ansible-lint - align with current Ansible recommendations

Use `true/false` instead of `yes/no`
Ensure use of FQCN for builtin modules
Use correct spacing in Jinja expressions
All tasks and plays must have a `name`, and the `name` string must begin with an uppercase letter
Use `ansible.posix.mount` instead of `ansible.builtin.mount`
Use `set -o pipefail` with `shell` module where supported by the platform shell

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

.ansible-lint

@@ -1,4 +1,2 @@
-warn_list:  # or 'skip_list' to silence them completely
-  - '306'  # Shells that use pipes should set the pipefail option
 exclude_paths:
   - tests/roles/

.yamllint.yml

@@ -1,18 +1,9 @@
 # SPDX-License-Identifier: MIT
 ---
-extends: .yamllint_defaults.yml
-# possible customizations over the base yamllint config
-# skip the yaml files in the /tests/ directory
-# NOTE: If you want to customize `ignore` you'll have to
-# copy in all of the config from .yamllint.yml, then
-# add your own - so if you want to just add /tests/ to
-# be ignored, you'll have to add the ignores from the base
 ignore: |
   /.tox/
   /.github/
-# /tests/
+  /tests/roles/
 # skip checking line length
-# NOTE: the above does not apply to `rules` - you do not
-# have to copy all of the rules from the base config
 rules:
   line-length: disable

.yamllint_defaults.yml

@@ -1,16 +0,0 @@
-# SPDX-License-Identifier: MIT
----
-ignore: |
-  /.tox/
-extends: default
-rules:
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  truthy:
-    allowed-values: ["yes", "no", "true", "false"]
-    level: error
-  document-start: disable

README.md

@@ -307,14 +307,14 @@ provides. Running it will likely break your SSH access to the server!
       ListenAddress:
         - "0.0.0.0"
         - "::"
-      GSSAPIAuthentication: no
+      GSSAPIAuthentication: false
       Match:
         - Condition: "Group user"
-          GSSAPIAuthentication: yes
+          GSSAPIAuthentication: true
-    sshd_UsePrivilegeSeparation: no
+    sshd_UsePrivilegeSeparation: false
     sshd_match:
         - Condition: "Group xusers"
-          X11Forwarding: yes
+          X11Forwarding: true
   roles:
     - role: willshersystems.sshd
 ```
@@ -350,14 +350,14 @@ for example:
         ListenAddress:
           - "0.0.0.0"
           - "::"
-        GSSAPIAuthentication: no
+        GSSAPIAuthentication: false
         Match:
           - Condition: "Group user"
-            GSSAPIAuthentication: yes
+            GSSAPIAuthentication: true
-      sshd_UsePrivilegeSeparation: no
+      sshd_UsePrivilegeSeparation: false
       sshd_match:
           - Condition: "Group xusers"
-            X11Forwarding: yes
+            X11Forwarding: true
 ```
 
 You can just add a configuration snippet with the `sshd_config_namespace`

examples/example-accept-env.yml

@@ -1,8 +1,9 @@
 ---
-- hosts: all
+- name: Manage environment variables
+  hosts: all
   tasks:
     - name: Configure sshd to accept some useful environment variables
-    include_role:
+      ansible.builtin.include_role:
         name: ansible-sshd
       vars:
         sshd_config_namespace: accept-env

examples/example-root-login.yml

@@ -1,15 +1,16 @@
 ---
-- hosts: all
+- name: Manage root login
+  hosts: all
   tasks:
     - name: Configure sshd to prevent root and password login except from particular subnet
-    include_role:
+      ansible.builtin.include_role:
         name: ansible-sshd
       vars:
         sshd:
           # root login and password login is enabled only from a particular subnet
-        PermitRootLogin: no
+          PermitRootLogin: false
-        PasswordAuthentication: no
+          PasswordAuthentication: false
           Match:
             - Condition: "Address 192.0.2.0/24"
-            PermitRootLogin: yes
+              PermitRootLogin: true
-            PasswordAuthentication: yes
+              PasswordAuthentication: true

tasks/install_namespace.yml

@@ -10,7 +10,7 @@
     block: |
       {{ __sshd_compat_match_all }}
       {{ lookup('template', 'sshd_config_snippet.j2') }}
-    create: yes
+    create: true
     marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
     validate: >-
       {% if not __sshd_supports_validate %}

tasks/install_service.yml

@@ -44,3 +44,4 @@
     - ansible_connection == 'chroot'
     - ansible_os_family == 'RedHat'
     - ansible_distribution_major_version|int >= 7
+  changed_when: true

tests/tests_all_options.yml

@@ -33,11 +33,13 @@
       ansible.builtin.command: "{{ pkg_mgr | quote }} reinstall -y openssh-server"
       when:
         - ansible_facts['os_family'] == "RedHat"
+      changed_when: true
 
