mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-26 04:50:18 +01:00
Merge pull request #165 from Jakuje/centos6
This commit is contained in:
commit
1c5c48835e
8 changed files with 56 additions and 15 deletions
19
.github/workflows/ansible-centos6.yml
vendored
Normal file
19
.github/workflows/ansible-centos6.yml
vendored
Normal file
|
@ -0,0 +1,19 @@
|
|||
name: Run tests on CentOS 6
|
||||
|
||||
on: [push, pull_request]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# Workaround missing support for end_host in old ansible
|
||||
- run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml"
|
||||
|
||||
- name: ansible check with centos:6
|
||||
uses: roles-ansible/check-ansible-centos-centos6-action@master
|
||||
with:
|
||||
group: local
|
||||
hosts: localhost
|
||||
targets: "tests/*.yml"
|
|
@ -126,7 +126,7 @@
|
|||
group: "{{ sshd_config_group }}"
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
block: |
|
||||
Match all
|
||||
{{ __sshd_compat_match_all }}
|
||||
{{ lookup('template', 'sshd_config_snippet.j2') }}
|
||||
create: yes
|
||||
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
|
||||
|
|
|
@ -16,8 +16,8 @@
|
|||
sshd_config_file: /etc/ssh/sshd_config
|
||||
sshd_config_namespace: nm1
|
||||
sshd:
|
||||
AcceptEnv: EDITOR
|
||||
PasswordAuthentication: yes
|
||||
PermitRootLogin: yes
|
||||
Match:
|
||||
Condition: user root
|
||||
AllowAgentForwarding: no
|
||||
|
@ -29,8 +29,8 @@
|
|||
sshd_config_file: /etc/ssh/sshd_config
|
||||
sshd_config_namespace: nm2
|
||||
sshd:
|
||||
AcceptEnv: LS_COLORS
|
||||
PasswordAuthentication: no
|
||||
PermitRootLogin: no
|
||||
Match:
|
||||
Condition: Address 127.0.0.1
|
||||
AllowTcpForwarding: no
|
||||
|
@ -60,17 +60,31 @@
|
|||
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
|
||||
register: nonmatching
|
||||
|
||||
- name: Check content of configuration file (blocks)
|
||||
assert:
|
||||
that:
|
||||
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
|
||||
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
|
||||
when:
|
||||
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
|
||||
|
||||
- name: Check content of configuration file (blocks for RHEL 6)
|
||||
assert:
|
||||
that:
|
||||
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
|
||||
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6'
|
||||
|
||||
- name: Check content of configuration file
|
||||
assert:
|
||||
that:
|
||||
- "'AcceptEnv EDITOR' in config.content | b64decode"
|
||||
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
|
||||
- "'PermitRootLogin yes' in config.content | b64decode"
|
||||
- "'PasswordAuthentication yes' in config.content | b64decode"
|
||||
- "'Match user root' in config.content | b64decode"
|
||||
- "'AllowAgentForwarding no' in config.content | b64decode"
|
||||
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
|
||||
- "'AcceptEnv LS_COLORS' in config.content | b64decode"
|
||||
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
|
||||
- "'PermitRootLogin no' in config.content | b64decode"
|
||||
- "'PasswordAuthentication no' in config.content | b64decode"
|
||||
- "'Match Address 127.0.0.1' in config.content | b64decode"
|
||||
- "'AllowTcpForwarding no' in config.content | b64decode"
|
||||
|
@ -80,9 +94,8 @@
|
|||
# note, the options are in lower-case here
|
||||
assert:
|
||||
that:
|
||||
- "'acceptenv EDITOR' in runtime.stdout"
|
||||
- "'permitrootlogin yes' in runtime.stdout"
|
||||
- "'allowagentforwarding no' in runtime.stdout"
|
||||
- "'acceptenv LS_COLORS' in runtime.stdout"
|
||||
- "'allowtcpforwarding no' in runtime.stdout"
|
||||
- "'passwordauthentication yes' in runtime.stdout"
|
||||
|
||||
|
@ -90,9 +103,8 @@
|
|||
# note, the options are in lower-case here
|
||||
assert:
|
||||
that:
|
||||
- "'acceptenv EDITOR' in nonmatching.stdout"
|
||||
- "'permitrootlogin yes' in runtime.stdout"
|
||||
- "'allowAgentforwarding no' not in nonmatching.stdout"
|
||||
- "'acceptenv LS_COLORS' in nonmatching.stdout"
|
||||
- "'allowtcpforwarding no' not in nonmatching.stdout"
|
||||
- "'passwordauthentication yes' in nonmatching.stdout"
|
||||
tags: tests::verify
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
msg: "Role has not failed when it should have"
|
||||
when:
|
||||
- ansible_facts['os_family'] != 'Debian'
|
||||
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
tags: tests::verify
|
||||
|
||||
- name: Make sure the key was not created
|
||||
|
@ -52,6 +52,8 @@
|
|||
register: result
|
||||
failed_when: result.changed
|
||||
tags: tests::verify
|
||||
when:
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -34,7 +34,8 @@
|
|||
that:
|
||||
- runtime_before.stdout == runtime_after.stdout
|
||||
when:
|
||||
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
# RHEL6/CentOS6 images have modified sshd_config, different from what is in rpm package
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: Restore configuration files
|
||||
include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -48,6 +48,8 @@
|
|||
- ansible_failed_result.msg != 'UNREACH'
|
||||
- not role_result.changed
|
||||
msg: "Role has not failed when it should have"
|
||||
when:
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: Make sure service is still running
|
||||
service:
|
||||
|
@ -56,6 +58,8 @@
|
|||
register: result
|
||||
failed_when: result.changed
|
||||
tags: tests::verify
|
||||
when:
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -22,3 +22,4 @@ __sshd_defaults:
|
|||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_sysconfig_supports_use_strong_rng: true
|
||||
__sshd_compat_match_all: Match address *
|
||||
|
|
|
@ -5,3 +5,5 @@ __sshd_config_mode: "0600"
|
|||
__sshd_hostkey_owner: "root"
|
||||
__sshd_hostkey_group: "root"
|
||||
__sshd_hostkey_mode: "0600"
|
||||
# The OpenSSH 5.3 in RHEL6 does not support "Match all" so we need a workaround
|
||||
__sshd_compat_match_all: Match all
|
||||
|
|
Loading…
Reference in a new issue