More distro supported, better docs

2024-11-09 21:23:29 +01:00 · 2014-12-22 20:18:35 +00:00 · 2014-12-22 20:18:35 +00:00 · 3689ad7020
commit 3689ad7020
parent 906d8d574d
9 changed files with 77 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -1,20 +1,24 @@
 # Ansible OpenSSH Daemon Role

-This role configures OpenSSH. It:
+This role configures the OpenSSH daemon. It:

- By default, with no set options, creates an empty configuration file.
- Can use a dict of the form:
-```
+- By default configures the SSH daemon with the normal OS defaults. Defaults can be disabled by setting `sshd_skip_defaults: true`
+- Supports use of a dict to configure items:
+
+```yaml
 sshd:
  Compression: delayed
  ListenAddress:
    - 0.0.0.0
-    - ::
 ```
- Can also use scalar variables of the form `sshd_ListenAddress`
- Scalar override dict values.
- Allows the use of booleans for keys with yes/no values, including those with additional non-boolean values such as `Compression`, which has the additional `delayed` option
- Tests the sshd_config before reloading sshd
- Template is programmatically generated. See the files in the meta folder.

-It should cover all valid SSH options.
+- Can use scalars rather than a dict. Scalar values override dict values:
+
+```yaml
+sshd_Compression: off
+```
+
+- Correctly interprets booleans as yes and no in sshd configuration
+- Supports lists for multi line configuration items
+- Tests the sshd_config before reloading sshd
+- Template is programmatically generated. See the files in the meta folder. It should cover all valid SSH options.
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,20 +1,21 @@
 ---
 galaxy_info:
  author: Matt Willsher
-  description: OpenSSH Deamon configuration
+  description: OpenSSH SSH deamon configuration
  company: Willsher Systems
-  license: MIT
+  license: GPLv3
  min_ansible_version: 1.8
  platforms:
  - name: Ubuntu
    versions:
-    - all
-  - name: Debian
-    versions:
-    - all
+    - trusty
  - name: FreeBSD
    version:
-    - all
+    - 10.1
+  - name: EL
+    versions:
+    - 6
+    - 7
  categories:
  - system
 dependencies: []
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,8 +2,8 @@
 - name: Role set up
  include_vars: "{{ item }}"
  with_first_found:
-   - "{{ ansible_distribution }}.yml"
   - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_distribution }}.yml"
   - "{{ ansible_os_family }}.yml"
   - default.yml

@ -28,3 +28,4 @@
    name: "{{ sshd_service }}"
    enabled: true
    state: running
+
--- a/vars/Amazon.yml
+++ b/vars/Amazon.yml
@ -0,0 +1,22 @@
+---
+sshd_config_mode: '0644'
+sshd_packages:
+  - openssh
+  - openssh-server
+sshd_sftp_server: /usr/libexec/openssh/sftp-server
+sshd:
+  SyslogFacility: AUTHPRIV
+  PermitRootLogin: forced-commands-only
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: no
+  ChallengeResponseAuthentication: no
+  UsePAM: yes
+  X11Forwarding: yes
+  PrintLastLog: yes
+  UsePrivilegeSeparation: sandbox
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@ -5,10 +5,34 @@ sshd_packages:
  - openssh-blacklist
  - openssh-blacklist-extra
  - openssh-sftp-server
+sshd_config_mode: "0644"
 sshd_defaults:
+  Port: 22
+  Protocol: 2
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+  UsePrivilegeSeperation: yes
+  KeyRegenerationInterval: 3600
+  ServerKeyBits: 768
+  SyslogFacility: AUTH
+  LogLevel: INFO
+  LoginGraceTime: 120
+  PermitRootLogin: yes
+  StrictModes: yes
+  RSAAuthentication: yes
+  PubkeyAuthentication: yes
+  IgnoreRhosts: yes
+  RhostsRSAAuthentication: no
+  HostbaseAuthentication: no
+  PermitEmptyPasswords: no
  ChallengeResponseAuthentication: no
  X11Forwarding: yes
+  X11DisplayOffset: 10
  PrintMotd: no
+  PrintLastLog: yes
+  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
  UsePAM: yes
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@ -1,3 +1,4 @@
 ---
 sshd_config_group: wheel
+sshd_config_mode: "0644"
 sshd_sftp_server: /usr/libexec/sftp-server
--- a/vars/RedHat_6.yml
+++ b/vars/RedHat_6.yml
@ -17,4 +17,4 @@ sshd_defaults:
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
  X11Forwarding: yes
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@ -21,4 +21,4 @@ sshd_defaults:
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
--- a/vars/Ubuntu.yml
+++ b/vars/Ubuntu.yml
@ -8,7 +8,7 @@ sshd_packages:
 sshd_defaults:
  Port: 22
  Protocol: 2
-  HostKey: 
+  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_ecdsa_key
@ -34,5 +34,5 @@ sshd_defaults:
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: sftp {{ sshd_sftp_server }}
+  Subsystem: "sftp {{ sshd_sftp_server }}"
  UsePAM: yes