     - name: Unminimize image on Debian. It looks like there is no simpler way to get manual pages
-      ansible.builtin.shell: yes | unminimize
+      ansible.builtin.shell: set -eu; set -o pipefail || echo no pipefail; yes | unminimize
       when:
         - ansible_facts['distribution'] == "Ubuntu"
+      changed_when: true
 
     - name: Make sure manual pages and bash are installed on Alpine
       ansible.builtin.package:
@@ -61,7 +63,8 @@
 
     - name: Get list of options from manual page
       ansible.builtin.shell: >-
-        man sshd_config | cat
+        set -eu; set -o pipefail || echo no pipefail; man sshd_config | cat
+      changed_when: false
 
     - name: Get list of options from manual page
       ansible.builtin.shell: >-

tests/tests_alternative_file.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test alternative config file
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -20,7 +21,7 @@
         name: nobody
         group: nobody
         comment: nobody
-        create_home: no
+        create_home: false
         shell: /sbin/nologin
 
     - name: Configure alternative sshd_config file
@@ -36,7 +37,7 @@
           AcceptEnv: LANG
           Banner: /etc/issue
           Ciphers: aes256-ctr
-        sshd_Compression: no  # noqa var-naming
+        sshd_Compression: false  # noqa var-naming
 
     - name: Configure second alternative sshd_config file
       ansible.builtin.include_role:
@@ -60,9 +61,10 @@
           Ciphers: aes192-ctr
           HostKey:
             - /tmp/ssh_host_ecdsa_key
-        sshd_PasswordAuthentication: no  # noqa var-naming
+        sshd_PasswordAuthentication: false  # noqa var-naming
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -179,7 +181,6 @@
               - config_stat.stat.gr_name == 'nobody'
               - config_stat.stat.pw_name == 'nobody'
               - config_stat.stat.mode == '0660'
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_alternative_file_role.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test alternative role file - setup tasks
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -20,11 +21,12 @@
         name: nobody
         group: nobody
         comment: nobody
-        create_home: no
+        create_home: false
         shell: /sbin/nologin
 
 # Configure alternative sshd_config file
-- hosts: all
+- name: Test first alternative role file
+  hosts: all
   roles:
     - ansible-sshd
   vars:
@@ -37,10 +39,11 @@
       AcceptEnv: LANG
       Banner: /etc/issue
       Ciphers: aes256-ctr
-    sshd_Compression: no  # noqa var-naming
+    sshd_Compression: false  # noqa var-naming
 
 # Configure second alternative sshd_config file
-- hosts: all
+- name: Test first alternative role file
+  hosts: all
   roles:
     - ansible-sshd
   vars:
@@ -53,7 +56,8 @@
     sshd_MaxStartups: 100  # noqa var-naming
 
 # Now configure the main sshd_config file
-- hosts: all
+- name: Test main config file
+  hosts: all
   roles:
     - ansible-sshd
   vars:
@@ -63,9 +67,10 @@
       Ciphers: aes192-ctr
       HostKey:
         - /tmp/ssh_host_ecdsa_key
-    sshd_PasswordAuthentication: no  # noqa var-naming
+    sshd_PasswordAuthentication: false  # noqa var-naming
 
-- hosts: all
+- name: Verify config files are correct
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -74,9 +79,10 @@
       - /etc/ssh/sshd_config_custom_second
   tasks:
     - name: Setup variables
-      include_tasks: tasks/setup.yml
+      ansible.builtin.include_tasks: tasks/setup.yml
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -194,7 +200,6 @@
               - config_stat.stat.gr_name == 'nobody'
               - config_stat.stat.pw_name == 'nobody'
               - config_stat.stat.mode == '0660'
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_backup.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test backups
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config

tests/tests_config_namespace.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test config namespaces
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -16,11 +17,11 @@
         sshd_config_file: /etc/ssh/sshd_config
         sshd_config_namespace: nm1
         sshd:
-          PasswordAuthentication: yes
+          PasswordAuthentication: true
-          PermitRootLogin: yes
+          PermitRootLogin: true
           Match:
             Condition: user root
-            AllowAgentForwarding: no
+            AllowAgentForwarding: false
 
