From 426469d9844d0c1953d99432e7417ba26911a692 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 17 Dec 2024 05:36:51 +0100
Subject: [PATCH] feat: New options in OpenSSH + fixes for bugx in OpenSSH 9.9p1 (#304)

* Add new options from OpenSSH 9.9p1
Signed-off-by: Jakub Jelen
* ci: Add CentOS10
Signed-off-by: Jakub Jelen
* tests: Use LogLevel option for testing to avoid OpenSSH 9.9 bug
The OpenSSH 9.9p1 has a bug in parsing/printing the Compression option so lets use different option for testing.
https://bugzilla.mindrot.org/show_bug.cgi?id=3759
Signed-off-by: Jakub Jelen
---------
Signed-off-by: Jakub Jelen
---
 .github/workflows/ansible-centos-check.yml | 14 ++++++++++++++
 meta/options_body | 1 +
 meta/options_match | 1 +
 templates/sshd_config.j2 | 2 ++
 templates/sshd_config_snippet.j2 | 2 ++
 tests/tests_alternative_file.yml | 8 ++++----
 tests/tests_alternative_file_role.yml | 8 ++++----
 7 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ansible-centos-check.yml b/.github/workflows/ansible-centos-check.yml
index 9b3fd2b..c224ba1 100644
--- a/.github/workflows/ansible-centos-check.yml
+++ b/.github/workflows/ansible-centos-check.yml
@@ -74,3 +74,17 @@ jobs:
 hosts: localhost
 targets: "tests/tests_*.yml"
 requirements: tests/requirements.yml
+
+ centos-10:
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout PR
+ uses: actions/checkout@v4
+
+ - name: ansible check with centos 10
+ uses: roles-ansible/check-ansible-centos-centos10-action@main
+ with:
+ group: local
+ hosts: localhost
+ targets: "tests/tests_*.yml"
+ requirements: tests/requirements.yml
diff --git a/meta/options_body b/meta/options_body
index 87b8f17..5d1bdbd 100644
--- a/meta/options_body
+++ b/meta/options_body
@@ -96,6 +96,7 @@ PubkeyAuthOptions
 PubkeyAuthentication
 RSAAuthentication
 RSAMinSize
+RefuseConnection
 RekeyLimit
 RequiredRSASize
 RevokedKeys
diff --git a/meta/options_match b/meta/options_match
index 5889cc9..7efa6d3 100644
--- a/meta/options_match
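Review bot: The new centos-10 job pins its third-party action to a moving branch, `uses: roles-ansible/check-ansible-centos-centos10-action@main`, so any push to that branch changes what runs against this repository's checkout with no review on this side; the `actions/checkout@v4` step in the same job is at least tag-pinned. Pinning to a full-length commit SHA with the release in a trailing comment, e.g. `uses: roles-ansible/check-ansible-centos-centos10-action@<full-commit-sha>  # <release-tag>` (placeholders), makes the job reproducible and still lets Dependabot propose updates. The `uses:` lines of the sibling jobs lie outside this hunk, so whether they follow the same pattern cannot be told from here; if they do, they are worth changing together. The `jobs:` mapping this job is appended to starts before the hunk.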
+++ b/meta/options_match
@@ -50,6 +50,7 @@ PubkeyAcceptedAlgorithms
 PubkeyAuthentication
 PubkeyAuthOptions
 RDomain
+RefuseConnection
 RekeyLimit
 RevokedKeys
 RequiredRSASize
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index adcfeb7..975d5be 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -96,6 +96,7 @@ Match {{ match["Condition"] }}
 {{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
 {{ render_option("PubkeyAuthOptions",match["PubkeyAuthOptions"],true) -}}
 {{ render_option("RDomain",match["RDomain"],true) -}}
+{{ render_option("RefuseConnection",match["RefuseConnection"],true) -}}
 {{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
 {{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{ render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
@@ -221,6 +222,7 @@ Match {{ match["Condition"] }}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
+{{ body_option("RefuseConnection",sshd_RefuseConnection) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
index 07d4c9c..0fa5aa8 100644
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
@@ -94,6 +94,7 @@ Match {{ match["Condition"] }}
 {{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
 {{ render_option("PubkeyAuthOptions",match["PubkeyAuthOptions"],true) -}}
 {{ render_option("RDomain",match["RDomain"],true) -}}
+{{ render_option("RefuseConnection",match["RefuseConnection"],true) -}}
 {{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
 {{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{ render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
@@ -219,6 +220,7 @@ Match {{ match["Condition"] }}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
+{{ body_option("RefuseConnection",sshd_RefuseConnection) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index b54a8f6..c1cca39 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -37,7 +37,7 @@
 AcceptEnv: LANG
 Banner: /etc/issue
 Ciphers: aes256-ctr
- sshd_Compression: false # noqa var-naming
+ sshd_LogLevel: DEBUG1 # noqa var-naming
 - name: Configure second alternative sshd_config file
 ansible.builtin.include_role:
@@ -95,7 +95,7 @@ - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode" - "'Ciphers aes256-ctr' in config.content | b64decode" - "'Compression no' in config.content | b64decode" + "'LogLevel DEBUG1' in config.content | b64decode" - name: Check Fedora/RHEL9+ defaults are present in the first configuration file ansible.builtin.assert:
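Review bot: The reason for switching the test variable from `sshd_Compression` to `sshd_LogLevel` in the `@@ -37,7 +37,7 @@` hunk of tests/tests_alternative_file.yml lives only in the commit message, so a later cleanup could reasonably "restore" Compression and reintroduce the flaky result on OpenSSH 9.9p1. A comment on the new line, `sshd_LogLevel: DEBUG1  # noqa var-naming -- not Compression: OpenSSH 9.9p1 mis-parses/prints it, see https://bugzilla.mindrot.org/show_bug.cgi?id=3759`, keeps the constraint next to the value; the same applies to the `@@ -39,7 +39,7 @@` hunk of tests/tests_alternative_file_role.yml. The assertions on `'LogLevel DEBUG1'` in the later hunks of both files are plain substring checks on the rendered file, which is adequate here because the option name and value are rendered on one line. The task list this variable belongs to begins before the hunk.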
@@ -159,7 +159,7 @@ - "'Ciphers aes128-ctr' in config2.content | b64decode" - "'HostKey' not in config2.content | b64decode" - "'MaxStartups 100' in config2.content | b64decode" - "'Compression no' not in config2.content | b64decode" + "'LogLevel DEBUG1' not in config2.content | b64decode" - name: Check content of the main configuration file ansible.builtin.assert:
@@ -169,7 +169,7 @@ - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode" - "'PasswordAuthentication no' in config3.content | b64decode" - "'MaxStartups 100' not in config3.content | b64decode" - "'Compression no' not in config3.content | b64decode" + "'LogLevel DEBUG1' not in config3.content | b64decode" - name: Check the main configuration file contains some default values for RHEL 9 ansible.builtin.assert:
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 63a76f7..5a49390 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -39,7 +39,7 @@
 AcceptEnv: LANG
 Banner: /etc/issue
 Ciphers: aes256-ctr
- sshd_Compression: false # noqa var-naming
+ sshd_LogLevel: DEBUG1 # noqa var-naming
 # Configure second alternative sshd_config file
 - name: Test first alternative role file
@@ -113,7 +113,7 @@ - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode" - "'Ciphers aes256-ctr' in config.content | b64decode" - "'Compression no' in config.content | b64decode" + "'LogLevel DEBUG1' in config.content | b64decode" - name: Check Fedora/RHEL9+ defaults are present in the first configuration file ansible.builtin.assert:
@@ -177,7 +177,7 @@ - "'Ciphers aes128-ctr' in config2.content | b64decode" - "'HostKey' not in config2.content | b64decode" - "'MaxStartups 100' in config2.content | b64decode" - "'Compression no' not in config2.content | b64decode" + "'LogLevel DEBUG1' not in config2.content | b64decode" - name: Check content of the main configuration file ansible.builtin.assert:
@@ -187,7 +187,7 @@ - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode" - "'PasswordAuthentication no' in config3.content | b64decode" - "'MaxStartups 100' not in config3.content | b64decode" - "'Compression no' not in config3.content | b64decode" + "'LogLevel DEBUG1' not in config3.content | b64decode" - name: Check the main configuration file contains some default values for RHEL 9 ansible.builtin.assert: