Merge branch 'master' into master

.ansible-lint

@@ -0,0 +1,2 @@
+warn_list:  # or 'skip_list' to silence them completely                       │
+  - '106'  # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+---
+repos:
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.24.2
+    hooks:
+      - id: yamllint
+        files: \.(yaml|yml)$
+        types: [file, yaml]
+        entry: yamllint --strict
+  - repo: https://github.com/ansible/ansible-lint.git
+    rev: v4.3.5
+    hooks:
+      - id: ansible-lint
+        files: \.(yaml|yml)$

.travis.yml

@@ -1,26 +1,19 @@
 ---
+dist: focal
 language: c
 sudo: required
 
 notifications:
-    webhooks: https://galaxy.ansible.com/api/v1/notifications/
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/
 
 before_install:
-  - sudo add-apt-repository -y ppa:ansible/ansible
-  - sudo apt-get update -qq
-  - sudo apt-get -qq install ansible
+  - sudo -H pip3 install ansible
 
 install:
   # Add ansible.cfg to pick up roles path.
-  - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
+  - "{ echo '[defaults]'; echo 'roles_path = ../'; echo 'deprecation_warnings=False'; } >> ansible.cfg"
 
 script:
-  # Check the ansible version.
-  - >
-    ansible --version
-    | grep -q '^ansible 2'
-    && (echo 'Ansible 2.0+ test: pass' && exit 0)
-    || (echo 'Ansible 2.0+ test: fail' && exit 1)
   # Check the roles syntax.
   - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
 
@@ -32,4 +25,3 @@ script:
     ansible-playbook -i tests/inventory tests/test.yml --connection=local --become | grep -q 'changed=0.*failed=0'
     && (echo 'Idempotence test: pass' && exit 0)
     || (echo 'Idempotence test: fail' && exit 1)
-

.yamllint.yaml

@@ -0,0 +1,21 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces: {max-spaces-inside: 1, level: error}
+  brackets: {max-spaces-inside: 1, level: error}
+  colons: {max-spaces-after: -1, level: error}
+  commas: {max-spaces-after: -1, level: error}
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines: {max: 3, level: error}
+  hyphens: {level: error}
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines: {type: unix}
+  trailing-spaces: disable
+  truthy: disable

meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   description: OpenSSH SSH daemon configuration
   company: Willsher Systems
   license: LGPLv3
-  min_ansible_version: 1.8
+  min_ansible_version: 2.8
   platforms:
   - name: Debian
     versions:
@@ -17,6 +17,8 @@ galaxy_info:
     - precise
     - trusty
     - xenial
+    - bionic
+    - focal
   - name: FreeBSD
     version:
     - 10.1
@@ -24,6 +26,7 @@ galaxy_info:
     versions:
     - 6
     - 7
+    - 8
   - name: Fedora
     versions:
     - 22

meta/options_body

@@ -17,6 +17,7 @@ AuthorizedPrincipalsCommand
 AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
+CASignatureAlgorithms
 ChallengeResponseAuthentication
 ChrootDirectory
 Ciphers
@@ -34,9 +35,9 @@ GatewayPorts
 GSSAPIAuthentication
 GSSAPICleanupCredentials
 GSSAPIKeyExchange
+GSSAPIKexAlgorithms
 GSSAPIStoreCredentialsOnRekey
 GSSAPIStrictAcceptorCheck
-GatewayPorts
 HPNBufferSize
 HPNDisabled
 HostCertificate
@@ -45,6 +46,7 @@ HostKeyAlgorithms
 HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
+Include
 IPQoS
 IgnoreRhosts
 IgnoreUserKnownHosts
@@ -64,6 +66,7 @@ MaxStartups
 NoneEnabled
 PasswordAuthentication
 PermitEmptyPasswords
+PermitListen
 PermitOpen
 PermitRootLogin
 PermitTTY
@@ -74,12 +77,15 @@ PidFile
 PrintLastLog
 PrintMotd
 PubkeyAcceptedKeyTypes
+PubkeyAuthOptions
 PubkeyAuthentication
 RSAAuthentication
 RekeyLimit
 RevokedKeys
 RDomain
 RhostsRSAAuthentication
+SecurityKeyProvider
+SetEnv
 ServerKeyBits
 StreamLocalBindMask
 StreamLocalBindUnlink
@@ -95,6 +101,7 @@ UsePAM
 UsePrivilegeSeparation
 VersionAddendum
 X11DisplayOffset
+X11MaxDisplays
 X11Forwarding
 X11UseLocalhost
 XAuthLocation

meta/options_match

@@ -23,6 +23,7 @@ GSSAPIAuthentication
 HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
+Include
 IPQoS
 KbdInteractiveAuthentication
 KerberosAuthentication
@@ -31,6 +32,7 @@ MaxAuthTries
 MaxSessions
 PasswordAuthentication
 PermitEmptyPasswords
+PermitListen
 PermitOpen
 PermitRootLogin
 PermitTTY
@@ -43,9 +45,11 @@ RekeyLimit
 RevokedKeys
 RhostsRSAAuthentication
 RSAAuthentication
+SetEnv
 StreamLocalBindMask
 StreamLocalBindUnlink
 TrustedUserCAKeys
 X11DisplayOffset
+X11MaxDisplays
 X11Forwarding
 X11UseLocalHost

tasks/install.yml

@@ -32,16 +32,25 @@
       template:
         src: "{{ sshd_service_template_service }}"
         dest: "/etc/systemd/system/{{ sshd_service }}.service"
+        owner: root
+        group: root
+        mode: "0644"
       notify: reload_sshd
     - name: Install instanced service unit file
       template:
         src: "{{ sshd_service_template_at_service }}"
         dest: "/etc/systemd/system/{{ sshd_service }}@.service"
+        owner: root
+        group: root
+        mode: "0644"
       notify: reload_sshd
     - name: Install socket unit file
       template:
         src: "{{ sshd_service_template_socket }}"
         dest: "/etc/systemd/system/{{ sshd_service }}.socket"
+        owner: root
+        group: root
+        mode: "0644"
       notify: reload_sshd
   when: sshd_install_service|bool
 