     - name: Add second configuration block to default configuration file
       ansible.builtin.include_role:
@@ -29,13 +30,14 @@
         sshd_config_file: /etc/ssh/sshd_config
         sshd_config_namespace: nm2
         sshd:
-          PasswordAuthentication: no
+          PasswordAuthentication: false
-          PermitRootLogin: no
+          PermitRootLogin: false
           Match:
             Condition: Address 127.0.0.1
             Banner: /etc/issue
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -111,7 +113,6 @@
               - "'allowAgentforwarding no' not in nonmatching.stdout"
               - "'banner /etc/issue' not in nonmatching.stdout"
               - "'passwordauthentication yes' in nonmatching.stdout"
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_default.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test default - setup
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -8,11 +9,13 @@
     - name: "Backup configuration files"
       ansible.builtin.include_tasks: tasks/backup.yml
 
-- hosts: all
+- name: Test defaults
+  hosts: all
   roles:
     - ansible-sshd
 
-- hosts: all
+- name: Test default - restore
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config

tests/tests_default_include.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test default with include tasks
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config

tests/tests_duplicate_role.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test duplicates - setup config1
+  hosts: all
   vars:
     sshd_config_file: /etc/ssh/dup_config1
     __sshd_test_backup_files:
@@ -14,13 +15,15 @@
       ansible.builtin.include_role:
         name: ansible-sshd
 
-- hosts: all
+- name: Test duplicates - default config
+  hosts: all
   tasks:
     - name: Configure default config
       ansible.builtin.include_role:
         name: ansible-sshd
 
-- hosts: all
+- name: Test duplicates - setup config2
+  hosts: all
   vars:
     sshd_config_file: /etc/ssh/dup_config2
   tasks:
@@ -30,10 +33,11 @@
         public: true
 
     - name: Convert exported variable to fact so that it is available in next plays
-      set_fact:
+      ansible.builtin.set_fact:
         __sshd_config_file: "{{ __sshd_config_file }}"
 
-- hosts: all
+- name: Test duplicate - verify results
+  hosts: all
   tasks:
     - name: Get config1 stat
       ansible.builtin.stat:

tests/tests_firewall_selinux.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test managing firewall and selinux from role
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -21,6 +22,7 @@
           Port: 22
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -34,7 +36,6 @@
           ansible.builtin.assert:
             that:
               - "'Port 22' in config.content | b64decode"
-      tags: tests::verify
 
     ##########
     # Second test: non-default port
@@ -50,6 +51,7 @@
           Port: 222
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -63,7 +65,6 @@
           ansible.builtin.assert:
             that:
               - "'Port 222' in config.content | b64decode"
-      tags: tests::verify
 
     ##########
     # Third test: multiple ports
@@ -80,6 +81,7 @@
             - 222
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -93,7 +95,6 @@
           ansible.builtin.assert:
             that:
               - "'Port 222' in config.content | b64decode"
-      tags: tests::verify
 
     ##########
     # Cleanup

tests/tests_hostkeys.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test hostkeys
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -23,7 +24,7 @@
         name: nobody
         group: nobody
         comment: nobody
-        create_home: no
+        create_home: false
         shell: /sbin/nologin
 
     - name: Configure sshd with alternative host keys
@@ -39,6 +40,7 @@
             - /tmp/ssh_host_rsa_key2
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -71,7 +73,6 @@
               - privkey.stat.pw_name == 'nobody'
               - privkey.stat.mode == '0664'
               - pubkey.stat.exists
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_hostkeys_fips.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test hostkeys with FIPS
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -16,6 +17,10 @@
         name: ansible-sshd
 
     - name: Verify the options are correctly set
+      when:
+        - ansible_facts['os_family'] == 'RedHat'
+        - ansible_facts['distribution_major_version'] | int > 6
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -48,10 +53,6 @@
             that:
               - privkey.stat.exists
               - pubkey.stat.exists
-      when:
-        - ansible_facts['os_family'] == 'RedHat'
-        - ansible_facts['distribution_major_version']|int > 6
-      tags: tests::verify
 
     - name: Fake FIPS mode
       block:
@@ -69,11 +70,11 @@
         - name: Create a fips_enabled file
           ansible.builtin.copy:
             dest: "{{ fips_directory.path }}/fips_enabled"
-            content: 1
+            content: "1"
             mode: "0644"
 
         - name: Bind mount the file where we need it
-          ansible.builtin.mount:
+          ansible.posix.mount:
             path: /proc/sys/crypto/fips_enabled
             src: "{{ fips_directory.path }}/fips_enabled"
             opts: bind
@@ -98,6 +99,10 @@
         name: ansible-sshd
 
     - name: Verify the options are correctly set
+      when:
+        - ansible_facts['os_family'] == 'RedHat'
+        - ansible_facts['distribution_major_version'] | int > 6
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -127,15 +132,11 @@
             that:
               - not privkey.stat.exists
               - not pubkey.stat.exists
-      when:
-        - ansible_facts['os_family'] == 'RedHat'
-        - ansible_facts['distribution_major_version']|int > 6
-      tags: tests::verify
 
