feat: New options in OpenSSH + fixes for bugx in OpenSSH 9.9p1 (#304)

* Add new options from OpenSSH 9.9p1 Signed-off-by: Jakub Jelen <jjelen@redhat.com> * ci: Add CentOS10 Signed-off-by: Jakub Jelen <jjelen@redhat.com> * tests: Use LogLevel option for testing to avoid OpenSSH 9.9 bug The OpenSSH 9.9p1 has a bug in parsing/printing the Compression option so lets use different option for testing. https://bugzilla.mindrot.org/show_bug.cgi?id=3759 Signed-off-by: Jakub Jelen <jjelen@redhat.com> --------- Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-12-22 00:20:18 +01:00 · 2024-12-17 05:36:51 +01:00 · 2024-12-17 05:36:51 +01:00 · 426469d984
commit 426469d984
parent da3e33ec46
7 changed files with 28 additions and 8 deletions
--- a/.github/workflows/ansible-centos-check.yml
+++ b/.github/workflows/ansible-centos-check.yml
@ -74,3 +74,17 @@ jobs:
          hosts: localhost
          targets: "tests/tests_*.yml"
          requirements: tests/requirements.yml
+
+  centos-10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v4
+
+      - name: ansible check with centos 10
+        uses: roles-ansible/check-ansible-centos-centos10-action@main
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+          requirements: tests/requirements.yml
--- a/meta/options_body
+++ b/meta/options_body
@ -96,6 +96,7 @@ PubkeyAuthOptions
 PubkeyAuthentication
 RSAAuthentication
 RSAMinSize
+RefuseConnection
 RekeyLimit
 RequiredRSASize
 RevokedKeys
--- a/meta/options_match
+++ b/meta/options_match
@ -50,6 +50,7 @@ PubkeyAcceptedAlgorithms
 PubkeyAuthentication
 PubkeyAuthOptions
 RDomain
+RefuseConnection
 RekeyLimit
 RevokedKeys
 RequiredRSASize
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@ -96,6 +96,7 @@ Match {{ match["Condition"] }}
 {{       render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
 {{       render_option("PubkeyAuthOptions",match["PubkeyAuthOptions"],true) -}}
 {{       render_option("RDomain",match["RDomain"],true) -}}
+{{       render_option("RefuseConnection",match["RefuseConnection"],true) -}}
 {{       render_option("RekeyLimit",match["RekeyLimit"],true) -}}
 {{       render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{       render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
@ -221,6 +222,7 @@ Match {{ match["Condition"] }}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
+{{ body_option("RefuseConnection",sshd_RefuseConnection) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
@ -94,6 +94,7 @@ Match {{ match["Condition"] }}
 {{       render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
 {{       render_option("PubkeyAuthOptions",match["PubkeyAuthOptions"],true) -}}
 {{       render_option("RDomain",match["RDomain"],true) -}}
+{{       render_option("RefuseConnection",match["RefuseConnection"],true) -}}
 {{       render_option("RekeyLimit",match["RekeyLimit"],true) -}}
 {{       render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{       render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
@ -219,6 +220,7 @@ Match {{ match["Condition"] }}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
+{{ body_option("RefuseConnection",sshd_RefuseConnection) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@ -37,7 +37,7 @@
          AcceptEnv: LANG
          Banner: /etc/issue
          Ciphers: aes256-ctr
-        sshd_Compression: false  # noqa var-naming
+        sshd_LogLevel: DEBUG1  # noqa var-naming

    - name: Configure second alternative sshd_config file
      ansible.builtin.include_role:
@ -95,7 +95,7 @@
              - "'AcceptEnv LANG' in config.content | b64decode"
              - "'Banner /etc/issue' in config.content | b64decode"
              - "'Ciphers aes256-ctr' in config.content | b64decode"
-              - "'Compression no' in config.content | b64decode"
+              - "'LogLevel DEBUG1' in config.content | b64decode"

        - name: Check Fedora/RHEL9+ defaults are present in the first configuration file
          ansible.builtin.assert:
@ -159,7 +159,7 @@
              - "'Ciphers aes128-ctr' in config2.content | b64decode"
              - "'HostKey' not in config2.content | b64decode"
              - "'MaxStartups 100' in config2.content | b64decode"
-              - "'Compression no' not in config2.content | b64decode"
+              - "'LogLevel DEBUG1' not in config2.content | b64decode"

        - name: Check content of the main configuration file
          ansible.builtin.assert:
@ -169,7 +169,7 @@
              - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode"
              - "'PasswordAuthentication no' in config3.content | b64decode"
              - "'MaxStartups 100' not in config3.content | b64decode"
-              - "'Compression no' not in config3.content | b64decode"
+              - "'LogLevel DEBUG1' not in config3.content | b64decode"

        - name: Check the main configuration file contains some default values for RHEL 9
          ansible.builtin.assert:
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@ -39,7 +39,7 @@
      AcceptEnv: LANG
      Banner: /etc/issue
      Ciphers: aes256-ctr
-    sshd_Compression: false  # noqa var-naming
+    sshd_LogLevel: DEBUG1  # noqa var-naming

 # Configure second alternative sshd_config file
 - name: Test first alternative role file
@ -113,7 +113,7 @@
              - "'AcceptEnv LANG' in config.content | b64decode"
              - "'Banner /etc/issue' in config.content | b64decode"
              - "'Ciphers aes256-ctr' in config.content | b64decode"
-              - "'Compression no' in config.content | b64decode"
+              - "'LogLevel DEBUG1' in config.content | b64decode"

        - name: Check Fedora/RHEL9+ defaults are present in the first configuration file
          ansible.builtin.assert:
@ -177,7 +177,7 @@
              - "'Ciphers aes128-ctr' in config2.content | b64decode"
              - "'HostKey' not in config2.content | b64decode"
              - "'MaxStartups 100' in config2.content | b64decode"
-              - "'Compression no' not in config2.content | b64decode"
+              - "'LogLevel DEBUG1' not in config2.content | b64decode"

        - name: Check content of the main configuration file
          ansible.builtin.assert:
@ -187,7 +187,7 @@
              - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode"
              - "'PasswordAuthentication no' in config3.content | b64decode"
              - "'MaxStartups 100' not in config3.content | b64decode"
-              - "'Compression no' not in config3.content | b64decode"
+              - "'LogLevel DEBUG1' not in config3.content | b64decode"

        - name: Check the main configuration file contains some default values for RHEL 9
          ansible.builtin.assert: