ansible-lint - align with current Ansible recommendations

Use `true/false` instead of `yes/no`
Ensure use of FQCN for builtin modules
Use correct spacing in Jinja expressions
All tasks and plays must have a `name`, and the `name` string must begin with an uppercase letter
Use `ansible.posix.mount` instead of `ansible.builtin.mount`
Use `set -o pipefail` with `shell` module where supported by the platform shell

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
This commit is contained in:
Rich Megginson 2023-04-10 14:19:29 -06:00
parent 11eb7590e9
commit 70808e97fc
62 changed files with 394 additions and 382 deletions


@ -1,4 +1,2 @@
warn_list: # or 'skip_list' to silence them completely
- '306' # Shells that use pipes should set the pipefail option
exclude_paths:
- tests/roles/


@ -1,18 +1,9 @@
# SPDX-License-Identifier: MIT
---
extends: .yamllint_defaults.yml
# possible customizations over the base yamllint config
# skip the yaml files in the /tests/ directory
# NOTE: If you want to customize `ignore` you'll have to
# copy in all of the config from .yamllint.yml, then
# add your own - so if you want to just add /tests/ to
# be ignored, you'll have to add the ignores from the base
ignore: |
/.tox/
/.github/
# /tests/
/tests/roles/
# skip checking line length
# NOTE: the above does not apply to `rules` - you do not
# have to copy all of the rules from the base config
rules:
line-length: disable


@ -1,16 +0,0 @@
# SPDX-License-Identifier: MIT
---
ignore: |
/.tox/
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
truthy:
allowed-values: ["yes", "no", "true", "false"]
level: error
document-start: disable


@ -307,14 +307,14 @@ provides. Running it will likely break your SSH access to the server!
ListenAddress:
- "0.0.0.0"
- "::"
GSSAPIAuthentication: no
GSSAPIAuthentication: false
Match:
- Condition: "Group user"
GSSAPIAuthentication: yes
sshd_UsePrivilegeSeparation: no
GSSAPIAuthentication: true
sshd_UsePrivilegeSeparation: false
sshd_match:
- Condition: "Group xusers"
X11Forwarding: yes
X11Forwarding: true
roles:
- role: willshersystems.sshd
```
@ -350,14 +350,14 @@ for example:
ListenAddress:
- "0.0.0.0"
- "::"
GSSAPIAuthentication: no
GSSAPIAuthentication: false
Match:
- Condition: "Group user"
GSSAPIAuthentication: yes
sshd_UsePrivilegeSeparation: no
GSSAPIAuthentication: true
sshd_UsePrivilegeSeparation: false
sshd_match:
- Condition: "Group xusers"
X11Forwarding: yes
X11Forwarding: true
```
You can just add a configuration snippet with the `sshd_config_namespace`


@ -1,14 +1,15 @@
---
- hosts: all
- name: Manage environment variables
hosts: all
tasks:
- name: Configure sshd to accept some useful environment variables
include_role:
name: ansible-sshd
vars:
sshd_config_namespace: accept-env
sshd:
# there are some handy environment variables to accept
AcceptEnv:
LANG
LS_COLORS
EDITOR
- name: Configure sshd to accept some useful environment variables
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_config_namespace: accept-env
sshd:
# there are some handy environment variables to accept
AcceptEnv:
LANG
LS_COLORS
EDITOR


@ -1,15 +1,16 @@
---
- hosts: all
- name: Manage root login
hosts: all
tasks:
- name: Configure sshd to prevent root and password login except from particular subnet
include_role:
name: ansible-sshd
vars:
sshd:
# root login and password login is enabled only from a particular subnet
PermitRootLogin: no
PasswordAuthentication: no
Match:
- Condition: "Address 192.0.2.0/24"
PermitRootLogin: yes
PasswordAuthentication: yes
- name: Configure sshd to prevent root and password login except from particular subnet
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd:
# root login and password login is enabled only from a particular subnet
PermitRootLogin: false
PasswordAuthentication: false
Match:
- Condition: "Address 192.0.2.0/24"
PermitRootLogin: true
PasswordAuthentication: true


@ -10,7 +10,7 @@
block: |
{{ __sshd_compat_match_all }}
{{ lookup('template', 'sshd_config_snippet.j2') }}
create: yes
create: true
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
validate: >-
{% if not __sshd_supports_validate %}


@ -44,3 +44,4 @@
- ansible_connection == 'chroot'
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version|int >= 7
changed_when: true


@ -30,14 +30,16 @@
- ansible_facts['os_family'] == "RedHat"
- name: Reinstall manual pages for openssh-server on RHEL
ansible.builtin.command: "{{ pkg_mgr|quote }} reinstall -y openssh-server"
ansible.builtin.command: "{{ pkg_mgr | quote }} reinstall -y openssh-server"
when:
- ansible_facts['os_family'] == "RedHat"
changed_when: true
- name: Unminimize image on Debian. It looks like there is no simpler way to get manual pages
ansible.builtin.shell: yes | unminimize
ansible.builtin.shell: set -eu; set -o pipefail || echo no pipefail; yes | unminimize
when:
- ansible_facts['distribution'] == "Ubuntu"
changed_when: true
- name: Make sure manual pages and bash are installed on Alpine
ansible.builtin.package:
@ -61,7 +63,8 @@
- name: Get list of options from manual page
ansible.builtin.shell: >-
man sshd_config | cat
set -eu; set -o pipefail || echo no pipefail; man sshd_config | cat
changed_when: false
- name: Get list of options from manual page
ansible.builtin.shell: >-
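Review bot: `yes | unminimize` on the new side of the first hunk now runs under `set -o pipefail`, and `yes` is normally terminated by SIGPIPE once unminimize stops reading its stdin, so on a shell where pipefail actually takes effect the pipeline can return a non-zero status (typically 141) and fail the task even though unminimize completed. The `|| echo no pipefail` fallback also only helps on shells that treat an unknown `set -o` option as a recoverable error; I would not assume that for the default `/bin/sh` of the Ubuntu hosts this task targets, so please verify it on the CI images. The pipe is not needed at all: `ansible.builtin.command: unminimize` with `stdin: "y"` answers the prompt without involving a shell, assuming unminimize asks for a single confirmation. The `man sshd_config | cat` form in the second hunk is fine under pipefail, since `cat` drains its input.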


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test alternative config file
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -20,7 +21,7 @@
name: nobody
group: nobody
comment: nobody
create_home: no
create_home: false
shell: /sbin/nologin
- name: Configure alternative sshd_config file
@ -36,7 +37,7 @@
AcceptEnv: LANG
Banner: /etc/issue
Ciphers: aes256-ctr
sshd_Compression: no # noqa var-naming
sshd_Compression: false # noqa var-naming
- name: Configure second alternative sshd_config file
ansible.builtin.include_role:
@ -60,9 +61,10 @@
Ciphers: aes192-ctr
HostKey:
- /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no # noqa var-naming
sshd_PasswordAuthentication: false # noqa var-naming
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -179,7 +181,6 @@
- config_stat.stat.gr_name == 'nobody'
- config_stat.stat.pw_name == 'nobody'
- config_stat.stat.mode == '0660'
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test alternative role file - setup tasks
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -20,11 +21,12 @@
name: nobody
group: nobody
comment: nobody
create_home: no
create_home: false
shell: /sbin/nologin
# Configure alternative sshd_config file
- hosts: all
- name: Test first alternative role file
hosts: all
roles:
- ansible-sshd
vars:
@ -37,10 +39,11 @@
AcceptEnv: LANG
Banner: /etc/issue
Ciphers: aes256-ctr
sshd_Compression: no # noqa var-naming
sshd_Compression: false # noqa var-naming
# Configure second alternative sshd_config file
- hosts: all
- name: Test first alternative role file
hosts: all
roles:
- ansible-sshd
vars:
@ -53,7 +56,8 @@
sshd_MaxStartups: 100 # noqa var-naming
# Now configure the main sshd_config file
- hosts: all
- name: Test main config file
hosts: all
roles:
- ansible-sshd
vars:
@ -63,9 +67,10 @@
Ciphers: aes192-ctr
HostKey:
- /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no # noqa var-naming
sshd_PasswordAuthentication: false # noqa var-naming
- hosts: all
- name: Verify config files are correct
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -74,9 +79,10 @@
- /etc/ssh/sshd_config_custom_second
tasks:
- name: Setup variables
include_tasks: tasks/setup.yml
ansible.builtin.include_tasks: tasks/setup.yml
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -194,7 +200,6 @@
- config_stat.stat.gr_name == 'nobody'
- config_stat.stat.pw_name == 'nobody'
- config_stat.stat.mode == '0660'
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test backups
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test config namespaces
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -16,11 +17,11 @@
sshd_config_file: /etc/ssh/sshd_config
sshd_config_namespace: nm1
sshd:
PasswordAuthentication: yes
PermitRootLogin: yes
PasswordAuthentication: true
PermitRootLogin: true
Match:
Condition: user root
AllowAgentForwarding: no
AllowAgentForwarding: false
- name: Add second configuration block to default configuration file
ansible.builtin.include_role:
@ -29,13 +30,14 @@
sshd_config_file: /etc/ssh/sshd_config
sshd_config_namespace: nm2
sshd:
PasswordAuthentication: no
PermitRootLogin: no
PasswordAuthentication: false
PermitRootLogin: false
Match:
Condition: Address 127.0.0.1
Banner: /etc/issue
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -111,7 +113,6 @@
- "'allowAgentforwarding no' not in nonmatching.stdout"
- "'banner /etc/issue' not in nonmatching.stdout"
- "'passwordauthentication yes' in nonmatching.stdout"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test default - setup
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -8,11 +9,13 @@
- name: "Backup configuration files"
ansible.builtin.include_tasks: tasks/backup.yml
- hosts: all
- name: Test defaults
hosts: all
roles:
- ansible-sshd
- hosts: all
- name: Test default - restore
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test default with include tasks
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test duplicates - setup config1
hosts: all
vars:
sshd_config_file: /etc/ssh/dup_config1
__sshd_test_backup_files:
@ -14,13 +15,15 @@
ansible.builtin.include_role:
name: ansible-sshd
- hosts: all
- name: Test duplicates - default config
hosts: all
tasks:
- name: Configure default config
ansible.builtin.include_role:
name: ansible-sshd
- hosts: all
- name: Test duplicates - setup config2
hosts: all
vars:
sshd_config_file: /etc/ssh/dup_config2
tasks:
@ -30,10 +33,11 @@
public: true
- name: Convert exported variable to fact so that it is available in next plays
set_fact:
ansible.builtin.set_fact:
__sshd_config_file: "{{ __sshd_config_file }}"
- hosts: all
- name: Test duplicate - verify results
hosts: all
tasks:
- name: Get config1 stat
ansible.builtin.stat:


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test managing firewall and selinux from role
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -21,6 +22,7 @@
Port: 22
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -34,7 +36,6 @@
ansible.builtin.assert:
that:
- "'Port 22' in config.content | b64decode"
tags: tests::verify
##########
# Second test: non-default port
@ -50,6 +51,7 @@
Port: 222
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -63,7 +65,6 @@
ansible.builtin.assert:
that:
- "'Port 222' in config.content | b64decode"
tags: tests::verify
##########
# Third test: multiple ports
@ -80,6 +81,7 @@
- 222
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -93,7 +95,6 @@
ansible.builtin.assert:
that:
- "'Port 222' in config.content | b64decode"
tags: tests::verify
##########
# Cleanup
@ -110,7 +111,7 @@
state: disabled
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
- ansible_virtualization_type | default(None) not in __sshd_skip_virt_env
- name: Remove the modification to the selinux policy
ansible.builtin.include_role:
@ -124,4 +125,4 @@
local: true
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
- ansible_virtualization_type | default(None) not in __sshd_skip_virt_env


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test hostkeys
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -23,7 +24,7 @@
name: nobody
group: nobody
comment: nobody
create_home: no
create_home: false
shell: /sbin/nologin
- name: Configure sshd with alternative host keys
@ -39,6 +40,7 @@
- /tmp/ssh_host_rsa_key2
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -71,7 +73,6 @@
- privkey.stat.pw_name == 'nobody'
- privkey.stat.mode == '0664'
- pubkey.stat.exists
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test hostkeys with FIPS
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -16,6 +17,10 @@
name: ansible-sshd
- name: Verify the options are correctly set
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] | int > 6
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -41,17 +46,13 @@
- "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version']|int < 9
- ansible_facts['distribution_major_version'] | int < 9
- name: Check host key was generated
ansible.builtin.assert:
that:
- privkey.stat.exists
- pubkey.stat.exists
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version']|int > 6
tags: tests::verify
- name: Fake FIPS mode
block:
@ -69,11 +70,11 @@
- name: Create a fips_enabled file
ansible.builtin.copy:
dest: "{{ fips_directory.path }}/fips_enabled"
content: 1
content: "1"
mode: "0644"
- name: Bind mount the file where we need it
ansible.builtin.mount:
ansible.posix.mount:
path: /proc/sys/crypto/fips_enabled
src: "{{ fips_directory.path }}/fips_enabled"
opts: bind
@ -98,6 +99,10 @@
name: ansible-sshd
- name: Verify the options are correctly set
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] | int > 6
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -127,15 +132,11 @@
that:
- not privkey.stat.exists
- not pubkey.stat.exists
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version']|int > 6
tags: tests::verify
- name: Remove the FIPS mode indicators
block:
- name: Unmount the file
mount:
ansible.posix.mount:
path: /proc/sys/crypto/fips_enabled
state: unmounted
failed_when: false
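Review bot: The switch to `ansible.posix.mount` for both the bind mount and the unmount of `/proc/sys/crypto/fips_enabled` adds a dependency on the `ansible.posix` collection that the previous (non-existent) builtin name did not declare; I cannot see from this page whether the collection requirements used by the test run list it, so please confirm it is declared where CI installs collections (e.g. a `collections:` entry naming `ansible.posix` in the test requirements file). Without it the FIPS test fails at module resolution rather than at the assertion it is meant to exercise, which would be easy to misread as a role regression.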


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test missing hostkeys
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -10,6 +11,10 @@
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with missing host keys and prevent their creation
when:
- ansible_facts['os_family'] != 'Debian'
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
tags: tests::verify
block:
- name: Configure missing hostkey
ansible.builtin.include_role:
@ -21,7 +26,7 @@
- /tmp/missing_ssh_host_rsa_key
register: role_result
- name: unreachable task
- name: Unreachable task
ansible.builtin.fail:
msg: UNREACH
@ -32,10 +37,6 @@
- ansible_failed_result.msg != 'UNREACH'
- not role_result.changed
msg: "Role has not failed when it should have"
when:
- ansible_facts['os_family'] != 'Debian'
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
tags: tests::verify
- name: Make sure the key was not created
ansible.builtin.file:


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test hostkeys via role - setup
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -23,11 +24,12 @@
name: nobody
group: nobody
comment: nobody
create_home: no
create_home: false
shell: /sbin/nologin
# invoke role through "roles"
- hosts: all
- name: Test hostkeys via role
hosts: all
roles:
- ansible-sshd
vars:
@ -39,7 +41,8 @@
HostKey:
- /tmp/ssh_host_rsa_key2
- hosts: all
- name: Test hostkeys via role - verify
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -50,6 +53,7 @@
ansible.builtin.include_tasks: tasks/setup.yml
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush metadata
ansible.builtin.meta: flush_handlers
@ -82,7 +86,6 @@
- privkey.stat.pw_name == 'nobody'
- privkey.stat.mode == '0664'
- pubkey.stat.exists
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test include present
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -15,8 +16,8 @@
regexp: "^Include"
state: absent
when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
- name: Create a new configuration in drop-in directory
ansible.builtin.include_role:
@ -27,10 +28,14 @@
Banner: /etc/include-issue
Ciphers: aes192-ctr
when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
- name: Verify the options are correctly set
when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -47,6 +52,7 @@
- name: Check content of drop-in configuration file
ansible.builtin.assert:
# noqa no-tabs
that:
- "'Banner /etc/include-issue' in config.content | b64decode"
- "'Ciphers aes192-ctr' in config.content | b64decode"
@ -73,16 +79,11 @@
- "config_main.content | b64decode | regex_search('Subsystem\\ssftp\\s/usr/lib/openssh/sftp-server')"
when: ansible_facts['os_family'] == 'Ubuntu'
when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml
- hosts: all
- name: Test include present - verify
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/custom_sshd_config
@ -93,7 +94,7 @@
ansible.builtin.meta: end_play
when:
ansible_facts['distribution'] != 'Ubuntu'
or ansible_facts['distribution_major_version']|int != 20
or ansible_facts['distribution_major_version'] | int != 20
- name: "Backup configuration files"
ansible.builtin.include_tasks: tasks/backup.yml
@ -101,9 +102,10 @@
- name: Create sample main configuration file
# Normally, this should not be needed. For test, however, we need a file
# different to the one in the first play.
file:
ansible.builtin.file:
path: /etc/ssh/custom_sshd_config
state: touch
mode: '0777'
- name: Create a new configuration in a custom drop-in directory
ansible.builtin.include_role:
@ -117,6 +119,7 @@
Ciphers: aes192-ctr
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -133,6 +136,7 @@
- name: Check content of custom drop-in configuration file
ansible.builtin.assert:
# noqa no-tabs
that:
- "'Banner /etc/include-issue' in custom_drop_in.content | b64decode"
- "'Ciphers aes192-ctr' in custom_drop_in.content | b64decode"
@ -153,13 +157,11 @@
register: drop_in_dir_stat
- name: Check drop in directory mode has been set correctly
assert:
ansible.builtin.assert:
that:
- drop_in_dir_stat.stat.isdir | bool
- drop_in_dir_stat.stat.mode == '0770'
msg: "effective mode: {{ drop_in_dir_stat.stat.mode }}, desired mode: 0770"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test indentation
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -13,13 +14,14 @@
name: ansible-sshd
vars:
sshd:
PasswordAuthentication: yes
PermitRootLogin: yes
PasswordAuthentication: true
PermitRootLogin: true
Match:
Condition: user root
AllowAgentForwarding: no
AllowAgentForwarding: false
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -36,7 +38,5 @@
- "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
- "config.content | b64decode | regex_search('^Match user root\\n\\s+AllowAgentForwarding no$', multiline=True)"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test match blocks
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -18,11 +19,11 @@
sshd:
Match:
Condition: "User xusers"
X11Forwarding: yes
X11Forwarding: true
Banner: /tmp/xusers-banner
sshd_match:
- Condition: "User bot"
AllowTcpForwarding: no
AllowTcpForwarding: false
Banner: /tmp/bot-banner
sshd_match_1:
- Condition: "User sftponly"
@ -30,10 +31,11 @@
ChrootDirectory: "/var/uploads/"
sshd_match_2:
- Condition: "User root"
PasswordAuthentication: no
AllowTcpForwarding: yes
PasswordAuthentication: false
AllowTcpForwarding: true
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -83,7 +85,6 @@
- "'Match User bot' in config.content | b64decode"
- "'Match User sftponly' in config.content | b64decode"
- "'Match User root' in config.content | b64decode"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test match iterate
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -18,20 +19,21 @@
sshd:
Match:
- Condition: "User xusers"
X11Forwarding: yes
X11Forwarding: true
Banner: /tmp/xusers-banner
- Condition: "User bot"
AllowTcpForwarding: no
AllowTcpForwarding: false
Banner: /tmp/bot-banner
sshd_match:
- Condition: "User sftponly"
ForceCommand: "internal-sftp"
ChrootDirectory: "/var/uploads/"
- Condition: "User root"
PasswordAuthentication: no
AllowTcpForwarding: yes
PasswordAuthentication: false
AllowTcpForwarding: true
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -81,7 +83,6 @@
- "'Match User bot' in config.content | b64decode"
- "'Match User sftponly' in config.content | b64decode"
- "'Match User root' in config.content | b64decode"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test OS default settings
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -49,7 +50,7 @@
when: __sshd_defaults.Include is defined
- name: Check drop in directory mode has not changed
assert:
ansible.builtin.assert:
that:
- drop_in_dir_stat.stat.mode == __sshd_drop_in_dir_mode
when: __sshd_defaults.Include is defined


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test precedence
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -27,6 +28,7 @@
sshd_HostKey: /tmp/ssh_host_rsa_key
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush metadata
ansible.builtin.meta: flush_handlers
@ -55,7 +57,6 @@
- "'Banner /etc/good-issue' in config.content | b64decode"
- "'Ciphers aes128-ctr' in config.content | b64decode"
- "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test some common options
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -20,6 +21,7 @@
sshd_config_file: /etc/ssh/sshd_config
- name: Verify the options are correctly set
tags: tests::verify
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -50,7 +52,6 @@
- "'Banner /etc/issue' in config.content | b64decode"
- "'Ciphers aes256-ctr' in config.content | b64decode"
- "'Subsystem sftp internal-sftp' in config.content | b64decode"
tags: tests::verify
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test uncommon options
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -9,6 +10,8 @@
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with uncommon options, making sure it keeps running
when:
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
block:
- name: Configure ssh with unsupported options
ansible.builtin.include_role:
@ -17,20 +20,20 @@
sshd:
# Unsupported in new versions, but ignored ?
Protocol: 1
UsePrivilegeSeparation: no
UseLogin: yes
UsePrivilegeSeparation: false
UseLogin: true
# Debian only
DebianBanner: /etc/motd
# Used in FreeBSD ?
VersionAddendum: FreeBSD-20180909
# HPN only
HPNDisabled: yes
HPNDisabled: true
HPNBufferSize: 2MB
TcpRcvBufPoll: yes
NoneEnabled: yes
TcpRcvBufPoll: true
NoneEnabled: true
# some builds might be without kerberos/GSSAPI
KerberosAuthentication: yes
GSSAPIStoreCredentialsOnRekey: yes
KerberosAuthentication: true
GSSAPIStoreCredentialsOnRekey: true
# SSHv1 options
KeyRegenerationInterval: 1h
ServerKeyBits: 1024
@ -38,7 +41,7 @@
RDomain: 2
register: role_result
- name: unreachable task
- name: Unreachable task
ansible.builtin.fail:
msg: UNREACH
rescue:
@ -48,8 +51,6 @@
- ansible_failed_result.msg != 'UNREACH'
- not role_result.changed
msg: "Role has not failed when it should have"
when:
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Make sure service is still running
ansible.builtin.service:


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test sshd enable
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config


@ -1,5 +1,6 @@
---
- hosts: all
- name: Test sysconfig
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
@ -18,6 +19,11 @@
sshd_sysconfig_use_strong_rng: 32
- name: Verify the options are correctly set
tags: tests::verify
when:
- ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution'] != 'Fedora'
- ansible_facts['distribution_major_version']|int < 9
block:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
@ -74,11 +80,6 @@
- "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode"
- "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode"
- "'RNG=|32|' in evaluation.stdout"
tags: tests::verify
when:
- ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution'] != 'Fedora'
- ansible_facts['distribution_major_version']|int < 9
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml
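Review bot: The `when:` list moved up before `block:` in the first hunk keeps `ansible_facts['distribution_major_version']|int < 9` without spaces around the filter pipe, which is the one place in this commit where the Jinja spacing rule named in the description is not applied (the same expression is written `| int` in the other test playbooks). Change it to `- ansible_facts['distribution_major_version'] | int < 9`. The move itself is behavior-preserving, since `when` on a block applies to every task inside it, so only the formatting needs a follow-up.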


@ -7,8 +7,8 @@ __sshd_sftp_server: /usr/sbin/sftp-server
__sshd_config_group: system
__sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true
sshd_install_service: no
sshd_manage_service: no
sshd_allow_reload: yes
sshd_install_service: false
sshd_manage_service: falselse
sshd_allow_reload: true
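Review bot: `sshd_manage_service: falselse` on the new side is a typo — YAML parses it as the string `falselse`, not the boolean `false`, so it no longer matches the `sshd_install_service: false` and `sshd_allow_reload: true` lines beside it, and depending on how the role consumes the variable a non-empty string can evaluate as truthy and make the role start managing the sshd service on a platform where the old `no` deliberately disabled that. The fix is the one-line change `sshd_manage_service: false`. A yamllint `truthy` rule would not catch this, since the value is simply a string, so it is worth a second look at the other per-OS vars files in this commit for the same slip.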


@ -3,8 +3,8 @@ __sshd_packages:
- openssh
__sshd_defaults:
AuthorizedKeysFile: .ssh/authorized_keys
AllowTcpForwarding: no
GatewayPorts: no
X11Forwarding: no
AllowTcpForwarding: false
GatewayPorts: false
X11Forwarding: false
Subsystem: 'sftp internal-sftp'
__sshd_os_supported: yes
__sshd_os_supported: true


@ -8,11 +8,11 @@ __sshd_defaults:
SyslogFacility: AUTHPRIV
PermitRootLogin: forced-commands-only
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: no
ChallengeResponseAuthentication: no
UsePAM: yes
X11Forwarding: yes
PrintLastLog: yes
PasswordAuthentication: false
ChallengeResponseAuthentication: false
UsePAM: true
X11Forwarding: true
PrintLastLog: true
UsePrivilegeSeparation: sandbox
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@ -20,4 +20,4 @@ __sshd_defaults:
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true


@ -4,8 +4,8 @@ __sshd_packages:
__sshd_sftp_server: /usr/lib/ssh/sftp-server
__sshd_defaults:
AuthorizedKeysFile: .ssh/authorized_keys
ChallengeResponseAuthentication: no
PrintMotd: no
ChallengeResponseAuthentication: false
PrintMotd: false
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true


@ -4,8 +4,8 @@ __sshd_packages:
__sshd_sftp_server: /usr/lib/ssh/sftp-server
__sshd_defaults:
AuthorizedKeysFile: .ssh/authorized_keys
ChallengeResponseAuthentication: no
PrintMotd: no
ChallengeResponseAuthentication: false
PrintMotd: false
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true


@ -6,8 +6,8 @@ __sshd_sftp_server: internal-sftp
__sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}"
ClientAliveInterval: 180
UseDNS: no
UsePAM: yes
PrintLastLog: no
PrintMotd: no
__sshd_os_supported: yes
UseDNS: false
UsePAM: true
PrintLastLog: false
PrintMotd: false
__sshd_os_supported: true


@ -10,28 +10,28 @@ __sshd_defaults:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
UsePrivilegeSeparation: true
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
PermitRootLogin: true
StrictModes: true
RSAAuthentication: true
PubkeyAuthentication: true
IgnoreRhosts: true
RhostsRSAAuthentication: false
HostbasedAuthentication: false
PermitEmptyPasswords: false
ChallengeResponseAuthentication: false
X11Forwarding: true
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
PrintMotd: false
PrintLastLog: true
TCPKeepAlive: true
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -5,11 +5,11 @@ __sshd_packages:
- openssh-sftp-server
__sshd_config_mode: "0644"
__sshd_defaults:
ChallengeResponseAuthentication: no
X11Forwarding: yes
PrintMotd: no
ChallengeResponseAuthentication: false
X11Forwarding: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -5,11 +5,11 @@ __sshd_packages:
- openssh-sftp-server
__sshd_config_mode: "0644"
__sshd_defaults:
ChallengeResponseAuthentication: no
X11Forwarding: yes
PrintMotd: no
ChallengeResponseAuthentication: false
X11Forwarding: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -12,28 +12,28 @@ __sshd_defaults:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: yes
UsePrivilegeSeparation: true
KeyRegenerationInterval: 3600
ServerKeyBits: 1024
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: without-password
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
StrictModes: true
RSAAuthentication: true
PubkeyAuthentication: true
IgnoreRhosts: true
RhostsRSAAuthentication: false
HostbasedAuthentication: false
PermitEmptyPasswords: false
ChallengeResponseAuthentication: false
X11Forwarding: true
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
PrintMotd: false
PrintLastLog: true
TCPKeepAlive: true
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -5,11 +5,11 @@ __sshd_packages:
- openssh-sftp-server
__sshd_config_mode: "0644"
__sshd_defaults:
ChallengeResponseAuthentication: no
X11Forwarding: yes
PrintMotd: no
ChallengeResponseAuthentication: false
X11Forwarding: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -1,5 +1,5 @@
---
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_packages:
- openssh


@ -10,19 +10,19 @@ __sshd_defaults:
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTHPRIV
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
UsePAM: yes
X11Forwarding: yes
PasswordAuthentication: true
ChallengeResponseAuthentication: false
GSSAPIAuthentication: true
GSSAPICleanupCredentials: false
UsePAM: true
X11Forwarding: true
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_sysconfig_supports_crypto_policy: true
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"


@ -1,5 +1,5 @@
---
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_packages:
- openssh


@ -4,4 +4,4 @@ __sshd_config_mode: "0644"
__sshd_sftp_server: /usr/libexec/sftp-server
__sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true


@ -5,7 +5,7 @@ __sshd_sftp_server: /usr/lib64/misc/sftp-server
__sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}"
# Replace tcp keepalive with unspoofable keepalive
TCPKeepAlive: no
TCPKeepAlive: false
ClientAliveInterval: 300
ClientAliveCountMax: 2
# Secure cipher and algorithm settings
@ -18,15 +18,15 @@ __sshd_defaults:
MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
AuthorizedKeysFile: .ssh/authorized_keys
# Security settings
PasswordAuthentication: no
ChallengeResponseAuthentication: no
PermitRootLogin: no
PasswordAuthentication: false
ChallengeResponseAuthentication: false
PermitRootLogin: false
# Login settings
UsePAM: yes
PrintMotd: no
PrintLastLog: yes
UsePAM: true
PrintMotd: false
PrintLastLog: true
# Disable most forwarding types for more security
AllowAgentForwarding: no
AllowTcpForwarding: no
AllowStreamLocalForwarding: no
__sshd_os_supported: yes
AllowAgentForwarding: false
AllowTcpForwarding: false
AllowStreamLocalForwarding: false
__sshd_os_supported: true


@ -5,5 +5,5 @@ __sshd_sftp_server: /usr/libexec/sftp-server
__sshd_defaults:
AuthorizedKeysFile: .ssh/authorized_keys
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_manage_var_run: no
__sshd_os_supported: true
__sshd_manage_var_run: false


@ -11,4 +11,4 @@ __sshd_defaults:
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ed25519_key
__sshd_os_supported: yes
__sshd_os_supported: true


@ -8,18 +8,18 @@ __sshd_defaults:
- /etc/ssh/ssh_host_rsa_key
Protocol: 2
SyslogFacility: AUTHPRIV
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
PasswordAuthentication: true
ChallengeResponseAuthentication: false
GSSAPIAuthentication: true
GSSAPICleanupCredentials: true
UsePAM: true
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
X11Forwarding: yes
X11Forwarding: true
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_sysconfig_supports_use_strong_rng: true
__sshd_compat_match_all: Match address *


@ -10,14 +10,14 @@ __sshd_defaults:
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTHPRIV
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
PasswordAuthentication: true
ChallengeResponseAuthentication: false
GSSAPIAuthentication: true
GSSAPICleanupCredentials: false
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes
X11Forwarding: yes
UsePAM: true
X11Forwarding: true
UsePrivilegeSeparation: sandbox
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@ -25,7 +25,7 @@ __sshd_defaults:
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_sysconfig_supports_use_strong_rng: true
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
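Review bot: The context comment `# Note that UsePAM: no is not supported under RHEL/CentOS` is left in the old `yes`/`no` spelling while the value beneath it is converted to `UsePAM: true`, so the comment no longer matches how the setting is written in this file. Suggest updating it in the same commit to `# Note that UsePAM: false is not supported under RHEL/CentOS. See`. The identical comment appears in the next `__sshd_defaults` hunk (above the second `UsePAM: true` in the following file section) and should be updated there as well.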


@ -10,23 +10,23 @@ __sshd_defaults:
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTHPRIV
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
PermitRootLogin: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
PasswordAuthentication: true
PermitRootLogin: true
ChallengeResponseAuthentication: false
GSSAPIAuthentication: true
GSSAPICleanupCredentials: false
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes
X11Forwarding: yes
PrintMotd: no
UsePAM: true
X11Forwarding: true
PrintMotd: false
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_sysconfig_supports_use_strong_rng: true
__sshd_sysconfig_supports_crypto_policy: true
__sshd_hostkey_group: ssh_keys


@ -1,5 +1,5 @@
---
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_packages:
- openssh


@ -9,16 +9,16 @@ __sshd_defaults:
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTH
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
UsePAM: yes
X11Forwarding: yes
PasswordAuthentication: true
ChallengeResponseAuthentication: false
GSSAPIAuthentication: true
GSSAPICleanupCredentials: false
UsePAM: true
X11Forwarding: true
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true


@ -10,27 +10,27 @@ __sshd_defaults:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
UsePrivilegeSeparation: true
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
PermitRootLogin: true
StrictModes: true
RSAAuthentication: true
PubkeyAuthentication: true
IgnoreRhosts: true
RhostsRSAAuthentication: false
HostbasedAuthentication: false
PermitEmptyPasswords: false
ChallengeResponseAuthentication: false
X11Forwarding: true
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
PrintMotd: false
PrintLastLog: true
TCPKeepAlive: true
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true


@ -12,27 +12,27 @@ __sshd_defaults:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: yes
UsePrivilegeSeparation: true
KeyRegenerationInterval: 3600
ServerKeyBits: 1024
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: without-password
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
StrictModes: true
RSAAuthentication: true
PubkeyAuthentication: true
IgnoreRhosts: true
RhostsRSAAuthentication: false
HostbasedAuthentication: false
PermitEmptyPasswords: false
ChallengeResponseAuthentication: false
X11Forwarding: true
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
PrintMotd: false
PrintLastLog: true
TCPKeepAlive: true
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
__sshd_os_supported: yes
UsePAM: true
__sshd_os_supported: true


@ -12,29 +12,29 @@ __sshd_defaults:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: yes
UsePrivilegeSeparation: true
KeyRegenerationInterval: 3600
ServerKeyBits: 1024
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: prohibit-password
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
StrictModes: true
RSAAuthentication: true
PubkeyAuthentication: true
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
IgnoreRhosts: true
RhostsRSAAuthentication: false
HostbasedAuthentication: false
PermitEmptyPasswords: false
ChallengeResponseAuthentication: false
X11Forwarding: true
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
PrintMotd: false
PrintLastLog: true
TCPKeepAlive: true
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
UsePAM: yes
UseDNS: no
__sshd_os_supported: yes
UsePAM: true
UseDNS: false
__sshd_os_supported: true


@ -5,12 +5,12 @@ __sshd_packages:
- openssh-sftp-server
__sshd_config_mode: "0644"
__sshd_defaults:
PasswordAuthentication: no
ChallengeResponseAuthentication: no
UsePAM: yes
X11Forwarding: yes
PrintMotd: no
PasswordAuthentication: false
ChallengeResponseAuthentication: false
UsePAM: true
X11Forwarding: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -5,11 +5,11 @@ __sshd_packages:
- openssh-sftp-server
__sshd_config_mode: "0644"
__sshd_defaults:
ChallengeResponseAuthentication: no
UsePAM: yes
X11Forwarding: yes
PrintMotd: no
ChallengeResponseAuthentication: false
UsePAM: true
X11Forwarding: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server"
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_runtime_directory: /run/sshd


@ -1,5 +1,5 @@
---
__sshd_os_supported: yes
__sshd_os_supported: true
__sshd_service: ssh
__sshd_packages:
@ -12,8 +12,8 @@ __sshd_config_mode: "0644"
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_defaults:
Include: /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication: no
UsePAM: yes
KbdInteractiveAuthentication: false
UsePAM: true
AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server"


@ -27,7 +27,7 @@ __sshd_service: sshd
__sshd_sftp_server: /usr/lib/openssh/sftp-server
__sshd_defaults: {}
__sshd_os_supported: no
__sshd_os_supported: false
__sshd_sysconfig_supports_crypto_policy: false
__sshd_sysconfig_supports_use_strong_rng: false


@ -4,11 +4,11 @@ __sshd_packages:
__sshd_sftp_server: /usr/lib/ssh/sftp-server
__sshd_defaults:
AuthorizedKeysFile: .ssh/authorized_keys
UsePAM: yes
X11Forwarding: yes
UsePAM: true
X11Forwarding: true
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL
Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_os_supported: true