     - name: Remove the FIPS mode indicators
       block:
         - name: Unmount the file
-          mount:
+          ansible.posix.mount:
             path: /proc/sys/crypto/fips_enabled
             state: unmounted
           failed_when: false

tests/tests_hostkeys_missing.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test missing hostkeys
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -10,6 +11,10 @@
       ansible.builtin.include_tasks: tasks/backup.yml
 
     - name: Configure sshd with missing host keys and prevent their creation
+      when:
+        - ansible_facts['os_family'] != 'Debian'
+        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
+      tags: tests::verify
       block:
         - name: Configure missing hostkey
           ansible.builtin.include_role:
@@ -21,7 +26,7 @@
                 - /tmp/missing_ssh_host_rsa_key
           register: role_result
 
-        - name: unreachable task
+        - name: Unreachable task
           ansible.builtin.fail:
             msg: UNREACH
 
@@ -32,10 +37,6 @@
               - ansible_failed_result.msg != 'UNREACH'
               - not role_result.changed
             msg: "Role has not failed when it should have"
-      when:
-        - ansible_facts['os_family'] != 'Debian'
-        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
-      tags: tests::verify
 
     - name: Make sure the key was not created
       ansible.builtin.file:

tests/tests_hostkeys_role.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test hostkeys via role - setup
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -23,11 +24,12 @@
         name: nobody
         group: nobody
         comment: nobody
-        create_home: no
+        create_home: false
         shell: /sbin/nologin
 
 # invoke role through "roles"
-- hosts: all
+- name: Test hostkeys via role
+  hosts: all
   roles:
     - ansible-sshd
   vars:
@@ -39,7 +41,8 @@
       HostKey:
         - /tmp/ssh_host_rsa_key2
 
-- hosts: all
+- name: Test hostkeys via role - verify
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -50,6 +53,7 @@
       ansible.builtin.include_tasks: tasks/setup.yml
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush metadata
           ansible.builtin.meta: flush_handlers
@@ -82,7 +86,6 @@
               - privkey.stat.pw_name == 'nobody'
               - privkey.stat.mode == '0664'
               - pubkey.stat.exists
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_include_present.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test include present
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -31,6 +32,10 @@
           (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
 
     - name: Verify the options are correctly set
+      when:
+        - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
+          (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22)
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -47,6 +52,7 @@
 
         - name: Check content of drop-in configuration file
           ansible.builtin.assert:
+            # noqa no-tabs
             that:
               - "'Banner /etc/include-issue' in config.content | b64decode"
               - "'Ciphers aes192-ctr' in config.content | b64decode"
@@ -73,16 +79,11 @@
               - "config_main.content | b64decode | regex_search('Subsystem\\ssftp\\s/usr/lib/openssh/sftp-server')"
           when: ansible_facts['os_family'] == 'Ubuntu'
 
-      when:
-        - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
-          (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
-
-      tags: tests::verify
-
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml
 
-- hosts: all
+- name: Test include present - verify
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/custom_sshd_config
@@ -101,9 +102,10 @@
     - name: Create sample main configuration file
       # Normally, this should not be needed. For test, however, we need a file
       # different to the one in the first play.
-      file:
+      ansible.builtin.file:
         path: /etc/ssh/custom_sshd_config
         state: touch
+        mode: '0777'
 
     - name: Create a new configuration in a custom drop-in directory
       ansible.builtin.include_role:
@@ -117,6 +119,7 @@
           Ciphers: aes192-ctr
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -133,6 +136,7 @@
 
         - name: Check content of custom drop-in configuration file
           ansible.builtin.assert:
+            # noqa no-tabs
             that:
               - "'Banner /etc/include-issue' in custom_drop_in.content | b64decode"
               - "'Ciphers aes192-ctr' in custom_drop_in.content | b64decode"
@@ -153,13 +157,11 @@
           register: drop_in_dir_stat
 
         - name: Check drop in directory mode has been set correctly
-          assert:
+          ansible.builtin.assert:
             that:
               - drop_in_dir_stat.stat.isdir | bool
               - drop_in_dir_stat.stat.mode == '0770'
             msg: "effective mode: {{ drop_in_dir_stat.stat.mode }}, desired mode: 0770"
 
-      tags: tests::verify
-
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_indent.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test indentation
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -13,13 +14,14 @@
         name: ansible-sshd
       vars:
         sshd:
-          PasswordAuthentication: yes
+          PasswordAuthentication: true
-          PermitRootLogin: yes
+          PermitRootLogin: true
           Match:
             Condition: user root
-            AllowAgentForwarding: no
+            AllowAgentForwarding: false
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -36,7 +38,5 @@
               - "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
               - "config.content | b64decode | regex_search('^Match user root\\n\\s+AllowAgentForwarding no$', multiline=True)"
 