tasks/variables.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Set OS dependent variables
   include_vars: "{{ lookup('first_found', params) }}"
   vars:

templates/sshd_config.j2

@@ -58,6 +58,7 @@ Match {{ match["Condition"] }}
 {{       render_option("HostbasedAcceptedKeyTypes",match["HostbasedAcceptedKeyTypes"],true) -}}
 {{       render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
 {{       render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
+{{       render_option("Include",match["Include"],true) -}}
 {{       render_option("IPQoS",match["IPQoS"],true) -}}
 {{       render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
 {{       render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
@@ -66,6 +67,7 @@ Match {{ match["Condition"] }}
 {{       render_option("MaxSessions",match["MaxSessions"],true) -}}
 {{       render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
 {{       render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
+{{       render_option("PermitListen",match["PermitListen"],true) -}}
 {{       render_option("PermitOpen",match["PermitOpen"],true) -}}
 {{       render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
 {{       render_option("PermitTTY",match["PermitTTY"],true) -}}
@@ -78,10 +80,12 @@ Match {{ match["Condition"] }}
 {{       render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{       render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
 {{       render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
+{{       render_option("SetEnv",match["SetEnv"],true) -}}
 {{       render_option("StreamLocalBindMask",match["StreamLocalBindMask"],true) -}}
 {{       render_option("StreamLocalBindUnlink",match["StreamLocalBindUnlink"],true) -}}
 {{       render_option("TrustedUserCAKeys",match["TrustedUserCAKeys"],true) -}}
 {{       render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
+{{       render_option("X11MaxDisplays",match["X11MaxDisplays"],true) -}}
 {{       render_option("X11Forwarding",match["X11Forwarding"],true) -}}
 {{       render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
 {%     endfor %}
@@ -106,6 +110,7 @@ Match {{ match["Condition"] }}
 {{ body_option("AuthorizedPrincipalsCommandUser",sshd_AuthorizedPrincipalsCommandUser) -}}
 {{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
 {{ body_option("Banner",sshd_Banner) -}}
+{{ body_option("CASignatureAlgorithms",sshd_CASignatureAlgorithms) -}}
 {{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
 {{ body_option("ChrootDirectory",sshd_ChrootDirectory) -}}
 {{ body_option("Ciphers",sshd_Ciphers) -}}
@@ -123,6 +128,7 @@ Match {{ match["Condition"] }}
 {{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
 {{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
 {{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
+{{ body_option("GSSAPIKexAlgorithms",sshd_GSSAPIKexAlgorithms) -}}
 {{ body_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
 {{ body_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
 {{ body_option("HPNBufferSize",sshd_HPNBufferSize) -}}
@@ -133,6 +139,7 @@ Match {{ match["Condition"] }}
 {{ body_option("HostbasedAcceptedKeyTypes",sshd_HostbasedAcceptedKeyTypes) -}}
 {{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
 {{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
+{{ body_option("Include",sshd_Include) -}}
 {{ body_option("IPQoS",sshd_IPQoS) -}}
 {{ body_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
 {{ body_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
@@ -152,6 +159,7 @@ Match {{ match["Condition"] }}
 {{ body_option("NoneEnabled",sshd_NoneEnabled) -}}
 {{ body_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
 {{ body_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
+{{ body_option("PermitListen",sshd_PermitListen) -}}
 {{ body_option("PermitOpen",sshd_PermitOpen) -}}
 {{ body_option("PermitRootLogin",sshd_PermitRootLogin) -}}
 {{ body_option("PermitTTY",sshd_PermitTTY) -}}
@@ -162,12 +170,15 @@ Match {{ match["Condition"] }}
 {{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
 {{ body_option("PrintMotd",sshd_PrintMotd) -}}
 {{ body_option("PubkeyAcceptedKeyTypes",sshd_PubkeyAcceptedKeyTypes) -}}
+{{ body_option("PubkeyAuthOptions",sshd_PubkeyAuthOptions) -}}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
 {{ body_option("RDomain",sshd_RDomain) -}}
 {{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
+{{ body_option("SecurityKeyProvider",sshd_SecurityKeyProvider) -}}
+{{ body_option("SetEnv",sshd_SetEnv) -}}
 {{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
 {{ body_option("StreamLocalBindMask",sshd_StreamLocalBindMask) -}}
 {{ body_option("StreamLocalBindUnlink",sshd_StreamLocalBindUnlink) -}}
@@ -183,6 +194,7 @@ Match {{ match["Condition"] }}
 {{ body_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
 {{ body_option("VersionAddendum",sshd_VersionAddendum) -}}
 {{ body_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
+{{ body_option("X11MaxDisplays",sshd_X11MaxDisplays) -}}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}

vars/Debian_10.yml

@@ -32,4 +32,3 @@ __sshd_defaults:
   Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes
 __sshd_os_supported: yes
-

vars/Ubuntu_20.yml

@@ -0,0 +1,14 @@
+---
+__sshd_service: ssh
+__sshd_packages:
+  - openssh-server
+  - openssh-sftp-server
+__sshd_config_mode: "0644"
+__sshd_defaults:
+  ChallengeResponseAuthentication: no
+  UsePAM: yes
+  X11Forwarding: yes
+  PrintMotd: no
+  AcceptEnv: LANG LC_*
+  Subsystem: "sftp  /usr/lib/openssh/sftp-server"
+__sshd_os_supported: yes