Fix issues found by linters - enable all tests on all repos - remove suppressions

Cleaning up yamllint errors.
  - Use .yamllint.yml and .yamllint_defaults.yml instead of
    .yamllint.yaml.
  - Fix the invalid indentations.

Cleaning up ansible-lint errors.
  - Add "name" to every task.
  - Use command rather than shell.
  - Add "changed_when: false".
  - Use '|' instead of '>' for the shell module.
  - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
  - Add "set -eu" and "set -o pipefail" if pipefail is available.
    Note: "pipefail" is not available in "sh" and "dash".
  - Add "- '306'  # Shells that use pipes should set the pipefail option"
    to .ansible-lint since ansible-lint does not recognize it if it's set
    in "if set -o | grep pipefail".

RHELPLAN-73804
This commit is contained in:
Noriko Hosoi 2021-04-07 11:12:03 -07:00
parent 428d390668
commit 6887864d2c
31 changed files with 831 additions and 765 deletions


@ -1,2 +1,3 @@
warn_list: # or 'skip_list' to silence them completely │ warn_list: # or 'skip_list' to silence them completely │
- '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern
- '306' # Shells that use pipes should set the pipefail option
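Review bot: Putting `'306'` in `warn_list` downgrades the pipefail rule for the whole repository, so a future shell task that pipes without any pipefail handling will pass CI with only a warning. The commit message says the motivation is that ansible-lint cannot see the `set -o pipefail` hidden inside the `if set -o | grep pipefail` probe; that is a per-task situation, and a per-task `# noqa 306` comment on those shell tasks would keep the rule enforced everywhere else. If the repo-wide downgrade is kept, the inline comment should say why, e.g. `- '306'  # pipefail is set conditionally in an if-block, which ansible-lint cannot detect`.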


@ -6,11 +6,12 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with centos:7 - name: ansible check with centos:7
uses: roles-ansible/check-ansible-centos-centos7-action@master uses: roles-ansible/check-ansible-centos-centos7-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"
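Review bot: The checkout step gains a name, but the step it feeds, `uses: roles-ansible/check-ansible-centos-centos7-action@master`, references a mutable branch, so whatever lands on that branch runs against this repository's checkout in CI without any review here. Pinning to a release tag, or better a full commit SHA with a trailing comment naming the version, is the usual mitigation; `actions/checkout@v2` is a moving tag as well and could get the same treatment. The same `@master` reference appears in every other workflow section of this commit (centos8, the three debian workflows, fedora, ubuntu and the ansible-lint workflow). The enclosing `jobs:` mapping starts before the hunk.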


@ -6,11 +6,12 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with centos:8 - name: ansible check with centos:8
uses: roles-ansible/check-ansible-centos-centos8-action@master uses: roles-ansible/check-ansible-centos-centos8-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"


@ -6,12 +6,13 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:buster (10) - name: ansible check with debian:buster (10)
uses: roles-ansible/check-ansible-debian-buster-action@master uses: roles-ansible/check-ansible-debian-buster-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"


@ -6,12 +6,13 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:stretch (9) - name: ansible check with debian:stretch (9)
uses: roles-ansible/check-ansible-debian-stretch-action@master uses: roles-ansible/check-ansible-debian-stretch-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"


@ -6,12 +6,13 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:latest - name: ansible check with debian:latest
uses: roles-ansible/check-ansible-debian-latest-action@master uses: roles-ansible/check-ansible-debian-latest-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"


@ -6,12 +6,13 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with fedora:latest - name: ansible check with fedora:latest
uses: roles-ansible/check-ansible-fedora-latest-action@master uses: roles-ansible/check-ansible-fedora-latest-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"


@ -3,32 +3,35 @@ name: Ansible Lint # feel free to pick your own name
on: [push, pull_request] on: [push, pull_request]
jobs: jobs:
# test-ansible28: # test-ansible28:
# runs-on: ubuntu-latest # runs-on: ubuntu-latest
# steps: # steps:
# - uses: actions/checkout@v2 # - name: checkout PR
# - name: Lint Ansible Playbook # uses: actions/checkout@v2
# uses: ansible/ansible-lint-action@master # - name: Lint Ansible Playbook
# with: # uses: ansible/ansible-lint-action@master
# targets: "tests/test_*.yml" # with:
# override-deps: | # targets: "tests/test_*.yml"
# ansible==2.8 # override-deps: |
# args: "" # ansible==2.8
# test-ansible29: # args: ""
# runs-on: ubuntu-latest # test-ansible29:
# steps: # runs-on: ubuntu-latest
# - uses: actions/checkout@v2 # steps:
# - name: Lint Ansible Playbook # - name: checkout PR
# uses: ansible/ansible-lint-action@master # uses: actions/checkout@v2
# with: # - name: Lint Ansible Playbook
# targets: "tests/test_*.yml" # uses: ansible/ansible-lint-action@master
# override-deps: | # with:
# ansible==2.9 # targets: "tests/test_*.yml"
# args: "" # override-deps: |
# ansible==2.9
# args: ""
test-ansible210: test-ansible210:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: Lint Ansible Playbook - name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master uses: ansible/ansible-lint-action@master
with: with:


@ -6,12 +6,13 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with ubuntu:latest - name: ansible check with ubuntu:latest
uses: roles-ansible/check-ansible-ubuntu-latest-action@master uses: roles-ansible/check-ansible-ubuntu-latest-action@master
with: with:
group: local group: local
hosts: localhost hosts: localhost
targets: "tests/*.yml" targets: "tests/*.yml"


@ -1,21 +0,0 @@
---
# Based on ansible-lint config
extends: default
rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines: {type: unix}
trailing-spaces: disable
truthy: disable

18
.yamllint.yml Normal file

@ -0,0 +1,18 @@
# SPDX-License-Identifier: MIT
---
extends: .yamllint_defaults.yml
# possible customizations over the base yamllint config
# skip the yaml files in the /tests/ directory
# NOTE: If you want to customize `ignore` you'll have to
# copy in all of the config from .yamllint.yml, then
# add your own - so if you want to just add /tests/ to
# be ignored, you'll have to add the ignores from the base
ignore: |
/.tox/
/.github/
# /tests/
# skip checking line length
# NOTE: the above does not apply to `rules` - you do not
# have to copy all of the rules from the base config
rules:
line-length: disable
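Review bot: The NOTE comment tells readers to copy the ignore entries "from .yamllint.yml", but this file is .yamllint.yml itself; the base whose ignores have to be duplicated is `.yamllint_defaults.yml`, which is why `/.tox/` already appears in both files. Suggest `# copy in all of the ignores from .yamllint_defaults.yml, then`. The comment "skip the yaml files in the /tests/ directory" describes a line that is commented out, so `# to also skip /tests/, uncomment the line below` would avoid implying that tests are currently skipped. One thing to confirm: I believe yamllint resolves a file path given to `extends:` relative to the working directory rather than to this config file, so this setup only works when yamllint is run from the repository root.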

16
.yamllint_defaults.yml Normal file

@ -0,0 +1,16 @@
# SPDX-License-Identifier: MIT
---
ignore: |
/.tox/
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
truthy:
allowed-values: ["yes", "no", "true", "false"]
level: error
document-start: disable
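Review bot: `allowed-values: ["yes", "no", "true", "false"]` keeps `yes`/`no` legal, and under the YAML 1.1 rules that PyYAML and Ansible apply those become booleans, not the strings sshd expects in values such as `PermitRootLogin: no`. Presumably this is deliberate because the role's template maps booleans back to `yes`/`no`; if so, a comment on the `truthy` rule saying exactly that would stop the next reader from "fixing" it. If the intent is instead to carry sshd-style values as strings, quoting them (`"no"`) and restricting `truthy` to `true`/`false` is the safer combination.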


@ -10,6 +10,6 @@
PermitRootLogin: no PermitRootLogin: no
PasswordAuthentication: no PasswordAuthentication: no
Match: Match:
- Condition: "Address 192.0.2.0/24" - Condition: "Address 192.0.2.0/24"
PermitRootLogin: yes PermitRootLogin: yes
PasswordAuthentication: yes PasswordAuthentication: yes


@ -8,7 +8,7 @@
- sshd_allow_reload|bool - sshd_allow_reload|bool
- ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'docker'
- ansible_virtualization_type|default(None) != 'podman' - ansible_virtualization_type|default(None) != 'podman'
- ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions
- ansible_connection != 'chroot' - ansible_connection != 'chroot'
- ansible_os_family != 'AIX' - ansible_os_family != 'AIX'
listen: reload_sshd listen: reload_sshd
@ -19,10 +19,15 @@
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6 # https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
- name: Reload sshd Service (AIX) - name: Reload sshd Service (AIX)
shell: | shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
stopsrc -s sshd stopsrc -s sshd
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
startsrc -s sshd startsrc -s sshd
listen: reload_sshd listen: reload_sshd
changed_when: false
when: when:
- sshd_allow_reload|bool - sshd_allow_reload|bool
- ansible_os_family == 'AIX' - ansible_os_family == 'AIX'
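Review bot: The new pipefail probe is broken: in `grep pipefail 2>&1 /dev/null` the `/dev/null` is a file operand, so grep reads that file instead of the piped output of `set -o`, the condition is always false and `set -o pipefail` never runs. Because the failing pipeline is an `if` condition, `set -e` does not abort either, so the script silently continues without pipefail and the `until ... | grep -q` loop it was meant to protect is exactly the pipeline left unguarded. The line should read `if set -o | grep pipefail >/dev/null 2>&1; then`. The same probe is copied into the hostkey task, the backup task and the restore task in the later sections of this commit. Separately, `changed_when: false` on a handler that stops and starts sshd misreports a real state change; `changed_when: true` should satisfy the lint rule just as well.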


@ -50,14 +50,19 @@
{% endif %} {% endif %}
block: block:
- name: Make sure hostkeys are available - name: Make sure hostkeys are available
shell: > shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
{% if sshd_sysconfig %} {% if sshd_sysconfig %}
source /etc/sysconfig/sshd; source /etc/sysconfig/sshd
{% endif %} {% endif %}
ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N '' ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N ''
args: args:
creates: "{{ item }}" creates: "{{ item }}"
loop: "{{ __sshd_verify_hostkeys | from_json | list }}" loop: "{{ __sshd_verify_hostkeys | from_json | list }}"
changed_when: false
- name: Make sure private hostkeys have expected permissions - name: Make sure private hostkeys have expected permissions
file: file:
@ -75,14 +80,15 @@
tempfile: tempfile:
state: directory state: directory
register: sshd_test_hostkey register: sshd_test_hostkey
changed_when: False changed_when: false
when: when:
- __sshd_hostkeys_from_config | from_json == [] - __sshd_hostkeys_from_config | from_json == []
- sshd_config_file != "/etc/ssh/sshd_config" - sshd_config_file != "/etc/ssh/sshd_config"
- name: Generate temporary hostkey - name: Generate temporary hostkey
shell: "ssh-keygen -q -t rsa -f {{ sshd_test_hostkey.path }}/rsa_key -C '' -N ''" command: >
changed_when: False ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
changed_when: false
when: sshd_test_hostkey.path is defined when: sshd_test_hostkey.path is defined
- name: Make sure sshd runtime directory is present - name: Make sure sshd runtime directory is present
@ -119,7 +125,7 @@
file: file:
path: "{{ sshd_test_hostkey.path }}" path: "{{ sshd_test_hostkey.path }}"
state: absent state: absent
changed_when: False changed_when: false
when: sshd_test_hostkey.path is defined when: sshd_test_hostkey.path is defined
- name: Install systemd service files - name: Install systemd service files
@ -159,7 +165,7 @@
- sshd_manage_service|bool - sshd_manage_service|bool
- ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'docker'
- ansible_virtualization_type|default(None) != 'podman' - ansible_virtualization_type|default(None) != 'podman'
- ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions
- ansible_connection != 'chroot' - ansible_connection != 'chroot'
# Due to ansible bug 21026, cannot use service module on RHEL 7 # Due to ansible bug 21026, cannot use service module on RHEL 7
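Review bot: In the first hunk, the new `changed_when: false` on "Make sure hostkeys are available" overrides the change reporting that `args: creates: "{{ item }}"` already gives the task: when a key is missing, ssh-keygen generates it and the play still reports ok. As far as I recall `creates` alone satisfies the lint rule that motivated this commit, so I would drop the line rather than mask a real change. Also, with `set -u` now in force, `source /etc/sysconfig/sshd` aborts the script on any variable that file references but does not define; the commit message names exactly this symptom (`CRYPTO_POLICY: unbound variable`), and nothing visible in this hunk shows how it was resolved, so worth confirming on a RHEL host. The enclosing block continues past the hunk.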


@ -6,17 +6,21 @@
tempfile: tempfile:
state: directory state: directory
register: __sshd_test_backup register: __sshd_test_backup
changed_when: False changed_when: false
when: when:
- sshd_test_backup_skip is not defined - sshd_test_backup_skip is not defined
- name: Backup files - name: Backup files
shell: > shell: |
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
set -eu
if test -f {{ item }}; then if test -f {{ item }}; then
mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }}); mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }})
cp {{ item }} {{ __sshd_test_backup.path }}/$(dirname {{ item }}) cp {{ item }} {{ __sshd_test_backup.path }}/$(dirname {{ item }})
fi fi
changed_when: False changed_when: false
loop: "{{ __sshd_test_backup_files | d([]) }}" loop: "{{ __sshd_test_backup_files | d([]) }}"
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
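Review bot: The new `set -eu` in "Backup files" is placed after the pipefail probe, whereas the handler, hostkey and restore scripts in this commit put it on the first line; moving it up keeps the four prologues identical and easy to grep for. Functionally the order only matters if the probe itself could fail under `-u`, which it cannot since it expands no variables, so this is a consistency point only. The task's `when:` list continues past the hunk.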


@ -1,12 +1,16 @@
--- ---
- name: Restore backed up files and remove what was not present - name: Restore backed up files and remove what was not present
shell: > shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test -f {{ __sshd_test_backup.path }}/{{ item }}; then if test -f {{ __sshd_test_backup.path }}/{{ item }}; then
cp {{ __sshd_test_backup.path }}/{{ item }} $(dirname {{ item }}) cp {{ __sshd_test_backup.path }}/{{ item }} $(dirname {{ item }})
elif test -f {{ item }}; then elif test -f {{ item }}; then
rm {{ item }} rm {{ item }}
fi fi
changed_when: False changed_when: false
loop: "{{ __sshd_test_backup_files | d([]) }}" loop: "{{ __sshd_test_backup_files | d([]) }}"
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
@ -16,7 +20,7 @@
file: file:
path: "{{ __sshd_test_backup.path }}" path: "{{ __sshd_test_backup.path }}"
state: absent state: absent
changed_when: False changed_when: false
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
- __sshd_test_backup.path is defined - __sshd_test_backup.path is defined
@ -25,11 +29,11 @@
service: service:
name: sshd name: sshd
state: reloaded state: reloaded
changed_when: False changed_when: false
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
- ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'docker'
- ansible_virtualization_type|default(None) != 'podman' - ansible_virtualization_type|default(None) != 'podman'
- ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions
- ansible_connection != 'chroot' - ansible_connection != 'chroot'
- ansible_os_family != 'AIX' - ansible_os_family != 'AIX'


@ -7,98 +7,98 @@
- /etc/ssh/sshd_config_custom - /etc/ssh/sshd_config_custom
- /etc/ssh/sshd_config_custom_second - /etc/ssh/sshd_config_custom_second
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure alternative sshd_config file - name: Configure alternative sshd_config file
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# just anything -- will not get processed by sshd # just anything -- will not get processed by sshd
sshd_config_file: /etc/ssh/sshd_config_custom sshd_config_file: /etc/ssh/sshd_config_custom
sshd_skip_defaults: true sshd_skip_defaults: true
sshd: sshd:
AcceptEnv: LANG AcceptEnv: LANG
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes256-ctr Ciphers: aes256-ctr
sshd_Compression: no sshd_Compression: no
- name: Configure second alternative sshd_config file - name: Configure second alternative sshd_config file
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# just anything -- will not get processed by sshd # just anything -- will not get processed by sshd
sshd_config_file: /etc/ssh/sshd_config_custom_second sshd_config_file: /etc/ssh/sshd_config_custom_second
sshd_skip_defaults: true sshd_skip_defaults: true
sshd: sshd:
Banner: /etc/issue2 Banner: /etc/issue2
Ciphers: aes128-ctr Ciphers: aes128-ctr
sshd_MaxStartups: 100 sshd_MaxStartups: 100
- name: Now configure the main sshd_config file - name: Now configure the main sshd_config file
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes192-ctr Ciphers: aes192-ctr
HostKey: HostKey:
- /tmp/ssh_host_ecdsa_key - /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no sshd_PasswordAuthentication: no
- name: Verify the options are correctly set - name: Verify the options are correctly set
vars: vars:
main_sshd_config: >- main_sshd_config: >-
{{ {{
"/etc/ssh/sshd_config.d/00-ansible_system_role.conf" "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
if ansible_facts['distribution'] == 'Fedora' if ansible_facts['distribution'] == 'Fedora'
else "/etc/ssh/sshd_config" else "/etc/ssh/sshd_config"
}} }}
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: /etc/ssh/sshd_config_custom src: /etc/ssh/sshd_config_custom
register: config register: config
- name: Print second configuration file - name: Print second configuration file
slurp: slurp:
src: /etc/ssh/sshd_config_custom_second src: /etc/ssh/sshd_config_custom_second
register: config2 register: config2
- name: Print the main configuration file - name: Print the main configuration file
slurp: slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config3 register: config3
- name: Check content of first configuration file - name: Check content of first configuration file
assert: assert:
that: that:
- "'AcceptEnv LANG' in config.content | b64decode" - "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode"
- "'Ciphers aes256-ctr' in config.content | b64decode" - "'Ciphers aes256-ctr' in config.content | b64decode"
- "'HostKey' not in config.content | b64decode" - "'HostKey' not in config.content | b64decode"
- "'Compression no' in config.content | b64decode" - "'Compression no' in config.content | b64decode"
- "'MaxStartups 100' not in config.content | b64decode" - "'MaxStartups 100' not in config.content | b64decode"
- name: Check content of second configuration file - name: Check content of second configuration file
assert: assert:
that: that:
- "'Banner /etc/issue2' in config2.content | b64decode" - "'Banner /etc/issue2' in config2.content | b64decode"
- "'Ciphers aes128-ctr' in config2.content | b64decode" - "'Ciphers aes128-ctr' in config2.content | b64decode"
- "'HostKey' not in config2.content | b64decode" - "'HostKey' not in config2.content | b64decode"
- "'MaxStartups 100' in config2.content | b64decode" - "'MaxStartups 100' in config2.content | b64decode"
- "'Compression no' not in config2.content | b64decode" - "'Compression no' not in config2.content | b64decode"
- name: Check content of the main configuration file - name: Check content of the main configuration file
assert: assert:
that: that:
- "'Banner /etc/issue' in config3.content | b64decode" - "'Banner /etc/issue' in config3.content | b64decode"
- "'Ciphers aes192-ctr' in config3.content | b64decode" - "'Ciphers aes192-ctr' in config3.content | b64decode"
- "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode" - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode"
- "'PasswordAuthentication no' in config3.content | b64decode" - "'PasswordAuthentication no' in config3.content | b64decode"
- "'MaxStartups 100' not in config3.content | b64decode" - "'MaxStartups 100' not in config3.content | b64decode"
- "'Compression no' not in config3.content | b64decode" - "'Compression no' not in config3.content | b64decode"
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -17,51 +17,51 @@
else "/etc/ssh/" else "/etc/ssh/"
}} }}
tasks: tasks:
- name: Backup configuration files - name: Backup configuration files
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Find old backups files - name: Find old backups files
find: find:
paths: "{{ main_sshd_config_path }}" paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config }}.*@*~" patterns: "{{ main_sshd_config }}.*@*~"
register: backup_files register: backup_files
- name: Remove old backup files - name: Remove old backup files
file: file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: absent state: absent
with_items: "{{ backup_files.files }}" with_items: "{{ backup_files.files }}"
- name: Configure sshd without creating backup - name: Configure sshd without creating backup
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_backup: false sshd_backup: false
- name: Find new backups files - name: Find new backups files
find: find:
paths: "{{ main_sshd_config_path }}" paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config }}.*@*~" patterns: "{{ main_sshd_config }}.*@*~"
register: no_backup register: no_backup
- name: Configure sshd again with different configuration and with backup - name: Configure sshd again with different configuration and with backup
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_Banner: /tmp/banner sshd_Banner: /tmp/banner
register: second_run register: second_run
- name: Find new backups files - name: Find new backups files
find: find:
paths: "{{ main_sshd_config_path }}" paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config }}.*@*~" patterns: "{{ main_sshd_config }}.*@*~"
register: new_backup register: new_backup
- name: Verify the backup was not done in the first attempt, but in the second one - name: Verify the backup was not done in the first attempt, but in the second one
assert: assert:
that: that:
- no_backup.files == [] - no_backup.files == []
- new_backup.files != [] - new_backup.files != []
- name: Restore configuration files - name: Restore configuration files
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,12 +5,12 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- hosts: all - hosts: all
roles: roles:
- ansible-sshd - ansible-sshd
- hosts: all - hosts: all
vars: vars:
@ -18,5 +18,5 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,12 +5,12 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: "Configure sshd" - name: "Configure sshd"
include_role: include_role:
name: ansible-sshd name: ansible-sshd
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -6,76 +6,78 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /tmp/ssh_host_rsa_key2 - /tmp/ssh_host_rsa_key2
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Remove host key before the test - name: Remove host key before the test
file: file:
path: /tmp/ssh_host_rsa_key2 path: /tmp/ssh_host_rsa_key2
state: absent state: absent
- name: Ensure group 'nobody' exists - name: Ensure group 'nobody' exists
group: group:
name: nobody name: nobody
- name: Ensure the user 'nobody' exists - name: Ensure the user 'nobody' exists
user: user:
name: nobody name: nobody
group: nobody group: nobody
comment: nobody comment: nobody
create_home: no create_home: no
shell: /sbin/nologin shell: /sbin/nologin
- name: Configure sshd with alternative host keys - name: Configure sshd with alternative host keys
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# very BAD example # very BAD example
sshd_hostkey_owner: "nobody" sshd_hostkey_owner: "nobody"
sshd_hostkey_group: "nobody" sshd_hostkey_group: "nobody"
sshd_hostkey_mode: "0664" sshd_hostkey_mode: "0664"
sshd: sshd:
HostKey: HostKey:
- /tmp/ssh_host_rsa_key2 - /tmp/ssh_host_rsa_key2
- name: Verify the options are correctly set - name: Verify the options are correctly set
vars: vars:
main_sshd_config: >- main_sshd_config: >-
{{ {{
"/etc/ssh/sshd_config.d/00-ansible_system_role.conf" "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
if ansible_facts['distribution'] == 'Fedora' if ansible_facts['distribution'] == 'Fedora'
else "/etc/ssh/sshd_config" else "/etc/ssh/sshd_config"
}} }}
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- stat: - name: Get stat of private key
path: /tmp/ssh_host_rsa_key2 stat:
register: privkey path: /tmp/ssh_host_rsa_key2
register: privkey
- stat: - name: Get stat of public key
path: /tmp/ssh_host_rsa_key2.pub stat:
register: pubkey path: /tmp/ssh_host_rsa_key2.pub
register: pubkey
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: assert:
that: that:
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
- name: Check the generated host key has requested properties - name: Check the generated host key has requested properties
assert: assert:
that: that:
- privkey.stat.exists - privkey.stat.exists
- privkey.stat.gr_name == 'nobody' - privkey.stat.gr_name == 'nobody'
- privkey.stat.pw_name == 'nobody' - privkey.stat.pw_name == 'nobody'
- privkey.stat.mode == '0664' - privkey.stat.mode == '0664'
- pubkey.stat.exists - pubkey.stat.exists
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -6,52 +6,52 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /tmp/missing_ssh_host_rsa_key - /tmp/missing_ssh_host_rsa_key
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd with missing host keys and prevent their creation - name: Configure sshd with missing host keys and prevent their creation
block: block:
- name: Configure missing hostkey - name: Configure missing hostkey
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_verify_hostkeys: [] sshd_verify_hostkeys: []
sshd: sshd:
HostKey: HostKey:
- /tmp/missing_ssh_host_rsa_key - /tmp/missing_ssh_host_rsa_key
register: role_result register: role_result
- name: unreachable task - name: unreachable task
fail: fail:
msg: UNREACH msg: UNREACH
rescue: rescue:
- name: Check that we failed in the role - name: Check that we failed in the role
assert: assert:
that: that:
- ansible_failed_result.msg != 'UNREACH' - ansible_failed_result.msg != 'UNREACH'
- not role_result.changed - not role_result.changed
msg: "Role has not failed when it should have" msg: "Role has not failed when it should have"
when: when:
- ansible_facts['os_family'] != 'Debian' - ansible_facts['os_family'] != 'Debian'
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
tags: tests::verify tags: tests::verify
- name: Make sure the key was not created - name: Make sure the key was not created
file: file:
path: /tmp/missing_ssh_host_rsa_key path: /tmp/missing_ssh_host_rsa_key
state: absent state: absent
register: key register: key
failed_when: key.changed failed_when: key.changed
tags: tests::verify tags: tests::verify
- name: Make sure service is still running - name: Make sure service is still running
service: service:
name: sshd name: sshd
state: started state: started
register: result register: result
failed_when: result.changed failed_when: result.changed
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,87 +5,87 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# For Fedora containers, we need to make sure we have keys for sshd -T below # For Fedora containers, we need to make sure we have keys for sshd -T below
sshd_verify_hostkeys: sshd_verify_hostkeys:
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
sshd: sshd:
Match: Match:
Condition: "User xusers" Condition: "User xusers"
X11Forwarding: yes X11Forwarding: yes
Banner: /tmp/xusers-banner Banner: /tmp/xusers-banner
sshd_match: sshd_match:
- Condition: "User bot" - Condition: "User bot"
AllowTcpForwarding: no AllowTcpForwarding: no
Banner: /tmp/bot-banner Banner: /tmp/bot-banner
sshd_match_1: sshd_match_1:
- Condition: "User sftponly" - Condition: "User sftponly"
ForceCommand: "internal-sftp" ForceCommand: "internal-sftp"
ChrootDirectory: "/var/uploads/" ChrootDirectory: "/var/uploads/"
sshd_match_2: sshd_match_2:
- Condition: "User root" - Condition: "User root"
PasswordAuthentication: no PasswordAuthentication: no
AllowTcpForwarding: yes AllowTcpForwarding: yes
- name: Verify the options are correctly set - name: Verify the options are correctly set
vars: vars:
main_sshd_config: >- main_sshd_config: >-
{{ {{
"/etc/ssh/sshd_config.d/00-ansible_system_role.conf" "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
if ansible_facts['distribution'] == 'Fedora' if ansible_facts['distribution'] == 'Fedora'
else "/etc/ssh/sshd_config" else "/etc/ssh/sshd_config"
}} }}
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: List effective configuration using sshd -T for xusers - name: List effective configuration using sshd -T for xusers
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
register: xusers_effective register: xusers_effective
- name: List effective configuration using sshd -T for bot - name: List effective configuration using sshd -T for bot
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
register: bot_effective register: bot_effective
- name: List effective configuration using sshd -T for sftponly - name: List effective configuration using sshd -T for sftponly
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
register: sftponly_effective register: sftponly_effective
- name: List effective configuration using sshd -T for root - name: List effective configuration using sshd -T for root
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
register: root_effective register: root_effective
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the options are effective - name: Check the options are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'x11forwarding yes' in xusers_effective.stdout" - "'x11forwarding yes' in xusers_effective.stdout"
- "'banner /tmp/xusers-banner' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
- "'allowtcpforwarding no' in bot_effective.stdout" - "'allowtcpforwarding no' in bot_effective.stdout"
- "'banner /tmp/bot-banner' in bot_effective.stdout" - "'banner /tmp/bot-banner' in bot_effective.stdout"
- "'forcecommand internal-sftp' in sftponly_effective.stdout" - "'forcecommand internal-sftp' in sftponly_effective.stdout"
- "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
- "'passwordauthentication no' in root_effective.stdout" - "'passwordauthentication no' in root_effective.stdout"
- "'allowtcpforwarding yes' in root_effective.stdout" - "'allowtcpforwarding yes' in root_effective.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: assert:
that: that:
- "'Match User xusers' in config.content | b64decode" - "'Match User xusers' in config.content | b64decode"
- "'Match User bot' in config.content | b64decode" - "'Match User bot' in config.content | b64decode"
- "'Match User sftponly' in config.content | b64decode" - "'Match User sftponly' in config.content | b64decode"
- "'Match User root' in config.content | b64decode" - "'Match User root' in config.content | b64decode"
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,85 +5,85 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# For Fedora containers, we need to make sure we have keys for sshd -T below # For Fedora containers, we need to make sure we have keys for sshd -T below
sshd_verify_hostkeys: sshd_verify_hostkeys:
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
sshd: sshd:
Match: Match:
- Condition: "User xusers" - Condition: "User xusers"
X11Forwarding: yes X11Forwarding: yes
Banner: /tmp/xusers-banner Banner: /tmp/xusers-banner
- Condition: "User bot" - Condition: "User bot"
AllowTcpForwarding: no AllowTcpForwarding: no
Banner: /tmp/bot-banner Banner: /tmp/bot-banner
sshd_match: sshd_match:
- Condition: "User sftponly" - Condition: "User sftponly"
ForceCommand: "internal-sftp" ForceCommand: "internal-sftp"
ChrootDirectory: "/var/uploads/" ChrootDirectory: "/var/uploads/"
- Condition: "User root" - Condition: "User root"
PasswordAuthentication: no PasswordAuthentication: no
AllowTcpForwarding: yes AllowTcpForwarding: yes
- name: Verify the options are correctly set - name: Verify the options are correctly set
vars: vars:
main_sshd_config: >- main_sshd_config: >-
{{ {{
"/etc/ssh/sshd_config.d/00-ansible_system_role.conf" "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
if ansible_facts['distribution'] == 'Fedora' if ansible_facts['distribution'] == 'Fedora'
else "/etc/ssh/sshd_config" else "/etc/ssh/sshd_config"
}} }}
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: List effective configuration using sshd -T for xusers - name: List effective configuration using sshd -T for xusers
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
register: xusers_effective register: xusers_effective
- name: List effective configuration using sshd -T for bot - name: List effective configuration using sshd -T for bot
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
register: bot_effective register: bot_effective
- name: List effective configuration using sshd -T for sftponly - name: List effective configuration using sshd -T for sftponly
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
register: sftponly_effective register: sftponly_effective
- name: List effective configuration using sshd -T for root - name: List effective configuration using sshd -T for root
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
register: root_effective register: root_effective
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the options are effective - name: Check the options are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'x11forwarding yes' in xusers_effective.stdout" - "'x11forwarding yes' in xusers_effective.stdout"
- "'banner /tmp/xusers-banner' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
- "'allowtcpforwarding no' in bot_effective.stdout" - "'allowtcpforwarding no' in bot_effective.stdout"
- "'banner /tmp/bot-banner' in bot_effective.stdout" - "'banner /tmp/bot-banner' in bot_effective.stdout"
- "'forcecommand internal-sftp' in sftponly_effective.stdout" - "'forcecommand internal-sftp' in sftponly_effective.stdout"
- "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
- "'passwordauthentication no' in root_effective.stdout" - "'passwordauthentication no' in root_effective.stdout"
- "'allowtcpforwarding yes' in root_effective.stdout" - "'allowtcpforwarding yes' in root_effective.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: assert:
that: that:
- "'Match User xusers' in config.content | b64decode" - "'Match User xusers' in config.content | b64decode"
- "'Match User bot' in config.content | b64decode" - "'Match User bot' in config.content | b64decode"
- "'Match User sftponly' in config.content | b64decode" - "'Match User sftponly' in config.content | b64decode"
- "'Match User root' in config.content | b64decode" - "'Match User root' in config.content | b64decode"
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -7,32 +7,38 @@
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_rsa_key.pub - /etc/ssh/ssh_host_rsa_key.pub
tasks: tasks:
- name: Backup configuration files - name: Backup configuration files
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Show effective configuration before running role (system defaults) - name: Show effective configuration before running role (system defaults)
shell: > shell: |
if test ! -f /etc/ssh/ssh_host_rsa_key; then set -eu
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' if set -o | grep pipefail 2>&1 /dev/null ; then
fi; set -o pipefail
sshd -T fi
register: runtime_before if test ! -f /etc/ssh/ssh_host_rsa_key; then
- name: Configure sshd ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
include_role: fi
name: ansible-sshd sshd -T
- name: Show effective configuration after running role (role defaults) register: runtime_before
shell: sshd -T changed_when: false
register: runtime_after - name: Configure sshd
- debug: include_role:
var: ansible_facts['distribution'] name: ansible-sshd
- debug: - name: Show effective configuration after running role (role defaults)
var: ansible_facts['distribution_major_version'] command: sshd -T
- name: Check that the effective configuration did not change from OS defaults register: runtime_after
assert: changed_when: false
that: - debug:
- runtime_before.stdout == runtime_after.stdout var: ansible_facts['distribution']
when: - debug:
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') var: ansible_facts['distribution_major_version']
- name: Check that the effective configuration did not change from OS defaults
assert:
that:
- runtime_before.stdout == runtime_after.stdout
when:
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Restore configuration files - name: Restore configuration files
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml
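Review bot: The pipefail probe added to the `Show effective configuration before running role` task never enables pipefail, because `grep pipefail 2>&1 /dev/null` hands `/dev/null` to grep as a file operand, so grep reads that file instead of the piped `set -o` output and the condition is always false. The redirections must follow the command with no file operand: `if set -o | grep pipefail >/dev/null 2>&1; then`. The same line recurs in the `Print effective configuration` task and in both `Evaluate sysconfig` tasks in the last two file sections of this page and should be corrected there as well. In this task nothing after the probe is a pipeline, so the practical effect here is only dead code, but the probe reads as if it worked.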

View file

@ -6,61 +6,61 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /tmp/ssh_host_rsa_key - /tmp/ssh_host_rsa_key
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Remove host key before the test - name: Remove host key before the test
file: file:
path: /tmp/ssh_host_rsa_key path: /tmp/ssh_host_rsa_key
state: absent state: absent
- name: Configure sshd - name: Configure sshd
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes256-ctr Ciphers: aes256-ctr
HostKey: /etc/ssh/ssh_host_rsa_key HostKey: /etc/ssh/ssh_host_rsa_key
sshd_Ciphers: aes128-ctr sshd_Ciphers: aes128-ctr
sshd_Banner: /etc/good-issue sshd_Banner: /etc/good-issue
sshd_HostKey: /tmp/ssh_host_rsa_key sshd_HostKey: /tmp/ssh_host_rsa_key
- name: Verify the options are correctly set - name: Verify the options are correctly set
vars: vars:
main_sshd_config: >- main_sshd_config: >-
{{ {{
"/etc/ssh/sshd_config.d/00-ansible_system_role.conf" "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
if ansible_facts['distribution'] == 'Fedora' if ansible_facts['distribution'] == 'Fedora'
else "/etc/ssh/sshd_config" else "/etc/ssh/sshd_config"
}} }}
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: List effective configuration using sshd -T - name: List effective configuration using sshd -T
command: sshd -T command: sshd -T
register: runtime register: runtime
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the sshd_* values are effective in runtime - name: Check the sshd_* values are effective in runtime
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'banner /etc/good-issue' in runtime.stdout" - "'banner /etc/good-issue' in runtime.stdout"
- "'ciphers aes128-ctr' in runtime.stdout" - "'ciphers aes128-ctr' in runtime.stdout"
- "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: assert:
that: that:
- "'Banner /etc/good-issue' in config.content | b64decode" - "'Banner /etc/good-issue' in config.content | b64decode"
- "'Ciphers aes128-ctr' in config.content | b64decode" - "'Ciphers aes128-ctr' in config.content | b64decode"
- "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode" - "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode"
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,50 +5,50 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
AcceptEnv: LANG AcceptEnv: LANG
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes256-ctr Ciphers: aes256-ctr
Subsystem: "sftp internal-sftp" Subsystem: "sftp internal-sftp"
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: List effective configuration using sshd -T - name: List effective configuration using sshd -T
command: sshd -T command: sshd -T
register: runtime register: runtime
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config register: config
- name: Check the options are effective - name: Check the options are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'acceptenv LANG' in runtime.stdout" - "'acceptenv LANG' in runtime.stdout"
- "'banner /etc/issue' in runtime.stdout" - "'banner /etc/issue' in runtime.stdout"
- "'ciphers aes256-ctr' in runtime.stdout" - "'ciphers aes256-ctr' in runtime.stdout"
- "'subsystem sftp internal-sftp' in runtime.stdout" - "'subsystem sftp internal-sftp' in runtime.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: assert:
that: that:
- "'AcceptEnv LANG' in config.content | b64decode" - "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode"
- "'Ciphers aes256-ctr' in config.content | b64decode" - "'Ciphers aes256-ctr' in config.content | b64decode"
- "'Subsystem sftp internal-sftp' in config.content | b64decode" - "'Subsystem sftp internal-sftp' in config.content | b64decode"
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,57 +5,57 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd with uncommon options, making sure it keeps running - name: Configure sshd with uncommon options, making sure it keeps running
block: block:
- name: Configure ssh with unsupported options - name: Configure ssh with unsupported options
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
# Unsupported in new versions, but ignored ? # Unsupported in new versions, but ignored ?
Protocol: 1 Protocol: 1
UsePrivilegeSeparation: no UsePrivilegeSeparation: no
UseLogin: yes UseLogin: yes
# Debian only # Debian only
DebianBanner: /etc/motd DebianBanner: /etc/motd
# Used in FreeBSD ? # Used in FreeBSD ?
VersionAddendum: FreeBSD-20180909 VersionAddendum: FreeBSD-20180909
# HPN only # HPN only
HPNDisabled: yes HPNDisabled: yes
HPNBufferSize: 2MB HPNBufferSize: 2MB
TcpRcvBufPoll: yes TcpRcvBufPoll: yes
NoneEnabled: yes NoneEnabled: yes
# some builds might be without kerberos/GSSAPI # some builds might be without kerberos/GSSAPI
KerberosAuthentication: yes KerberosAuthentication: yes
GSSAPIStoreCredentialsOnRekey: yes GSSAPIStoreCredentialsOnRekey: yes
# SSHv1 options # SSHv1 options
KeyRegenerationInterval: 1h KeyRegenerationInterval: 1h
ServerKeyBits: 1024 ServerKeyBits: 1024
# This one is pretty new, but works on OpenBSD only # This one is pretty new, but works on OpenBSD only
RDomain: 2 RDomain: 2
register: role_result register: role_result
- name: unreachable task - name: unreachable task
fail: fail:
msg: UNREACH msg: UNREACH
rescue: rescue:
- name: Check that we failed in the role - name: Check that we failed in the role
assert: assert:
that: that:
- ansible_failed_result.msg != 'UNREACH' - ansible_failed_result.msg != 'UNREACH'
- not role_result.changed - not role_result.changed
msg: "Role has not failed when it should have" msg: "Role has not failed when it should have"
- name: Make sure service is still running - name: Make sure service is still running
service: service:
name: sshd name: sshd
state: started state: started
register: result register: result
failed_when: result.changed failed_when: result.changed
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml


@ -5,43 +5,48 @@
- /etc/ssh/sshd_config - /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd with the role disabled - name: Configure sshd with the role disabled
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_enable: false sshd_enable: false
sshd: sshd:
AcceptEnv: XDG_* AcceptEnv: XDG_*
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes256-ctr,aes128-ctr Ciphers: aes256-ctr,aes128-ctr
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config register: config
- name: Print effective configuration - name: Print effective configuration
shell: > shell: |
if test ! -f /etc/ssh/ssh_host_rsa_key; then set -eu
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' if set -o | grep pipefail 2>&1 /dev/null ; then
fi; set -o pipefail
sshd -T fi
register: runtime if test ! -f /etc/ssh/ssh_host_rsa_key; then
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
fi
sshd -T
register: runtime
changed_when: false
- name: Check the options were not applied - name: Check the options were not applied
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'Acceptenv XDG_*' not in config.content | b64decode" - "'Acceptenv XDG_*' not in config.content | b64decode"
- "'Banner /etc/issue' not in config.content | b64decode" - "'Banner /etc/issue' not in config.content | b64decode"
- "'Ciphers aes256-ctr,aes128-ctr' not in config.content | b64decode" - "'Ciphers aes256-ctr,aes128-ctr' not in config.content | b64decode"
- "'acceptenv XDG_*' not in runtime.stdout" - "'acceptenv XDG_*' not in runtime.stdout"
- "'banner /etc/issue' not in runtime.stdout" - "'banner /etc/issue' not in runtime.stdout"
- "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout" - "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout"
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml
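Review bot: The first assertion in `Check the options were not applied` searches the configuration file for `'Acceptenv XDG_*'`, a capitalisation that matches neither the option name passed to the role (`AcceptEnv: XDG_*`) nor the lower-cased `sshd -T` output used by the runtime checks, so that line passes regardless of what the role wrote. Presumably the role emits the key as given, in which case the check should read `- "'AcceptEnv XDG_*' not in config.content | b64decode"`. The added `changed_when: false` is correct for a read-only `sshd -T` call and keeps the task from reporting spurious changes.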


@ -6,67 +6,77 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /etc/sysconfig/sshd - /etc/sysconfig/sshd
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_sysconfig: true sshd_sysconfig: true
sshd_sysconfig_override_crypto_policy: true sshd_sysconfig_override_crypto_policy: true
sshd_sysconfig_use_strong_rng: 32 sshd_sysconfig_use_strong_rng: 32
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: slurp:
src: /etc/sysconfig/sshd src: /etc/sysconfig/sshd
register: config register: config
- name: Evaluate sysconfig similarly as systemd - name: Evaluate sysconfig similarly as systemd
shell: | shell: |
source /etc/sysconfig/sshd set -eu
echo "CP=|$CRYPTO_POLICY|" if set -o | grep pipefail 2>&1 /dev/null ; then
echo "RNG=|$SSH_USE_STRONG_RNG|" set -o pipefail
register: evaluation fi
source /etc/sysconfig/sshd
echo "CP=|${CRYPTO_POLICY:-}|"
echo "RNG=|${SSH_USE_STRONG_RNG:-}|"
register: evaluation
changed_when: false
- name: Evaluate sysconfig similarly as systemd on RHEL 8 - name: Evaluate sysconfig similarly as systemd on RHEL 8
shell: | shell: |
source /etc/crypto-policies/back-ends/opensshserver.config set -eu
source /etc/sysconfig/sshd if set -o | grep pipefail 2>&1 /dev/null ; then
echo "CP=|$CRYPTO_POLICY|" set -o pipefail
echo "RNG=|$SSH_USE_STRONG_RNG|" fi
register: evaluation8 source /etc/crypto-policies/back-ends/opensshserver.config
when: source /etc/sysconfig/sshd
- ansible_facts['os_family'] == "RedHat" echo "CP=|${CRYPTO_POLICY:-}|"
- ansible_facts['distribution_major_version'] == "8" echo "RNG=|${SSH_USE_STRONG_RNG:-}|"
register: evaluation8
changed_when: false
when:
- ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution_major_version'] == "8"
- name: Check the crypto policies is overridden in RHEL 8 - name: Check the crypto policies is overridden in RHEL 8
assert: assert:
that: that:
- "'CRYPTO_POLICY=' in config.content | b64decode" - "'CRYPTO_POLICY=' in config.content | b64decode"
# these are string variants in default configuration file # these are string variants in default configuration file
- "'# CRYPTO_POLICY=' not in config.content | b64decode" - "'# CRYPTO_POLICY=' not in config.content | b64decode"
- "'CP=||' in evaluation8.stdout" - "'CP=||' in evaluation8.stdout"
when: when:
- ansible_facts['os_family'] == "RedHat" - ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution_major_version'] == "8" - ansible_facts['distribution_major_version'] == "8"
- name: Check the RNG options are in configuration file - name: Check the RNG options are in configuration file
assert: assert:
that: that:
- "'SSH_USE_STRONG_RNG=32' in config.content | b64decode" - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode"
# these are string variants in default configuration file # these are string variants in default configuration file
- "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode" - "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode"
- "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode" - "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode"
- "'RNG=|32|' in evaluation.stdout" - "'RNG=|32|' in evaluation.stdout"
tags: tests::verify tags: tests::verify
when: when:
- ansible_facts['os_family'] == "RedHat" - ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution'] != 'Fedora' - ansible_facts['distribution'] != 'Fedora'
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml
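Review bot: Both `Evaluate sysconfig` tasks still use `source`, a bash builtin, in a script the commit otherwise rewrites for POSIX `sh` (the `set -o | grep pipefail` probe exists precisely because sh and dash lack pipefail); under dash `source` is not found and, with `set -eu` now in effect, the task aborts. The portable spelling is the dot form, `. /etc/sysconfig/sshd` and `. /etc/crypto-policies/back-ends/opensshserver.config`. The `when:` conditions at the end of the hunk appear to limit the block to RedHat hosts where /bin/sh is bash, so this is a consistency point rather than a live failure, but it is worth fixing while the script is being touched. The `${CRYPTO_POLICY:-}` and `${SSH_USE_STRONG_RNG:-}` defaults do resolve the unbound-variable error named in the commit message.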