-      tags: tests::verify
-
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_match.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test match blocks
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -18,11 +19,11 @@
         sshd:
           Match:
             Condition: "User xusers"
-            X11Forwarding: yes
+            X11Forwarding: true
             Banner: /tmp/xusers-banner
         sshd_match:
           - Condition: "User bot"
-            AllowTcpForwarding: no
+            AllowTcpForwarding: false
             Banner: /tmp/bot-banner
         sshd_match_1:
           - Condition: "User sftponly"
@@ -30,10 +31,11 @@
             ChrootDirectory: "/var/uploads/"
         sshd_match_2:
           - Condition: "User root"
-            PasswordAuthentication: no
+            PasswordAuthentication: false
-            AllowTcpForwarding: yes
+            AllowTcpForwarding: true
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -83,7 +85,6 @@
               - "'Match User bot' in config.content | b64decode"
               - "'Match User sftponly' in config.content | b64decode"
               - "'Match User root' in config.content | b64decode"
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_match_iterate.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test match iterate
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -18,20 +19,21 @@
         sshd:
           Match:
             - Condition: "User xusers"
-              X11Forwarding: yes
+              X11Forwarding: true
               Banner: /tmp/xusers-banner
             - Condition: "User bot"
-              AllowTcpForwarding: no
+              AllowTcpForwarding: false
               Banner: /tmp/bot-banner
         sshd_match:
           - Condition: "User sftponly"
             ForceCommand: "internal-sftp"
             ChrootDirectory: "/var/uploads/"
           - Condition: "User root"
-            PasswordAuthentication: no
+            PasswordAuthentication: false
-            AllowTcpForwarding: yes
+            AllowTcpForwarding: true
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -81,7 +83,6 @@
               - "'Match User bot' in config.content | b64decode"
               - "'Match User sftponly' in config.content | b64decode"
               - "'Match User root' in config.content | b64decode"
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_os_defaults.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test OS default settings
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -49,7 +50,7 @@
       when: __sshd_defaults.Include is defined
 
     - name: Check drop in directory mode has not changed
-      assert:
+      ansible.builtin.assert:
         that:
           - drop_in_dir_stat.stat.mode == __sshd_drop_in_dir_mode
       when: __sshd_defaults.Include is defined

tests/tests_precedence.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test precedence
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -27,6 +28,7 @@
         sshd_HostKey: /tmp/ssh_host_rsa_key
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush metadata
           ansible.builtin.meta: flush_handlers
@@ -55,7 +57,6 @@
               - "'Banner /etc/good-issue' in config.content | b64decode"
               - "'Ciphers aes128-ctr' in config.content | b64decode"
               - "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode"
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_set_common.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test some common options
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -20,6 +21,7 @@
         sshd_config_file: /etc/ssh/sshd_config
 
     - name: Verify the options are correctly set
+      tags: tests::verify
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -50,7 +52,6 @@
               - "'Banner /etc/issue' in config.content | b64decode"
               - "'Ciphers aes256-ctr' in config.content | b64decode"
               - "'Subsystem sftp internal-sftp' in config.content | b64decode"
-      tags: tests::verify
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_set_uncommon.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test uncommon options
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -9,6 +10,8 @@
       ansible.builtin.include_tasks: tasks/backup.yml
 
     - name: Configure sshd with uncommon options, making sure it keeps running
+      when:
+        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
       block:
         - name: Configure ssh with unsupported options
           ansible.builtin.include_role:
@@ -17,20 +20,20 @@
             sshd:
               # Unsupported in new versions, but ignored ?
               Protocol: 1
-              UsePrivilegeSeparation: no
+              UsePrivilegeSeparation: false
-              UseLogin: yes
+              UseLogin: true
               # Debian only
               DebianBanner: /etc/motd
               # Used in FreeBSD ?
               VersionAddendum: FreeBSD-20180909
               # HPN only
-              HPNDisabled: yes
+              HPNDisabled: true
               HPNBufferSize: 2MB
-              TcpRcvBufPoll: yes
+              TcpRcvBufPoll: true
-              NoneEnabled: yes
+              NoneEnabled: true
               # some builds might be without kerberos/GSSAPI
-              KerberosAuthentication: yes
+              KerberosAuthentication: true
-              GSSAPIStoreCredentialsOnRekey: yes
+              GSSAPIStoreCredentialsOnRekey: true
               # SSHv1 options
               KeyRegenerationInterval: 1h
               ServerKeyBits: 1024
@@ -38,7 +41,7 @@
               RDomain: 2
           register: role_result
 
