ansible_failed_result.msg != 'UNREACH'
|
- ansible_failed_result.msg != 'UNREACH'
|
||||||
- not role_result.changed
|
- not role_result.changed
|
||||||
msg: "Role has not failed when it should have"
|
msg: "Role has not failed when it should have"
|
||||||
|
when:
|
||||||
|
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||||
|
|
||||||
- name: Make sure service is still running
|
- name: Make sure service is still running
|
||||||
service:
|
service:
|
||||||
|
@ -56,6 +58,8 @@
|
||||||
register: result
|
register: result
|
||||||
failed_when: result.changed
|
failed_when: result.changed
|
||||||
tags: tests::verify
|
tags: tests::verify
|
||||||
|
when:
|
||||||
|
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||||
|
|
||||||
- name: "Restore configuration files"
|
- name: "Restore configuration files"
|
||||||
include_tasks: tasks/restore.yml
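Review bot: The `when:` added at the end of the second hunk disables "Make sure service is still running" (its `service:` line is visible at the end of the first hunk; the rest of the task is between the hunks) on RHEL 6/CentOS 6 with no stated reason, so an sshd left stopped after the failing run would go unnoticed on that platform. Add a comment above the new `when:` naming the cause, as the sibling test does with its `# RHEL6/CentOS6 images ...` note, rather than leaving a silent skip of a liveness check. The expression `not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')` is now repeated across several test files in this commit; setting one play-level fact such as `__test_skip_rhel6` and using it in every `when:` would keep the skip logic in a single place. I cannot see whether the `service:` task already has other conditions outside the hunk.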
|
include_tasks: tasks/restore.yml
|
||||||
|
|
|
@ -22,3 +22,4 @@ __sshd_defaults:
|
||||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||||
__sshd_os_supported: yes
|
__sshd_os_supported: yes
|
||||||
__sshd_sysconfig_supports_use_strong_rng: true
|
__sshd_sysconfig_supports_use_strong_rng: true
|
||||||
|
__sshd_compat_match_all: Match address *
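Review bot: `__sshd_compat_match_all: Match address *` is added without a comment, while the companion default in the other vars file is the one that explains that OpenSSH 5.3 lacks `Match all`; the explanation belongs on the non-obvious side too, e.g. `# OpenSSH 5.3 (RHEL 6) has no "Match all"; an address pattern of * matches every client and is the closest equivalent for the namespace block opener`. The value contains `*`, which is harmless mid-scalar but is exactly the alias sigil reviewers look for; writing it as `__sshd_compat_match_all: "Match address *"` removes the doubt for readers and linters without changing the rendered config.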
|
||||||
|
|
|
@ -5,3 +5,5 @@ __sshd_config_mode: "0600"
|
||||||
__sshd_hostkey_owner: "root"
|
__sshd_hostkey_owner: "root"
|
||||||
__sshd_hostkey_group: "root"
|
__sshd_hostkey_group: "root"
|
||||||
__sshd_hostkey_mode: "0600"
|
__sshd_hostkey_mode: "0600"
|
||||||
|
# The OpenSSH 5.3 in RHEL6 does not support "Match all" so we need a workaround
|
||||||
|
__sshd_compat_match_all: Match all
|
||||||
|
|