Merge pull request #222 from richm/more-ansible-lint
ansible-lint - align with current Ansible recommendations
This commit is contained in:
commit
511527c889
63 changed files with 397 additions and 383 deletions
|
@ -1,4 +1,2 @@
|
|||
warn_list: # or 'skip_list' to silence them completely
|
||||
- '306' # Shells that use pipes should set the pipefail option
|
||||
exclude_paths:
|
||||
- tests/roles/
|
||||
|
|
4
.github/workflows/ansible-centos-check.yml
vendored
|
@ -22,7 +22,7 @@ jobs:
|
|||
tests/tasks/restore.yml
|
||||
tests/tests_duplicate_role.yml
|
||||
tests/tests_os_defaults.yml
|
||||
- run: "sed -i -e 's/ansible.builtin.//g' */*.yml */*/*.yml"
|
||||
- run: "sed -i -e 's/ansible.builtin.//g' -e 's/ansible.posix.//g' */*.yml */*/*.yml"
|
||||
|
||||
- name: ansible check with centos 6
|
||||
uses: roles-ansible/check-ansible-centos-centos6-action@master
|
||||
|
@ -37,6 +37,8 @@ jobs:
|
|||
- name: checkout PR
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- run: "sed -i -e 's/ansible.posix.//g' */*.yml */*/*.yml"
|
||||
|
||||
- name: ansible check with centos 7
|
||||
uses: roles-ansible/check-ansible-centos-centos7-action@master
|
||||
with:
|
||||
|
|
|
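Review bot: The two new `sed` substitutions use unescaped `.` in a basic regex, so `s/ansible.builtin.//g` and `s/ansible.posix.//g` match `ansible` followed by any character rather than the literal FQCN prefix; in these files the only strings that fit are the prefixes themselves, but the intent is clearer and safer as `-e 's/ansible\.builtin\.//g' -e 's/ansible\.posix\.//g'`. The rewrite is applied in place to every `*/*.yml` and `*/*/*.yml` before the legacy CentOS actions run, which deserves a one-line comment such as `# strip FQCNs: the centos6/7 images ship an Ansible that predates collections`. Separately, the third-party actions on the surrounding lines are pulled from `@master`, a mutable ref the commit leaves untouched; pinning to a commit SHA would make this workflow reproducible and harder to hijack.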
@ -1,18 +1,9 @@
|
|||
# SPDX-License-Identifier: MIT
|
||||
---
|
||||
extends: .yamllint_defaults.yml
|
||||
# possible customizations over the base yamllint config
|
||||
# skip the yaml files in the /tests/ directory
|
||||
# NOTE: If you want to customize `ignore` you'll have to
|
||||
# copy in all of the config from .yamllint.yml, then
|
||||
# add your own - so if you want to just add /tests/ to
|
||||
# be ignored, you'll have to add the ignores from the base
|
||||
ignore: |
|
||||
/.tox/
|
||||
/.github/
|
||||
# /tests/
|
||||
/tests/roles/
|
||||
# skip checking line length
|
||||
# NOTE: the above does not apply to `rules` - you do not
|
||||
# have to copy all of the rules from the base config
|
||||
rules:
|
||||
line-length: disable
|
||||
|
|
|
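Review bot: The new `ignore` block excludes `/.github/` from yamllint, so the workflow files edited by this same commit are no longer linted at all. If the reason is the `on:` key tripping the `truthy` rule, a targeted `# yamllint disable-line rule:truthy` in the workflows keeps the rest of them checked; otherwise a comment above the entry saying why the whole directory is skipped would help the next maintainer, e.g. `# /.github/: workflows are linted by their own CI, not yamllint`. The commented-out `# /tests/` line next to it is presumably left as a hint for consumers, per the NOTE above, but reads as dead config without saying so.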
@ -1,16 +0,0 @@
|
|||
# SPDX-License-Identifier: MIT
|
||||
---
|
||||
ignore: |
|
||||
/.tox/
|
||||
extends: default
|
||||
rules:
|
||||
braces:
|
||||
max-spaces-inside: 1
|
||||
level: error
|
||||
brackets:
|
||||
max-spaces-inside: 1
|
||||
level: error
|
||||
truthy:
|
||||
allowed-values: ["yes", "no", "true", "false"]
|
||||
level: error
|
||||
document-start: disable
|
16
README.md
|
@ -307,14 +307,14 @@ provides. Running it will likely break your SSH access to the server!
|
|||
ListenAddress:
|
||||
- "0.0.0.0"
|
||||
- "::"
|
||||
GSSAPIAuthentication: no
|
||||
GSSAPIAuthentication: false
|
||||
Match:
|
||||
- Condition: "Group user"
|
||||
GSSAPIAuthentication: yes
|
||||
sshd_UsePrivilegeSeparation: no
|
||||
GSSAPIAuthentication: true
|
||||
sshd_UsePrivilegeSeparation: false
|
||||
sshd_match:
|
||||
- Condition: "Group xusers"
|
||||
X11Forwarding: yes
|
||||
X11Forwarding: true
|
||||
roles:
|
||||
- role: willshersystems.sshd
|
||||
```
|
||||
|
@ -350,14 +350,14 @@ for example:
|
|||
ListenAddress:
|
||||
- "0.0.0.0"
|
||||
- "::"
|
||||
GSSAPIAuthentication: no
|
||||
GSSAPIAuthentication: false
|
||||
Match:
|
||||
- Condition: "Group user"
|
||||
GSSAPIAuthentication: yes
|
||||
sshd_UsePrivilegeSeparation: no
|
||||
GSSAPIAuthentication: true
|
||||
sshd_UsePrivilegeSeparation: false
|
||||
sshd_match:
|
||||
- Condition: "Group xusers"
|
||||
X11Forwarding: yes
|
||||
X11Forwarding: true
|
||||
```
|
||||
|
||||
You can just add a configuration snippet with the `sshd_config_namespace`
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Manage environment variables
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Configure sshd to accept some useful environment variables
|
||||
include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_config_namespace: accept-env
|
||||
sshd:
|
||||
# there are some handy environment variables to accept
|
||||
AcceptEnv:
|
||||
LANG
|
||||
LS_COLORS
|
||||
EDITOR
|
||||
- name: Configure sshd to accept some useful environment variables
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_config_namespace: accept-env
|
||||
sshd:
|
||||
# there are some handy environment variables to accept
|
||||
AcceptEnv:
|
||||
LANG
|
||||
LS_COLORS
|
||||
EDITOR
|
||||
|
|
|
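Review bot: `AcceptEnv:` at the end of the hunk is a plain scalar continued over three lines, which YAML folds into the single string `LANG LS_COLORS EDITOR`; it works, but it relies on a folding rule many readers do not know, and a stray blank line or mis-indent silently changes the value (a blank line would become a newline inside the directive). Writing it on one line, `AcceptEnv: LANG LS_COLORS EDITOR`, or as a list if the role accepts one for this option (the README shows list values for `ListenAddress`, so it may), removes the ambiguity. A short comment noting that these are the only environment variables the client may set server-side would also make the security intent of the example explicit.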
@ -1,15 +1,16 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Manage root login
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Configure sshd to prevent root and password login except from particular subnet
|
||||
include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
# root login and password login is enabled only from a particular subnet
|
||||
PermitRootLogin: no
|
||||
PasswordAuthentication: no
|
||||
Match:
|
||||
- Condition: "Address 192.0.2.0/24"
|
||||
PermitRootLogin: yes
|
||||
PasswordAuthentication: yes
|
||||
- name: Configure sshd to prevent root and password login except from particular subnet
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
# root login and password login is enabled only from a particular subnet
|
||||
PermitRootLogin: false
|
||||
PasswordAuthentication: false
|
||||
Match:
|
||||
- Condition: "Address 192.0.2.0/24"
|
||||
PermitRootLogin: true
|
||||
PasswordAuthentication: true
|
||||
|
|
|
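Review bot: `PermitRootLogin: true` inside the Match block renders as `PermitRootLogin yes` in sshd_config (the indentation test in this commit asserts exactly that rendering), which together with `PasswordAuthentication: true` re-enables password-based root login from 192.0.2.0/24 on top of the global `false` values. That is what the comment above says, but readers who copy the example may only want key-based root access from the trusted subnet; `PermitRootLogin: prohibit-password` is the safer choice in that case. An inline note such as `# 'true' renders as 'yes'; use prohibit-password to allow only key-based root login here` would make the trade-off explicit.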
@ -10,7 +10,7 @@
|
|||
block: |
|
||||
{{ __sshd_compat_match_all }}
|
||||
{{ lookup('template', 'sshd_config_snippet.j2') }}
|
||||
create: yes
|
||||
create: true
|
||||
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
|
||||
validate: >-
|
||||
{% if not __sshd_supports_validate %}
|
||||
|
|
|
@ -44,3 +44,4 @@
|
|||
- ansible_connection == 'chroot'
|
||||
- ansible_os_family == 'RedHat'
|
||||
- ansible_distribution_major_version|int >= 7
|
||||
changed_when: true
|
||||
|
|
|
@ -30,14 +30,16 @@
|
|||
- ansible_facts['os_family'] == "RedHat"
|
||||
|
||||
- name: Reinstall manual pages for openssh-server on RHEL
|
||||
ansible.builtin.command: "{{ pkg_mgr|quote }} reinstall -y openssh-server"
|
||||
ansible.builtin.command: "{{ pkg_mgr | quote }} reinstall -y openssh-server"
|
||||
when:
|
||||
- ansible_facts['os_family'] == "RedHat"
|
||||
changed_when: true
|
||||
|
||||
- name: Unminimize image on Debian. It looks like there is no simpler way to get manual pages
|
||||
ansible.builtin.shell: yes | unminimize
|
||||
ansible.builtin.shell: set -eu; set -o | grep -q pipefail && set -o pipefail; yes | unminimize
|
||||
when:
|
||||
- ansible_facts['distribution'] == "Ubuntu"
|
||||
changed_when: true
|
||||
|
||||
- name: Make sure manual pages and bash are installed on Alpine
|
||||
ansible.builtin.package:
|
||||
|
@ -61,7 +63,8 @@
|
|||
|
||||
- name: Get list of options from manual page
|
||||
ansible.builtin.shell: >-
|
||||
man sshd_config | cat
|
||||
set -eu; set -o | grep -q pipefail && set -o pipefail; man sshd_config | cat
|
||||
changed_when: false
|
||||
|
||||
- name: Get list of options from manual page
|
||||
ansible.builtin.shell: >-
|
||||
|
|
|
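Review bot: The new `set -o pipefail` prefix changes the exit status of `yes | unminimize`: once `unminimize` stops reading stdin and exits, `yes` is killed by SIGPIPE (status 141), and with pipefail that status becomes the pipeline's result, so the task can now fail on a shell that supports the option even though unminimize succeeded. The `set -o | grep -q pipefail &&` guard only avoids this on shells without pipefail (older dash), so behaviour now depends on which `/bin/sh` the image ships. If unminimize prompts once, `printf 'y\n' | unminimize` answers it without a writer that outlives the reader; otherwise keep the original pipeline and silence the lint with `# noqa risky-shell-pipe` rather than make the task flaky. The `man sshd_config | cat` line below is unaffected, since `cat` reads until `man` closes the pipe.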
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test alternative config file
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -20,7 +21,7 @@
|
|||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
create_home: no
|
||||
create_home: false
|
||||
shell: /sbin/nologin
|
||||
|
||||
- name: Configure alternative sshd_config file
|
||||
|
@ -36,7 +37,7 @@
|
|||
AcceptEnv: LANG
|
||||
Banner: /etc/issue
|
||||
Ciphers: aes256-ctr
|
||||
sshd_Compression: no # noqa var-naming
|
||||
sshd_Compression: false # noqa var-naming
|
||||
|
||||
- name: Configure second alternative sshd_config file
|
||||
ansible.builtin.include_role:
|
||||
|
@ -60,9 +61,10 @@
|
|||
Ciphers: aes192-ctr
|
||||
HostKey:
|
||||
- /tmp/ssh_host_ecdsa_key
|
||||
sshd_PasswordAuthentication: no # noqa var-naming
|
||||
sshd_PasswordAuthentication: false # noqa var-naming
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -179,7 +181,6 @@
|
|||
- config_stat.stat.gr_name == 'nobody'
|
||||
- config_stat.stat.pw_name == 'nobody'
|
||||
- config_stat.stat.mode == '0660'
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test alternative role file - setup tasks
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -20,11 +21,12 @@
|
|||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
create_home: no
|
||||
create_home: false
|
||||
shell: /sbin/nologin
|
||||
|
||||
# Configure alternative sshd_config file
|
||||
- hosts: all
|
||||
- name: Test first alternative role file
|
||||
hosts: all
|
||||
roles:
|
||||
- ansible-sshd
|
||||
vars:
|
||||
|
@ -37,10 +39,11 @@
|
|||
AcceptEnv: LANG
|
||||
Banner: /etc/issue
|
||||
Ciphers: aes256-ctr
|
||||
sshd_Compression: no # noqa var-naming
|
||||
sshd_Compression: false # noqa var-naming
|
||||
|
||||
# Configure second alternative sshd_config file
|
||||
- hosts: all
|
||||
- name: Test first alternative role file
|
||||
hosts: all
|
||||
roles:
|
||||
- ansible-sshd
|
||||
vars:
|
||||
|
@ -53,7 +56,8 @@
|
|||
sshd_MaxStartups: 100 # noqa var-naming
|
||||
|
||||
# Now configure the main sshd_config file
|
||||
- hosts: all
|
||||
- name: Test main config file
|
||||
hosts: all
|
||||
roles:
|
||||
- ansible-sshd
|
||||
vars:
|
||||
|
@ -63,9 +67,10 @@
|
|||
Ciphers: aes192-ctr
|
||||
HostKey:
|
||||
- /tmp/ssh_host_ecdsa_key
|
||||
sshd_PasswordAuthentication: no # noqa var-naming
|
||||
sshd_PasswordAuthentication: false # noqa var-naming
|
||||
|
||||
- hosts: all
|
||||
- name: Verify config files are correct
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -74,9 +79,10 @@
|
|||
- /etc/ssh/sshd_config_custom_second
|
||||
tasks:
|
||||
- name: Setup variables
|
||||
include_tasks: tasks/setup.yml
|
||||
ansible.builtin.include_tasks: tasks/setup.yml
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -194,7 +200,6 @@
|
|||
- config_stat.stat.gr_name == 'nobody'
|
||||
- config_stat.stat.pw_name == 'nobody'
|
||||
- config_stat.stat.mode == '0660'
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
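Review bot: The play directly under the `# Configure second alternative sshd_config file` comment is named `Test first alternative role file`, the same as the play above it, so two different plays in this file report under one label and `--list-tasks` or log output cannot tell them apart. It should read `- name: Test second alternative role file`. The names are new in this commit, so this is a copy-paste slip in the added lines rather than pre-existing.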
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test backups
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test config namespaces
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -16,11 +17,11 @@
|
|||
sshd_config_file: /etc/ssh/sshd_config
|
||||
sshd_config_namespace: nm1
|
||||
sshd:
|
||||
PasswordAuthentication: yes
|
||||
PermitRootLogin: yes
|
||||
PasswordAuthentication: true
|
||||
PermitRootLogin: true
|
||||
Match:
|
||||
Condition: user root
|
||||
AllowAgentForwarding: no
|
||||
AllowAgentForwarding: false
|
||||
|
||||
- name: Add second configuration block to default configuration file
|
||||
ansible.builtin.include_role:
|
||||
|
@ -29,13 +30,14 @@
|
|||
sshd_config_file: /etc/ssh/sshd_config
|
||||
sshd_config_namespace: nm2
|
||||
sshd:
|
||||
PasswordAuthentication: no
|
||||
PermitRootLogin: no
|
||||
PasswordAuthentication: false
|
||||
PermitRootLogin: false
|
||||
Match:
|
||||
Condition: Address 127.0.0.1
|
||||
Banner: /etc/issue
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -111,7 +113,6 @@
|
|||
- "'allowAgentforwarding no' not in nonmatching.stdout"
|
||||
- "'banner /etc/issue' not in nonmatching.stdout"
|
||||
- "'passwordauthentication yes' in nonmatching.stdout"
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
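Review bot: The assertion `'allowAgentforwarding no' not in nonmatching.stdout` has a capital `A` in the keyword; if `nonmatching` holds the output of `sshd -T` (which prints keywords in lower case), the string can never appear and the `not in` check passes vacuously, so the `AllowAgentForwarding: false` set in the nm1 Match block above is never actually verified against the non-matching user. `'allowagentforwarding no' not in nonmatching.stdout` would make the check meaningful. The line is context rather than part of this change, but the block-level `tags: tests::verify` added here now governs it.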
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test default - setup
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -8,11 +9,13 @@
|
|||
- name: "Backup configuration files"
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- hosts: all
|
||||
- name: Test defaults
|
||||
hosts: all
|
||||
roles:
|
||||
- ansible-sshd
|
||||
|
||||
- hosts: all
|
||||
- name: Test default - restore
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test default with include tasks
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test duplicates - setup config1
|
||||
hosts: all
|
||||
vars:
|
||||
sshd_config_file: /etc/ssh/dup_config1
|
||||
__sshd_test_backup_files:
|
||||
|
@ -14,13 +15,15 @@
|
|||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
|
||||
- hosts: all
|
||||
- name: Test duplicates - default config
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Configure default config
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
|
||||
- hosts: all
|
||||
- name: Test duplicates - setup config2
|
||||
hosts: all
|
||||
vars:
|
||||
sshd_config_file: /etc/ssh/dup_config2
|
||||
tasks:
|
||||
|
@ -30,10 +33,11 @@
|
|||
public: true
|
||||
|
||||
- name: Convert exported variable to fact so that it is available in next plays
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
__sshd_config_file: "{{ __sshd_config_file }}"
|
||||
|
||||
- hosts: all
|
||||
- name: Test duplicate - verify results
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Get config1 stat
|
||||
ansible.builtin.stat:
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test managing firewall and selinux from role
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -21,6 +22,7 @@
|
|||
Port: 22
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -34,7 +36,6 @@
|
|||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Port 22' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
##########
|
||||
# Second test: non-default port
|
||||
|
@ -50,6 +51,7 @@
|
|||
Port: 222
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -63,7 +65,6 @@
|
|||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Port 222' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
##########
|
||||
# Third test: multiple ports
|
||||
|
@ -80,6 +81,7 @@
|
|||
- 222
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -93,7 +95,6 @@
|
|||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Port 222' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
##########
|
||||
# Cleanup
|
||||
|
@ -110,7 +111,7 @@
|
|||
state: disabled
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
|
||||
- ansible_virtualization_type | default(None) not in __sshd_skip_virt_env
|
||||
|
||||
- name: Remove the modification to the selinux policy
|
||||
ansible.builtin.include_role:
|
||||
|
@ -124,4 +125,4 @@
|
|||
local: true
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
|
||||
- ansible_virtualization_type | default(None) not in __sshd_skip_virt_env
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test hostkeys
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -23,7 +24,7 @@
|
|||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
create_home: no
|
||||
create_home: false
|
||||
shell: /sbin/nologin
|
||||
|
||||
- name: Configure sshd with alternative host keys
|
||||
|
@ -39,6 +40,7 @@
|
|||
- /tmp/ssh_host_rsa_key2
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -71,7 +73,6 @@
|
|||
- privkey.stat.pw_name == 'nobody'
|
||||
- privkey.stat.mode == '0664'
|
||||
- pubkey.stat.exists
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test hostkeys with FIPS
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -16,6 +17,10 @@
|
|||
name: ansible-sshd
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version'] | int > 6
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -41,17 +46,13 @@
|
|||
- "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version']|int < 9
|
||||
- ansible_facts['distribution_major_version'] | int < 9
|
||||
|
||||
- name: Check host key was generated
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- privkey.stat.exists
|
||||
- pubkey.stat.exists
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version']|int > 6
|
||||
tags: tests::verify
|
||||
|
||||
- name: Fake FIPS mode
|
||||
block:
|
||||
|
@ -69,11 +70,11 @@
|
|||
- name: Create a fips_enabled file
|
||||
ansible.builtin.copy:
|
||||
dest: "{{ fips_directory.path }}/fips_enabled"
|
||||
content: 1
|
||||
content: "1"
|
||||
mode: "0644"
|
||||
|
||||
- name: Bind mount the file where we need it
|
||||
ansible.builtin.mount:
|
||||
ansible.posix.mount:
|
||||
path: /proc/sys/crypto/fips_enabled
|
||||
src: "{{ fips_directory.path }}/fips_enabled"
|
||||
opts: bind
|
||||
|
@ -98,6 +99,10 @@
|
|||
name: ansible-sshd
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version'] | int > 6
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -127,15 +132,11 @@
|
|||
that:
|
||||
- not privkey.stat.exists
|
||||
- not pubkey.stat.exists
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version']|int > 6
|
||||
tags: tests::verify
|
||||
|
||||
- name: Remove the FIPS mode indicators
|
||||
block:
|
||||
- name: Unmount the file
|
||||
mount:
|
||||
ansible.posix.mount:
|
||||
path: /proc/sys/crypto/fips_enabled
|
||||
state: unmounted
|
||||
failed_when: false
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test missing hostkeys
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -10,6 +11,10 @@
|
|||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd with missing host keys and prevent their creation
|
||||
when:
|
||||
- ansible_facts['os_family'] != 'Debian'
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Configure missing hostkey
|
||||
ansible.builtin.include_role:
|
||||
|
@ -21,7 +26,7 @@
|
|||
- /tmp/missing_ssh_host_rsa_key
|
||||
register: role_result
|
||||
|
||||
- name: unreachable task
|
||||
- name: Unreachable task
|
||||
ansible.builtin.fail:
|
||||
msg: UNREACH
|
||||
|
||||
|
@ -32,10 +37,6 @@
|
|||
- ansible_failed_result.msg != 'UNREACH'
|
||||
- not role_result.changed
|
||||
msg: "Role has not failed when it should have"
|
||||
when:
|
||||
- ansible_facts['os_family'] != 'Debian'
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
tags: tests::verify
|
||||
|
||||
- name: Make sure the key was not created
|
||||
ansible.builtin.file:
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test hostkeys via role - setup
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -23,11 +24,12 @@
|
|||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
create_home: no
|
||||
create_home: false
|
||||
shell: /sbin/nologin
|
||||
|
||||
# invoke role through "roles"
|
||||
- hosts: all
|
||||
- name: Test hostkeys via role
|
||||
hosts: all
|
||||
roles:
|
||||
- ansible-sshd
|
||||
vars:
|
||||
|
@ -39,7 +41,8 @@
|
|||
HostKey:
|
||||
- /tmp/ssh_host_rsa_key2
|
||||
|
||||
- hosts: all
|
||||
- name: Test hostkeys via role - verify
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -50,6 +53,7 @@
|
|||
ansible.builtin.include_tasks: tasks/setup.yml
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush metadata
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -82,7 +86,6 @@
|
|||
- privkey.stat.pw_name == 'nobody'
|
||||
- privkey.stat.mode == '0664'
|
||||
- pubkey.stat.exists
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test include present
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -15,8 +16,8 @@
|
|||
regexp: "^Include"
|
||||
state: absent
|
||||
when:
|
||||
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
|
||||
|
||||
- name: Create a new configuration in drop-in directory
|
||||
ansible.builtin.include_role:
|
||||
|
@ -27,10 +28,14 @@
|
|||
Banner: /etc/include-issue
|
||||
Ciphers: aes192-ctr
|
||||
when:
|
||||
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
when:
|
||||
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -47,6 +52,7 @@
|
|||
|
||||
- name: Check content of drop-in configuration file
|
||||
ansible.builtin.assert:
|
||||
# noqa no-tabs
|
||||
that:
|
||||
- "'Banner /etc/include-issue' in config.content | b64decode"
|
||||
- "'Ciphers aes192-ctr' in config.content | b64decode"
|
||||
|
@ -73,16 +79,11 @@
|
|||
- "config_main.content | b64decode | regex_search('Subsystem\\ssftp\\s/usr/lib/openssh/sftp-server')"
|
||||
when: ansible_facts['os_family'] == 'Ubuntu'
|
||||
|
||||
when:
|
||||
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
||||
- hosts: all
|
||||
- name: Test include present - verify
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/custom_sshd_config
|
||||
|
@ -93,7 +94,7 @@
|
|||
ansible.builtin.meta: end_play
|
||||
when:
|
||||
ansible_facts['distribution'] != 'Ubuntu'
|
||||
or ansible_facts['distribution_major_version']|int != 20
|
||||
or ansible_facts['distribution_major_version'] | int != 20
|
||||
|
||||
- name: "Backup configuration files"
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
@ -101,9 +102,10 @@
|
|||
- name: Create sample main configuration file
|
||||
# Normally, this should not be needed. For test, however, we need a file
|
||||
# different to the one in the first play.
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /etc/ssh/custom_sshd_config
|
||||
state: touch
|
||||
mode: '0777'
|
||||
|
||||
- name: Create a new configuration in a custom drop-in directory
|
||||
ansible.builtin.include_role:
|
||||
|
@ -117,6 +119,7 @@
|
|||
Ciphers: aes192-ctr
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -133,6 +136,7 @@
|
|||
|
||||
- name: Check content of custom drop-in configuration file
|
||||
ansible.builtin.assert:
|
||||
# noqa no-tabs
|
||||
that:
|
||||
- "'Banner /etc/include-issue' in custom_drop_in.content | b64decode"
|
||||
- "'Ciphers aes192-ctr' in custom_drop_in.content | b64decode"
|
||||
|
@ -153,13 +157,11 @@
|
|||
register: drop_in_dir_stat
|
||||
|
||||
- name: Check drop in directory mode has been set correctly
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- drop_in_dir_stat.stat.isdir | bool
|
||||
- drop_in_dir_stat.stat.mode == '0770'
|
||||
msg: "effective mode: {{ drop_in_dir_stat.stat.mode }}, desired mode: 0770"
|
||||
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
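Review bot: The `ansible.builtin.file` task that touches `/etc/ssh/custom_sshd_config` sets `mode: '0777'`, leaving the main configuration sshd is pointed at world-writable; any local user on the test host could inject directives before the role or sshd reads it, and the asserts later in this play check the drop-in directory's `0770` mode but never the main file's. Unless the test relies on the role tightening the mode (nothing visible asserts that), `mode: '0600'` with `owner: root` is the right fixture. The task is only renamed to the FQCN here, so the mode predates the commit, but it sits on the new side of the hunk.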
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test indentation
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -13,13 +14,14 @@
|
|||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
PasswordAuthentication: yes
|
||||
PermitRootLogin: yes
|
||||
PasswordAuthentication: true
|
||||
PermitRootLogin: true
|
||||
Match:
|
||||
Condition: user root
|
||||
AllowAgentForwarding: no
|
||||
AllowAgentForwarding: false
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -36,7 +38,5 @@
|
|||
- "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
|
||||
- "config.content | b64decode | regex_search('^Match user root\\n\\s+AllowAgentForwarding no$', multiline=True)"
|
||||
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test match blocks
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -18,11 +19,11 @@
|
|||
sshd:
|
||||
Match:
|
||||
Condition: "User xusers"
|
||||
X11Forwarding: yes
|
||||
X11Forwarding: true
|
||||
Banner: /tmp/xusers-banner
|
||||
sshd_match:
|
||||
- Condition: "User bot"
|
||||
AllowTcpForwarding: no
|
||||
AllowTcpForwarding: false
|
||||
Banner: /tmp/bot-banner
|
||||
sshd_match_1:
|
||||
- Condition: "User sftponly"
|
||||
|
@ -30,10 +31,11 @@
|
|||
ChrootDirectory: "/var/uploads/"
|
||||
sshd_match_2:
|
||||
- Condition: "User root"
|
||||
PasswordAuthentication: no
|
||||
AllowTcpForwarding: yes
|
||||
PasswordAuthentication: false
|
||||
AllowTcpForwarding: true
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -83,7 +85,6 @@
|
|||
- "'Match User bot' in config.content | b64decode"
|
||||
- "'Match User sftponly' in config.content | b64decode"
|
||||
- "'Match User root' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test match iterate
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -18,20 +19,21 @@
|
|||
sshd:
|
||||
Match:
|
||||
- Condition: "User xusers"
|
||||
X11Forwarding: yes
|
||||
X11Forwarding: true
|
||||
Banner: /tmp/xusers-banner
|
||||
- Condition: "User bot"
|
||||
AllowTcpForwarding: no
|
||||
AllowTcpForwarding: false
|
||||
Banner: /tmp/bot-banner
|
||||
sshd_match:
|
||||
- Condition: "User sftponly"
|
||||
ForceCommand: "internal-sftp"
|
||||
ChrootDirectory: "/var/uploads/"
|
||||
- Condition: "User root"
|
||||
PasswordAuthentication: no
|
||||
AllowTcpForwarding: yes
|
||||
PasswordAuthentication: false
|
||||
AllowTcpForwarding: true
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -81,7 +83,6 @@
|
|||
- "'Match User bot' in config.content | b64decode"
|
||||
- "'Match User sftponly' in config.content | b64decode"
|
||||
- "'Match User root' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test OS default settings
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -49,7 +50,7 @@
|
|||
when: __sshd_defaults.Include is defined
|
||||
|
||||
- name: Check drop in directory mode has not changed
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- drop_in_dir_stat.stat.mode == __sshd_drop_in_dir_mode
|
||||
when: __sshd_defaults.Include is defined
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test precedence
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -27,6 +28,7 @@
|
|||
sshd_HostKey: /tmp/ssh_host_rsa_key
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush metadata
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -55,7 +57,6 @@
|
|||
- "'Banner /etc/good-issue' in config.content | b64decode"
|
||||
- "'Ciphers aes128-ctr' in config.content | b64decode"
|
||||
- "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
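Review bot: The task named `- name: Flush metadata` runs `ansible.builtin.meta: flush_handlers`, so its name describes the wrong thing; the other test playbooks in this commit call the same step `Flush handlers`. Rename it to `- name: Flush handlers` so the play output matches the others and reads correctly. The enclosing play starts and ends outside the hunk.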
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test some common options
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -20,6 +21,7 @@
|
|||
sshd_config_file: /etc/ssh/sshd_config
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -50,7 +52,6 @@
|
|||
- "'Banner /etc/issue' in config.content | b64decode"
|
||||
- "'Ciphers aes256-ctr' in config.content | b64decode"
|
||||
- "'Subsystem sftp internal-sftp' in config.content | b64decode"
|
||||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test uncommon options
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -9,6 +10,8 @@
|
|||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd with uncommon options, making sure it keeps running
|
||||
when:
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
block:
|
||||
- name: Configure ssh with unsupported options
|
||||
ansible.builtin.include_role:
|
||||
|
@ -17,20 +20,20 @@
|
|||
sshd:
|
||||
# Unsupported in new versions, but ignored ?
|
||||
Protocol: 1
|
||||
UsePrivilegeSeparation: no
|
||||
UseLogin: yes
|
||||
UsePrivilegeSeparation: false
|
||||
UseLogin: true
|
||||
# Debian only
|
||||
DebianBanner: /etc/motd
|
||||
# Used in FreeBSD ?
|
||||
VersionAddendum: FreeBSD-20180909
|
||||
# HPN only
|
||||
HPNDisabled: yes
|
||||
HPNDisabled: true
|
||||
HPNBufferSize: 2MB
|
||||
TcpRcvBufPoll: yes
|
||||
NoneEnabled: yes
|
||||
TcpRcvBufPoll: true
|
||||
NoneEnabled: true
|
||||
# some builds might be without kerberos/GSSAPI
|
||||
KerberosAuthentication: yes
|
||||
GSSAPIStoreCredentialsOnRekey: yes
|
||||
KerberosAuthentication: true
|
||||
GSSAPIStoreCredentialsOnRekey: true
|
||||
# SSHv1 options
|
||||
KeyRegenerationInterval: 1h
|
||||
ServerKeyBits: 1024
|
||||
|
@ -38,7 +41,7 @@
|
|||
RDomain: 2
|
||||
register: role_result
|
||||
|
||||
- name: unreachable task
|
||||
- name: Unreachable task
|
||||
ansible.builtin.fail:
|
||||
msg: UNREACH
|
||||
rescue:
|
||||
|
@ -48,8 +51,6 @@
|
|||
- ansible_failed_result.msg != 'UNREACH'
|
||||
- not role_result.changed
|
||||
msg: "Role has not failed when it should have"
|
||||
when:
|
||||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: Make sure service is still running
|
||||
ansible.builtin.service:
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test sshd enable
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
- name: Test sysconfig
|
||||
hosts: all
|
||||
vars:
|
||||
__sshd_test_backup_files:
|
||||
- /etc/ssh/sshd_config
|
||||
|
@ -18,6 +19,11 @@
|
|||
sshd_sysconfig_use_strong_rng: 32
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
tags: tests::verify
|
||||
when:
|
||||
- ansible_facts['os_family'] == "RedHat"
|
||||
- ansible_facts['distribution'] != 'Fedora'
|
||||
- ansible_facts['distribution_major_version']|int < 9
|
||||
block:
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
@ -74,11 +80,6 @@
|
|||
- "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode"
|
||||
- "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode"
|
||||
- "'RNG=|32|' in evaluation.stdout"
|
||||
tags: tests::verify
|
||||
when:
|
||||
- ansible_facts['os_family'] == "RedHat"
|
||||
- ansible_facts['distribution'] != 'Fedora'
|
||||
- ansible_facts['distribution_major_version']|int < 9
|
||||
|
||||
- name: "Restore configuration files"
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
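Review bot: The block-level `when` introduced in the hunk at `@ -18,6 +19,11` writes the filter without spaces, `ansible_facts['distribution_major_version']|int < 9`, which ansible-lint's Jinja spacing rule reports — at odds with a commit whose purpose is to satisfy ansible-lint. Write it as `- ansible_facts['distribution_major_version'] | int < 9`; the same expression appears again in the later hunk, presumably on the removed task-level `when`, so only the block-level copy needs the fix. The enclosing play continues outside the hunk.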
|
|
|
@ -7,8 +7,8 @@ __sshd_sftp_server: /usr/sbin/sftp-server
|
|||
__sshd_config_group: system
|
||||
__sshd_defaults:
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
||||
sshd_install_service: no
|
||||
sshd_manage_service: no
|
||||
sshd_allow_reload: yes
|
||||
sshd_install_service: false
|
||||
sshd_manage_service: false
|
||||
sshd_allow_reload: true
|
||||
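Review bot: Nothing in this vars file, or in the vars sections that follow it, records that the values under `__sshd_defaults` are YAML booleans that must end up as the literal `yes`/`no` tokens sshd accepts, and after this commit the same keyword carries mixed types across files: `PermitRootLogin: true` in the later sections headed `@ -10,28 +10,28`, `@ -10,23 +10,23` and `@ -10,27 +10,27`, `PermitRootLogin: false` in the section headed `@ -18,15 +18,15`, and `prohibit-password`/`without-password` elsewhere. The rewrite itself is behaviour-neutral only because Ansible's YAML loader keeps YAML 1.1 semantics, where `yes` already loads as the boolean True; the step that turns that boolean back into `yes`/`no` is the role's sshd_config template, which is not part of this diff, so it is worth confirming it never emits `True`/`False`. A comment above each `__sshd_defaults:` such as `# booleans render as sshd yes/no; any other keyword value is a plain string` would record the contract. Where a file sets `PermitRootLogin: true` it presumably mirrors the distribution's shipped default — one file in this diff says so of its own values — rather than a recommended setting, and the comment should make that distinction so the defaults are not read as hardening guidance.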
|
|
|
@ -3,8 +3,8 @@ __sshd_packages:
|
|||
- openssh
|
||||
__sshd_defaults:
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
AllowTcpForwarding: no
|
||||
GatewayPorts: no
|
||||
X11Forwarding: no
|
||||
AllowTcpForwarding: false
|
||||
GatewayPorts: false
|
||||
X11Forwarding: false
|
||||
Subsystem: 'sftp internal-sftp'
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -8,11 +8,11 @@ __sshd_defaults:
|
|||
SyslogFacility: AUTHPRIV
|
||||
PermitRootLogin: forced-commands-only
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: no
|
||||
ChallengeResponseAuthentication: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PrintLastLog: yes
|
||||
PasswordAuthentication: false
|
||||
ChallengeResponseAuthentication: false
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
PrintLastLog: true
|
||||
UsePrivilegeSeparation: sandbox
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
|
@ -20,4 +20,4 @@ __sshd_defaults:
|
|||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -4,8 +4,8 @@ __sshd_packages:
|
|||
__sshd_sftp_server: /usr/lib/ssh/sftp-server
|
||||
__sshd_defaults:
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
ChallengeResponseAuthentication: no
|
||||
PrintMotd: no
|
||||
ChallengeResponseAuthentication: false
|
||||
PrintMotd: false
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -4,8 +4,8 @@ __sshd_packages:
|
|||
__sshd_sftp_server: /usr/lib/ssh/sftp-server
|
||||
__sshd_defaults:
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
ChallengeResponseAuthentication: no
|
||||
PrintMotd: no
|
||||
ChallengeResponseAuthentication: false
|
||||
PrintMotd: false
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -6,8 +6,8 @@ __sshd_sftp_server: internal-sftp
|
|||
__sshd_defaults:
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
ClientAliveInterval: 180
|
||||
UseDNS: no
|
||||
UsePAM: yes
|
||||
PrintLastLog: no
|
||||
PrintMotd: no
|
||||
__sshd_os_supported: yes
|
||||
UseDNS: false
|
||||
UsePAM: true
|
||||
PrintLastLog: false
|
||||
PrintMotd: false
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -10,28 +10,28 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
UsePrivilegeSeparation: yes
|
||||
UsePrivilegeSeparation: true
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 768
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: yes
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
PermitRootLogin: true
|
||||
StrictModes: true
|
||||
RSAAuthentication: true
|
||||
PubkeyAuthentication: true
|
||||
IgnoreRhosts: true
|
||||
RhostsRSAAuthentication: false
|
||||
HostbasedAuthentication: false
|
||||
PermitEmptyPasswords: false
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
PrintMotd: false
|
||||
PrintLastLog: true
|
||||
TCPKeepAlive: true
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -5,11 +5,11 @@ __sshd_packages:
|
|||
- openssh-sftp-server
|
||||
__sshd_config_mode: "0644"
|
||||
__sshd_defaults:
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
PrintMotd: false
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -5,11 +5,11 @@ __sshd_packages:
|
|||
- openssh-sftp-server
|
||||
__sshd_config_mode: "0644"
|
||||
__sshd_defaults:
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
PrintMotd: false
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -12,28 +12,28 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation: yes
|
||||
UsePrivilegeSeparation: true
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 1024
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: without-password
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
StrictModes: true
|
||||
RSAAuthentication: true
|
||||
PubkeyAuthentication: true
|
||||
IgnoreRhosts: true
|
||||
RhostsRSAAuthentication: false
|
||||
HostbasedAuthentication: false
|
||||
PermitEmptyPasswords: false
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
PrintMotd: false
|
||||
PrintLastLog: true
|
||||
TCPKeepAlive: true
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -5,11 +5,11 @@ __sshd_packages:
|
|||
- openssh-sftp-server
|
||||
__sshd_config_mode: "0644"
|
||||
__sshd_defaults:
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
PrintMotd: false
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
||||
__sshd_packages:
|
||||
- openssh
|
||||
|
|
|
@ -10,19 +10,19 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
SyslogFacility: AUTHPRIV
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PasswordAuthentication: true
|
||||
ChallengeResponseAuthentication: false
|
||||
GSSAPIAuthentication: true
|
||||
GSSAPICleanupCredentials: false
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
__sshd_sysconfig_supports_crypto_policy: true
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
||||
__sshd_packages:
|
||||
- openssh
|
||||
|
|
|
@ -4,4 +4,4 @@ __sshd_config_mode: "0644"
|
|||
__sshd_sftp_server: /usr/libexec/sftp-server
|
||||
__sshd_defaults:
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -5,7 +5,7 @@ __sshd_sftp_server: /usr/lib64/misc/sftp-server
|
|||
__sshd_defaults:
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
# Replace tcp keepalive with unspoofable keepalive
|
||||
TCPKeepAlive: no
|
||||
TCPKeepAlive: false
|
||||
ClientAliveInterval: 300
|
||||
ClientAliveCountMax: 2
|
||||
# Secure cipher and algorithm settings
|
||||
|
@ -18,15 +18,15 @@ __sshd_defaults:
|
|||
MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
# Security settings
|
||||
PasswordAuthentication: no
|
||||
ChallengeResponseAuthentication: no
|
||||
PermitRootLogin: no
|
||||
PasswordAuthentication: false
|
||||
ChallengeResponseAuthentication: false
|
||||
PermitRootLogin: false
|
||||
# Login settings
|
||||
UsePAM: yes
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
UsePAM: true
|
||||
PrintMotd: false
|
||||
PrintLastLog: true
|
||||
# Disable most forwarding types for more security
|
||||
AllowAgentForwarding: no
|
||||
AllowTcpForwarding: no
|
||||
AllowStreamLocalForwarding: no
|
||||
__sshd_os_supported: yes
|
||||
AllowAgentForwarding: false
|
||||
AllowTcpForwarding: false
|
||||
AllowStreamLocalForwarding: false
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -5,5 +5,5 @@ __sshd_sftp_server: /usr/libexec/sftp-server
|
|||
__sshd_defaults:
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_manage_var_run: no
|
||||
__sshd_os_supported: true
|
||||
__sshd_manage_var_run: false
|
||||
|
|
|
@ -11,4 +11,4 @@ __sshd_defaults:
|
|||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -8,18 +8,18 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_rsa_key
|
||||
Protocol: 2
|
||||
SyslogFacility: AUTHPRIV
|
||||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: yes
|
||||
UsePAM: yes
|
||||
PasswordAuthentication: true
|
||||
ChallengeResponseAuthentication: false
|
||||
GSSAPIAuthentication: true
|
||||
GSSAPICleanupCredentials: true
|
||||
UsePAM: true
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
X11Forwarding: yes
|
||||
X11Forwarding: true
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
__sshd_sysconfig_supports_use_strong_rng: true
|
||||
__sshd_compat_match_all: Match address *
|
||||
|
|
|
@ -10,14 +10,14 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
SyslogFacility: AUTHPRIV
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
PasswordAuthentication: true
|
||||
ChallengeResponseAuthentication: false
|
||||
GSSAPIAuthentication: true
|
||||
GSSAPICleanupCredentials: false
|
||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
UsePrivilegeSeparation: sandbox
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
|
@ -25,7 +25,7 @@ __sshd_defaults:
|
|||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
__sshd_sysconfig_supports_use_strong_rng: true
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
|
|
@ -10,23 +10,23 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
SyslogFacility: AUTHPRIV
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: yes
|
||||
PermitRootLogin: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
PasswordAuthentication: true
|
||||
PermitRootLogin: true
|
||||
ChallengeResponseAuthentication: false
|
||||
GSSAPIAuthentication: true
|
||||
GSSAPICleanupCredentials: false
|
||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
PrintMotd: false
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
__sshd_sysconfig_supports_use_strong_rng: true
|
||||
__sshd_sysconfig_supports_crypto_policy: true
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
||||
__sshd_packages:
|
||||
- openssh
|
||||
|
|
|
@ -9,16 +9,16 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
SyslogFacility: AUTH
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PasswordAuthentication: true
|
||||
ChallengeResponseAuthentication: false
|
||||
GSSAPIAuthentication: true
|
||||
GSSAPICleanupCredentials: false
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -10,27 +10,27 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
UsePrivilegeSeparation: yes
|
||||
UsePrivilegeSeparation: true
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 768
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: yes
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
PermitRootLogin: true
|
||||
StrictModes: true
|
||||
RSAAuthentication: true
|
||||
PubkeyAuthentication: true
|
||||
IgnoreRhosts: true
|
||||
RhostsRSAAuthentication: false
|
||||
HostbasedAuthentication: false
|
||||
PermitEmptyPasswords: false
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
PrintMotd: false
|
||||
PrintLastLog: true
|
||||
TCPKeepAlive: true
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -12,27 +12,27 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation: yes
|
||||
UsePrivilegeSeparation: true
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 1024
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: without-password
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
StrictModes: true
|
||||
RSAAuthentication: true
|
||||
PubkeyAuthentication: true
|
||||
IgnoreRhosts: true
|
||||
RhostsRSAAuthentication: false
|
||||
HostbasedAuthentication: false
|
||||
PermitEmptyPasswords: false
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
PrintMotd: false
|
||||
PrintLastLog: true
|
||||
TCPKeepAlive: true
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -12,29 +12,29 @@ __sshd_defaults:
|
|||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation: yes
|
||||
UsePrivilegeSeparation: true
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 1024
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: prohibit-password
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
StrictModes: true
|
||||
RSAAuthentication: true
|
||||
PubkeyAuthentication: true
|
||||
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
IgnoreRhosts: true
|
||||
RhostsRSAAuthentication: false
|
||||
HostbasedAuthentication: false
|
||||
PermitEmptyPasswords: false
|
||||
ChallengeResponseAuthentication: false
|
||||
X11Forwarding: true
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
PrintMotd: false
|
||||
PrintLastLog: true
|
||||
TCPKeepAlive: true
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
UseDNS: no
|
||||
__sshd_os_supported: yes
|
||||
UsePAM: true
|
||||
UseDNS: false
|
||||
__sshd_os_supported: true
|
||||
|
|
|
@ -5,12 +5,12 @@ __sshd_packages:
|
|||
- openssh-sftp-server
|
||||
__sshd_config_mode: "0644"
|
||||
__sshd_defaults:
|
||||
PasswordAuthentication: no
|
||||
ChallengeResponseAuthentication: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||
PasswordAuthentication: false
|
||||
ChallengeResponseAuthentication: false
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
PrintMotd: false
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -5,11 +5,11 @@ __sshd_packages:
|
|||
- openssh-sftp-server
|
||||
__sshd_config_mode: "0644"
|
||||
__sshd_defaults:
|
||||
ChallengeResponseAuthentication: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||
ChallengeResponseAuthentication: false
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
PrintMotd: false
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: /run/sshd
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
||||
__sshd_service: ssh
|
||||
__sshd_packages:
|
||||
|
@ -12,8 +12,8 @@ __sshd_config_mode: "0644"
|
|||
# the defaults here represent the defaults shipped in the main sshd_config
|
||||
__sshd_defaults:
|
||||
Include: /etc/ssh/sshd_config.d/*.conf
|
||||
KbdInteractiveAuthentication: no
|
||||
UsePAM: yes
|
||||
KbdInteractiveAuthentication: false
|
||||
UsePAM: true
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
||||
|
||||
|
|
|
@ -27,7 +27,7 @@ __sshd_service: sshd
|
|||
__sshd_sftp_server: /usr/lib/openssh/sftp-server
|
||||
|
||||
__sshd_defaults: {}
|
||||
__sshd_os_supported: no
|
||||
__sshd_os_supported: false
|
||||
__sshd_sysconfig_supports_crypto_policy: false
|
||||
__sshd_sysconfig_supports_use_strong_rng: false
|
||||
|
||||
|
|
|
@ -4,11 +4,11 @@ __sshd_packages:
|
|||
__sshd_sftp_server: /usr/lib/ssh/sftp-server
|
||||
__sshd_defaults:
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
UsePAM: true
|
||||
X11Forwarding: true
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL
|
||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
__sshd_os_supported: true
|
||||
|
|