-        - name: unreachable task
+        - name: Unreachable task
           ansible.builtin.fail:
             msg: UNREACH
       rescue:
@@ -48,8 +51,6 @@
               - ansible_failed_result.msg != 'UNREACH'
               - not role_result.changed
             msg: "Role has not failed when it should have"
-      when:
-        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
 
     - name: Make sure service is still running
       ansible.builtin.service:

tests/tests_sshd_enable.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test sshd enable
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config

tests/tests_sysconfig.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Test sysconfig
+  hosts: all
   vars:
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
@@ -18,6 +19,11 @@
         sshd_sysconfig_use_strong_rng: 32
 
     - name: Verify the options are correctly set
+      tags: tests::verify
+      when:
+        - ansible_facts['os_family'] == "RedHat"
+        - ansible_facts['distribution'] != 'Fedora'
+        - ansible_facts['distribution_major_version']|int < 9
       block:
         - name: Flush handlers
           ansible.builtin.meta: flush_handlers
@@ -74,11 +80,6 @@
               - "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode"
               - "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode"
               - "'RNG=|32|' in evaluation.stdout"
-      tags: tests::verify
-      when:
-        - ansible_facts['os_family'] == "RedHat"
-        - ansible_facts['distribution'] != 'Fedora'
-        - ansible_facts['distribution_major_version']|int < 9
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

vars/AIX.yml

@@ -7,8 +7,8 @@ __sshd_sftp_server: /usr/sbin/sftp-server
 __sshd_config_group: system
 __sshd_defaults:
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 
-sshd_install_service: no
+sshd_install_service: false
-sshd_manage_service: no
+sshd_manage_service: falselse
-sshd_allow_reload: yes
+sshd_allow_reload: true

vars/Alpine.yml

@@ -3,8 +3,8 @@ __sshd_packages:
   - openssh
 __sshd_defaults:
   AuthorizedKeysFile: .ssh/authorized_keys
-  AllowTcpForwarding: no
+  AllowTcpForwarding: false
-  GatewayPorts: no
+  GatewayPorts: false
-  X11Forwarding: no
+  X11Forwarding: false
   Subsystem: 'sftp internal-sftp'
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Amazon.yml

@@ -8,11 +8,11 @@ __sshd_defaults:
   SyslogFacility: AUTHPRIV
   PermitRootLogin: forced-commands-only
   AuthorizedKeysFile: .ssh/authorized_keys
-  PasswordAuthentication: no
+  PasswordAuthentication: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintLastLog: yes
+  PrintLastLog: true
   UsePrivilegeSeparation: sandbox
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -20,4 +20,4 @@ __sshd_defaults:
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Arch Linux.yml

@@ -4,8 +4,8 @@ __sshd_packages:
 __sshd_sftp_server: /usr/lib/ssh/sftp-server
 __sshd_defaults:
   AuthorizedKeysFile: .ssh/authorized_keys
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  PrintMotd: no
+  PrintMotd: false
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Archlinux.yml

@@ -4,8 +4,8 @@ __sshd_packages:
 __sshd_sftp_server: /usr/lib/ssh/sftp-server
 __sshd_defaults:
   AuthorizedKeysFile: .ssh/authorized_keys
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  PrintMotd: no
+  PrintMotd: false
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Container Linux by CoreOS.yml

@@ -6,8 +6,8 @@ __sshd_sftp_server: internal-sftp
 __sshd_defaults:
   Subsystem: "sftp {{ __sshd_sftp_server }}"
   ClientAliveInterval: 180
-  UseDNS: no
+  UseDNS: false
-  UsePAM: yes
+  UsePAM: true
-  PrintLastLog: no
+  PrintLastLog: false
-  PrintMotd: no
+  PrintMotd: false
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Debian.yml

@@ -10,28 +10,28 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_rsa_key
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
-  UsePrivilegeSeparation: yes
+  UsePrivilegeSeparation: true
   KeyRegenerationInterval: 3600
   ServerKeyBits: 768
   SyslogFacility: AUTH
   LogLevel: INFO
   LoginGraceTime: 120
-  PermitRootLogin: yes
+  PermitRootLogin: true
-  StrictModes: yes
+  StrictModes: true
-  RSAAuthentication: yes
+  RSAAuthentication: true
-  PubkeyAuthentication: yes
+  PubkeyAuthentication: true
-  IgnoreRhosts: yes
+  IgnoreRhosts: true
-  RhostsRSAAuthentication: no
+  RhostsRSAAuthentication: false
-  HostbasedAuthentication: no
+  HostbasedAuthentication: false
-  PermitEmptyPasswords: no
+  PermitEmptyPasswords: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
   X11DisplayOffset: 10
-  PrintMotd: no
+  PrintMotd: false
-  PrintLastLog: yes
+  PrintLastLog: true
-  TCPKeepAlive: yes
+  TCPKeepAlive: true
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Debian_10.yml

