From 4e22a9618d87f8fedc1d2f36ff154e90071a5caf Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 17 Aug 2022 11:53:56 +0000
Subject: [PATCH] Fixes un-overrideable public api variables
---
 defaults/main.yml | 9 +++++----
 vars/AIX.yml | 6 +++---
 vars/Amazon.yml | 6 +++---
 vars/Arch Linux.yml | 12 +++++++++++-
 vars/Archlinux.yml | 6 +++---
 vars/Container Linux by CoreOS.yml | 8 ++++----
 vars/Debian.yml | 6 +++---
 vars/Debian_10.yml | 6 +++---
 vars/Debian_11.yml | 6 +++---
 vars/Debian_8.yml | 6 +++---
 vars/Debian_9.yml | 6 +++---
 vars/Fedora.yml | 4 ++--
 vars/Fedora_31.yml | 6 +++---
 vars/FreeBSD.yml | 4 ++--
 vars/Gentoo.yml | 6 +++---
 vars/OpenBSD.yml | 4 ++--
 vars/RedHat_6.yml | 6 +++---
 vars/RedHat_7.yml | 6 +++---
 vars/RedHat_8.yml | 6 +++---
 vars/RedHat_9.yml | 4 ++--
 vars/Suse.yml | 6 +++---
 vars/Ubuntu_12.yml | 6 +++---
 vars/Ubuntu_14.yml | 6 +++---
 vars/Ubuntu_16.yml | 6 +++---
 vars/Ubuntu_18.yml | 6 +++---
 vars/Ubuntu_20.yml | 4 ++--
 vars/Ubuntu_22.yml | 4 ++--
 vars/common.yml | 4 ++++
 vars/openSUSE Leap_15.yml | 6 +++---
 29 files changed, 93 insertions(+), 78 deletions(-)
 mode change 120000 => 100644 vars/Arch Linux.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 045270c..8aabc2d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -48,13 +48,14 @@ sshd_config_file: "{{ __sshd_config_file }}" ### VARS DEFAULTS ### The following are defaults for OS specific configuration in var files in ### this role. They should not be set directly by role users. -sshd_packages: [] +sshd_packages: "{{ __sshd_packages }}" sshd_config_owner: "{{ __sshd_config_owner }}" sshd_config_group: "{{ __sshd_config_group }}" sshd_config_mode: "{{ __sshd_config_mode }}" -sshd_binary: /usr/sbin/sshd -sshd_service: sshd -sshd_sftp_server: /usr/lib/openssh/sftp-server +sshd_service: "{{ __sshd_service }}" +sshd_binary: "{{ __sshd_binary }}" +sshd_service: "{{ __sshd_service }}" +sshd_sftp_server: "{{ __sshd_sftp_server }}" # This lists by default all hostkeys as rendered in the generated configuration # file ("auto"). Before attempting to run sshd (either for verification of diff --git a/vars/AIX.yml b/vars/AIX.yml index b2dfe0e..5159c90 100644 --- a/vars/AIX.yml +++ b/vars/AIX.yml @@ -2,11 +2,11 @@ __sshd_config_mode: '0644' # sshd is not installed by yum / AIX toolbox for Linux. # You'll need to manually install them using AIX Web Download Packs. -sshd_packages: [] -sshd_sftp_server: /usr/sbin/sftp-server +__sshd_packages: [] +__sshd_sftp_server: /usr/sbin/sftp-server __sshd_config_group: system __sshd_defaults: - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes sshd_install_service: no diff --git a/vars/Amazon.yml b/vars/Amazon.yml index 8e3bfbc..b3f4efe 100644 --- a/vars/Amazon.yml +++ b/vars/Amazon.yml @@ -1,9 +1,9 @@ --- __sshd_config_mode: '0644' -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_defaults: SyslogFacility: AUTHPRIV PermitRootLogin: forced-commands-only 
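Review bot: The new block in defaults/main.yml defines `sshd_service: "{{ __sshd_service }}"` twice, once before and once after `sshd_binary`, which is why the hunk grows by one line (13 → 14) while only three keys were replaced. A duplicate mapping key is invalid YAML; Ansible's loader at best warns about it (behaviour depends on its duplicate-key setting) and other YAML tooling will silently keep the last value, so this should not ship. Drop the first occurrence so the run reads `sshd_binary: "{{ __sshd_binary }}"` followed by a single `sshd_service: "{{ __sshd_service }}"`, matching the binary-then-service order of the lines being removed.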
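Review bot: Pointing `__sshd_defaults` at the private variable, `Subsystem: "sftp {{ __sshd_sftp_server }}"`, reintroduces the problem the commit title is fixing: a role user who overrides the public `sshd_sftp_server` will get their value in that variable but the generated `Subsystem sftp` line will still use the vars-file path. Ansible templates variables lazily, so keeping the original `Subsystem: "sftp {{ sshd_sftp_server }}"` in the vars files would resolve through the new `sshd_sftp_server: "{{ __sshd_sftp_server }}"` default and remain overridable. The same rename of the Subsystem line appears in the Amazon, Arch Linux, Archlinux, Container Linux by CoreOS, Debian, Debian_8/9/10/11, Fedora_31, FreeBSD, Gentoo, OpenBSD, RedHat_6/7/8, Suse, Ubuntu_12/14/16/18 and openSUSE Leap_15 hunks. The context line `sshd_install_service: no` is a public variable still set at vars-file precedence in this file, which looks like the same un-overridable pattern, though that may be deliberate for AIX.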
@@ -19,5 +19,5 @@ __sshd_defaults: - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - LC_IDENTIFICATION LC_ALL LANGUAGE - XMODIFIERS - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes diff --git a/vars/Arch Linux.yml b/vars/Arch Linux.yml deleted file mode 120000 index d255bcd..0000000 --- a/vars/Arch Linux.yml +++ /dev/null @@ -1 +0,0 @@ -Archlinux.yml \ No newline at end of file diff --git a/vars/Arch Linux.yml b/vars/Arch Linux.yml new file mode 100644 index 0000000..35d602f --- /dev/null +++ b/vars/Arch Linux.yml @@ -0,0 +1,11 @@ +--- +__sshd_packages: + - openssh +__sshd_sftp_server: /usr/lib/ssh/sftp-server +__sshd_defaults: + AuthorizedKeysFile: .ssh/authorized_keys + ChallengeResponseAuthentication: no + PrintMotd: no + Subsystem: "sftp {{ __sshd_sftp_server }}" + UsePAM: yes +__sshd_os_supported: yes diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml index de1da39..35d602f 100644 --- a/vars/Archlinux.yml +++ b/vars/Archlinux.yml @@ -1,11 +1,11 @@ --- -sshd_packages: +__sshd_packages: - openssh -sshd_sftp_server: /usr/lib/ssh/sftp-server +__sshd_sftp_server: /usr/lib/ssh/sftp-server __sshd_defaults: AuthorizedKeysFile: .ssh/authorized_keys ChallengeResponseAuthentication: no PrintMotd: no - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes diff --git a/vars/Container Linux by CoreOS.yml b/vars/Container Linux by CoreOS.yml index 656b455..ea362e9 100644 --- a/vars/Container Linux by CoreOS.yml +++ b/vars/Container Linux by CoreOS.yml @@ -1,10 +1,10 @@ --- # There is no package manager in CoreOS -sshd_packages: [] -sshd_service: sshd -sshd_sftp_server: internal-sftp +__sshd_packages: [] +__sshd_service: sshd +__sshd_sftp_server: internal-sftp __sshd_defaults: - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" ClientAliveInterval: 180 UseDNS: no UsePAM: yes 
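Review bot: `vars/Arch Linux.yml` changes from a symlink to `Archlinux.yml` into a full copy of that file's content (same blob 35d602f on both sides), so the two files will now drift the first time only one of them is edited. If the symlink had to go for tooling reasons, a comment at the top of the new file such as `# Keep in sync with vars/Archlinux.yml (same platform, different ansible_distribution spelling)` would at least flag the duplication; otherwise the `include_vars` lookup could normalise the distribution name and load a single file. If the mode change was unintentional, the new-file hunk should be reverted to the symlink rather than carrying two copies.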
diff --git a/vars/Debian.yml b/vars/Debian.yml index b9b6ff9..53c04f4 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server __sshd_config_mode: "0644" __sshd_defaults: @@ -31,7 +31,7 @@ __sshd_defaults: PrintLastLog: yes TCPKeepAlive: yes AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes __sshd_runtime_directory: /run/sshd diff --git a/vars/Debian_10.yml b/vars/Debian_10.yml index 8246ad0..ba99b99 100644 --- a/vars/Debian_10.yml +++ b/vars/Debian_10.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" @@ -9,7 +9,7 @@ __sshd_defaults: X11Forwarding: yes PrintMotd: no AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes __sshd_runtime_directory: /run/sshd diff --git a/vars/Debian_11.yml b/vars/Debian_11.yml index 8246ad0..ba99b99 100644 --- a/vars/Debian_11.yml +++ b/vars/Debian_11.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" @@ -9,7 +9,7 @@ __sshd_defaults: X11Forwarding: yes PrintMotd: no AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes __sshd_runtime_directory: /run/sshd diff --git a/vars/Debian_8.yml b/vars/Debian_8.yml index 11359a1..4a4f10a 100644 --- a/vars/Debian_8.yml +++ b/vars/Debian_8.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" 
@@ -33,7 +33,7 @@ __sshd_defaults: PrintLastLog: yes TCPKeepAlive: yes AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes __sshd_runtime_directory: /run/sshd diff --git a/vars/Debian_9.yml b/vars/Debian_9.yml index 8246ad0..ba99b99 100644 --- a/vars/Debian_9.yml +++ b/vars/Debian_9.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" @@ -9,7 +9,7 @@ __sshd_defaults: X11Forwarding: yes PrintMotd: no AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes __sshd_runtime_directory: /run/sshd diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 63269da..cbf709c 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -1,10 +1,10 @@ --- __sshd_os_supported: yes -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server # Fedora 32 ships with drop-in directory support so we touch # just included file with highest priority by default __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf diff --git a/vars/Fedora_31.yml b/vars/Fedora_31.yml index 821e109..18cf450 100644 --- a/vars/Fedora_31.yml +++ b/vars/Fedora_31.yml @@ -1,8 +1,8 @@ --- -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_defaults: HostKey: - /etc/ssh/ssh_host_rsa_key 
@@ -21,7 +21,7 @@ __sshd_defaults: - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - LC_IDENTIFICATION LC_ALL LANGUAGE - XMODIFIERS - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes __sshd_sysconfig_supports_crypto_policy: true __sshd_hostkey_group: ssh_keys diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml index a650c86..b17bfe5 100644 --- a/vars/FreeBSD.yml +++ b/vars/FreeBSD.yml @@ -1,7 +1,7 @@ --- __sshd_config_group: wheel __sshd_config_mode: "0644" -sshd_sftp_server: /usr/libexec/sftp-server +__sshd_sftp_server: /usr/libexec/sftp-server __sshd_defaults: - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes diff --git a/vars/Gentoo.yml b/vars/Gentoo.yml index efb54df..bb18bc6 100644 --- a/vars/Gentoo.yml +++ b/vars/Gentoo.yml @@ -1,9 +1,9 @@ --- -sshd_packages: +__sshd_packages: - net-misc/openssh -sshd_sftp_server: /usr/lib64/misc/sftp-server +__sshd_sftp_server: /usr/lib64/misc/sftp-server __sshd_defaults: - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" # Replace tcp keepalive with unspoofable keepalive TCPKeepAlive: no ClientAliveInterval: 300 diff --git a/vars/OpenBSD.yml b/vars/OpenBSD.yml index 1d2a0b1..948ed6b 100644 --- a/vars/OpenBSD.yml +++ b/vars/OpenBSD.yml @@ -1,9 +1,9 @@ --- __sshd_config_group: wheel __sshd_config_mode: "0600" -sshd_sftp_server: /usr/libexec/sftp-server +__sshd_sftp_server: /usr/libexec/sftp-server __sshd_defaults: AuthorizedKeysFile: .ssh/authorized_keys - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes __sshd_manage_var_run: no diff --git a/vars/RedHat_6.yml b/vars/RedHat_6.yml index 182e4e4..2015555 100644 --- a/vars/RedHat_6.yml +++ b/vars/RedHat_6.yml 
@@ -1,8 +1,8 @@ --- -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_defaults: HostKey: - /etc/ssh/ssh_host_rsa_key @@ -19,7 +19,7 @@ __sshd_defaults: - LC_IDENTIFICATION LC_ALL LANGUAGE - XMODIFIERS X11Forwarding: yes - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes __sshd_sysconfig_supports_use_strong_rng: true __sshd_compat_match_all: Match address * diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index 4601f7b..63e00f8 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -1,8 +1,8 @@ --- -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_defaults: HostKey: - /etc/ssh/ssh_host_rsa_key @@ -24,7 +24,7 @@ __sshd_defaults: - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - LC_IDENTIFICATION LC_ALL LANGUAGE - XMODIFIERS - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes __sshd_sysconfig_supports_use_strong_rng: true __sshd_hostkey_group: ssh_keys diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index 9bb1646..55ebd9a 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -1,8 +1,8 @@ --- -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_defaults: HostKey: - /etc/ssh/ssh_host_rsa_key @@ -25,7 +25,7 @@ __sshd_defaults: - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - LC_IDENTIFICATION LC_ALL LANGUAGE - XMODIFIERS - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes __sshd_sysconfig_supports_use_strong_rng: true __sshd_sysconfig_supports_crypto_policy: true 
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml index fbb11e7..6f4ca73 100644 --- a/vars/RedHat_9.yml +++ b/vars/RedHat_9.yml @@ -1,10 +1,10 @@ --- __sshd_os_supported: yes -sshd_packages: +__sshd_packages: - openssh - openssh-server -sshd_sftp_server: /usr/libexec/openssh/sftp-server +__sshd_sftp_server: /usr/libexec/openssh/sftp-server # RHEL 9 ships with drop-in directory support so we touch # just included file with highest priority by default __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf diff --git a/vars/Suse.yml b/vars/Suse.yml index 9a86857..cec1e91 100644 --- a/vars/Suse.yml +++ b/vars/Suse.yml @@ -1,7 +1,7 @@ --- -sshd_packages: +__sshd_packages: - openssh -sshd_sftp_server: /usr/lib/ssh/sftp-server +__sshd_sftp_server: /usr/lib/ssh/sftp-server __sshd_defaults: HostKey: - /etc/ssh/ssh_host_rsa_key @@ -20,5 +20,5 @@ __sshd_defaults: - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - LC_IDENTIFICATION LC_ALL LANGUAGE - XMODIFIERS - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes diff --git a/vars/Ubuntu_12.yml b/vars/Ubuntu_12.yml index c5d61e8..2cad4af 100644 --- a/vars/Ubuntu_12.yml +++ b/vars/Ubuntu_12.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server __sshd_config_mode: "0644" __sshd_defaults: @@ -31,6 +31,6 @@ __sshd_defaults: PrintLastLog: yes TCPKeepAlive: yes AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes diff --git a/vars/Ubuntu_14.yml b/vars/Ubuntu_14.yml index fce5646..c9f31b0 100644 --- a/vars/Ubuntu_14.yml +++ b/vars/Ubuntu_14.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" 
@@ -33,6 +33,6 @@ __sshd_defaults: PrintLastLog: yes TCPKeepAlive: yes AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes __sshd_os_supported: yes diff --git a/vars/Ubuntu_16.yml b/vars/Ubuntu_16.yml index 02849e8..a0c0da3 100644 --- a/vars/Ubuntu_16.yml +++ b/vars/Ubuntu_16.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" @@ -34,7 +34,7 @@ __sshd_defaults: PrintLastLog: yes TCPKeepAlive: yes AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" UsePAM: yes UseDNS: no __sshd_os_supported: yes diff --git a/vars/Ubuntu_18.yml b/vars/Ubuntu_18.yml index 294e836..262a477 100644 --- a/vars/Ubuntu_18.yml +++ b/vars/Ubuntu_18.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" @@ -11,6 +11,6 @@ __sshd_defaults: X11Forwarding: yes PrintMotd: no AcceptEnv: LANG LC_* - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes __sshd_runtime_directory: /run/sshd diff --git a/vars/Ubuntu_20.yml b/vars/Ubuntu_20.yml index c401b6d..a73d393 100644 --- a/vars/Ubuntu_20.yml +++ b/vars/Ubuntu_20.yml @@ -1,6 +1,6 @@ --- -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server __sshd_config_mode: "0644" diff --git a/vars/Ubuntu_22.yml b/vars/Ubuntu_22.yml index c13f632..5658e14 100644 --- a/vars/Ubuntu_22.yml +++ b/vars/Ubuntu_22.yml @@ -1,8 +1,8 @@ --- __sshd_os_supported: yes -sshd_service: ssh -sshd_packages: +__sshd_service: ssh +__sshd_packages: - openssh-server - openssh-sftp-server # Ubuntu 22.04 finally ships with drop-in directory support so we touch 
diff --git a/vars/common.yml b/vars/common.yml index 4165e57..d949238 100644 --- a/vars/common.yml +++ b/vars/common.yml @@ -4,3 +4,7 @@ __sshd_skip_virt_env: - container - containerd - VirtualPC + +__sshd_binary: /usr/sbin/sshd +__sshd_service: sshd +__sshd_sftp_server: /usr/lib/openssh/sftp-server diff --git a/vars/openSUSE Leap_15.yml b/vars/openSUSE Leap_15.yml index 883627c..8577b45 100644 --- a/vars/openSUSE Leap_15.yml +++ b/vars/openSUSE Leap_15.yml @@ -1,7 +1,7 @@ --- -sshd_packages: +__sshd_packages: - openssh -sshd_sftp_server: /usr/lib/ssh/sftp-server +__sshd_sftp_server: /usr/lib/ssh/sftp-server __sshd_defaults: AuthorizedKeysFile: .ssh/authorized_keys UsePAM: yes @@ -10,5 +10,5 @@ __sshd_defaults: - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - LC_IDENTIFICATION LC_ALL - Subsystem: "sftp {{ sshd_sftp_server }}" + Subsystem: "sftp {{ __sshd_sftp_server }}" __sshd_os_supported: yes
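Review bot: The new fallbacks in vars/common.yml cover `__sshd_binary`, `__sshd_service` and `__sshd_sftp_server` but not `__sshd_packages`, while defaults/main.yml in this same patch now sets `sshd_packages: "{{ __sshd_packages }}"` in place of the old `[]`. In this patch the FreeBSD and OpenBSD vars files never define `__sshd_packages` (they relied on the empty default before), so on those platforms `sshd_packages` would become an undefined-variable error at the first package task, unless the variable is defined somewhere outside this diff or common.yml is not loaded for them. Add `__sshd_packages: []` next to the other three fallbacks here so the previous empty-list behaviour is preserved.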