@@ -5,11 +5,11 @@ __sshd_packages:
   - openssh-sftp-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintMotd: no
+  PrintMotd: false
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Debian_11.yml

@@ -5,11 +5,11 @@ __sshd_packages:
   - openssh-sftp-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintMotd: no
+  PrintMotd: false
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Debian_8.yml

@@ -12,28 +12,28 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
     - /etc/ssh/ssh_host_ed25519_key
-  UsePrivilegeSeparation: yes
+  UsePrivilegeSeparation: true
   KeyRegenerationInterval: 3600
   ServerKeyBits: 1024
   SyslogFacility: AUTH
   LogLevel: INFO
   LoginGraceTime: 120
   PermitRootLogin: without-password
-  StrictModes: yes
+  StrictModes: true
-  RSAAuthentication: yes
+  RSAAuthentication: true
-  PubkeyAuthentication: yes
+  PubkeyAuthentication: true
-  IgnoreRhosts: yes
+  IgnoreRhosts: true
-  RhostsRSAAuthentication: no
+  RhostsRSAAuthentication: false
-  HostbasedAuthentication: no
+  HostbasedAuthentication: false
-  PermitEmptyPasswords: no
+  PermitEmptyPasswords: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
   X11DisplayOffset: 10
-  PrintMotd: no
+  PrintMotd: false
-  PrintLastLog: yes
+  PrintLastLog: true
-  TCPKeepAlive: yes
+  TCPKeepAlive: true
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Debian_9.yml

@@ -5,11 +5,11 @@ __sshd_packages:
   - openssh-sftp-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintMotd: no
+  PrintMotd: false
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Fedora.yml

@@ -1,5 +1,5 @@
 ---
-__sshd_os_supported: yes
+__sshd_os_supported: true
 
 __sshd_packages:
   - openssh

vars/Fedora_31.yml

@@ -10,19 +10,19 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_ed25519_key
   SyslogFacility: AUTHPRIV
   AuthorizedKeysFile: .ssh/authorized_keys
-  PasswordAuthentication: yes
+  PasswordAuthentication: true
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  GSSAPIAuthentication: yes
+  GSSAPIAuthentication: true
-  GSSAPICleanupCredentials: no
+  GSSAPICleanupCredentials: false
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
     - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"

vars/Fedora_37.yml

@@ -1,5 +1,5 @@
 ---
-__sshd_os_supported: yes
+__sshd_os_supported: true
 
 __sshd_packages:
   - openssh

vars/FreeBSD.yml

@@ -4,4 +4,4 @@ __sshd_config_mode: "0644"
 __sshd_sftp_server: /usr/libexec/sftp-server
 __sshd_defaults:
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Gentoo.yml

@@ -5,7 +5,7 @@ __sshd_sftp_server: /usr/lib64/misc/sftp-server
 __sshd_defaults:
   Subsystem: "sftp {{ __sshd_sftp_server }}"
   # Replace tcp keepalive with unspoofable keepalive
-  TCPKeepAlive: no
+  TCPKeepAlive: false
   ClientAliveInterval: 300
   ClientAliveCountMax: 2
   # Secure cipher and algorithm settings
@@ -18,15 +18,15 @@ __sshd_defaults:
   MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
   AuthorizedKeysFile: .ssh/authorized_keys
   # Security settings
-  PasswordAuthentication: no
+  PasswordAuthentication: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  PermitRootLogin: no
+  PermitRootLogin: false
   # Login settings
-  UsePAM: yes
+  UsePAM: true
-  PrintMotd: no
+  PrintMotd: false
-  PrintLastLog: yes
+  PrintLastLog: true
   # Disable most forwarding types for more security
-  AllowAgentForwarding: no
+  AllowAgentForwarding: false
-  AllowTcpForwarding: no
+  AllowTcpForwarding: false
-  AllowStreamLocalForwarding: no
+  AllowStreamLocalForwarding: false
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/OpenBSD.yml

@@ -5,5 +5,5 @@ __sshd_sftp_server: /usr/libexec/sftp-server
 __sshd_defaults:
   AuthorizedKeysFile: .ssh/authorized_keys
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
-__sshd_manage_var_run: no
+__sshd_manage_var_run: false

vars/OpenWrt.yml

@@ -11,4 +11,4 @@ __sshd_defaults:
   HostKey:
     - /etc/ssh/ssh_host_rsa_key
     - /etc/ssh/ssh_host_ed25519_key
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/RedHat_6.yml

@@ -8,18 +8,18 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_rsa_key
   Protocol: 2
   SyslogFacility: AUTHPRIV
-  PasswordAuthentication: yes
+  PasswordAuthentication: true
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  GSSAPIAuthentication: yes
+  GSSAPIAuthentication: true
-  GSSAPICleanupCredentials: yes
+  GSSAPICleanupCredentials: true
-  UsePAM: yes
+  UsePAM: true
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
     - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
-  X11Forwarding: yes
+  X11Forwarding: true
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_compat_match_all: Match address *

vars/RedHat_7.yml

@@ -10,14 +10,14 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_ed25519_key
   SyslogFacility: AUTHPRIV
   AuthorizedKeysFile: .ssh/authorized_keys
-  PasswordAuthentication: yes
+  PasswordAuthentication: true
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  GSSAPIAuthentication: yes
+  GSSAPIAuthentication: true
-  GSSAPICleanupCredentials: no
+  GSSAPICleanupCredentials: false
   # Note that UsePAM: no is not supported under RHEL/CentOS. See
   # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
   UsePrivilegeSeparation: sandbox
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -25,7 +25,7 @@ __sshd_defaults:
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"

vars/RedHat_8.yml

@@ -10,23 +10,23 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_ed25519_key
   SyslogFacility: AUTHPRIV
   AuthorizedKeysFile: .ssh/authorized_keys
-  PasswordAuthentication: yes
+  PasswordAuthentication: true
-  PermitRootLogin: yes
+  PermitRootLogin: true
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  GSSAPIAuthentication: yes
+  GSSAPIAuthentication: true
-  GSSAPICleanupCredentials: no
+  GSSAPICleanupCredentials: false
   # Note that UsePAM: no is not supported under RHEL/CentOS. See
   # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintMotd: no
+  PrintMotd: false
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
     - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys

vars/RedHat_9.yml

@@ -1,5 +1,5 @@
 ---
-__sshd_os_supported: yes
+__sshd_os_supported: true
 
 __sshd_packages:
   - openssh

vars/Suse.yml

@@ -9,16 +9,16 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_ed25519_key
   SyslogFacility: AUTH
   AuthorizedKeysFile: .ssh/authorized_keys
-  PasswordAuthentication: yes
+  PasswordAuthentication: true
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  GSSAPIAuthentication: yes
+  GSSAPIAuthentication: true
-  GSSAPICleanupCredentials: no
+  GSSAPICleanupCredentials: false
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
     - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Ubuntu_12.yml

@@ -10,27 +10,27 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_rsa_key
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
-  UsePrivilegeSeparation: yes
+  UsePrivilegeSeparation: true
   KeyRegenerationInterval: 3600
   ServerKeyBits: 768
   SyslogFacility: AUTH
   LogLevel: INFO
   LoginGraceTime: 120
-  PermitRootLogin: yes
+  PermitRootLogin: true
-  StrictModes: yes
+  StrictModes: true
-  RSAAuthentication: yes
+  RSAAuthentication: true
-  PubkeyAuthentication: yes
+  PubkeyAuthentication: true
-  IgnoreRhosts: yes
+  IgnoreRhosts: true
-  RhostsRSAAuthentication: no
+  RhostsRSAAuthentication: false
-  HostbasedAuthentication: no
+  HostbasedAuthentication: false
-  PermitEmptyPasswords: no
+  PermitEmptyPasswords: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
   X11DisplayOffset: 10
-  PrintMotd: no
+  PrintMotd: false
-  PrintLastLog: yes
+  PrintLastLog: true
-  TCPKeepAlive: yes
+  TCPKeepAlive: true
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Ubuntu_14.yml

@@ -12,27 +12,27 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
     - /etc/ssh/ssh_host_ed25519_key
-  UsePrivilegeSeparation: yes
+  UsePrivilegeSeparation: true
   KeyRegenerationInterval: 3600
   ServerKeyBits: 1024
   SyslogFacility: AUTH
   LogLevel: INFO
   LoginGraceTime: 120
   PermitRootLogin: without-password
-  StrictModes: yes
+  StrictModes: true
-  RSAAuthentication: yes
+  RSAAuthentication: true
-  PubkeyAuthentication: yes
+  PubkeyAuthentication: true
-  IgnoreRhosts: yes
+  IgnoreRhosts: true
-  RhostsRSAAuthentication: no
+  RhostsRSAAuthentication: false
-  HostbasedAuthentication: no
+  HostbasedAuthentication: false
-  PermitEmptyPasswords: no
+  PermitEmptyPasswords: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
   X11DisplayOffset: 10
-  PrintMotd: no
+  PrintMotd: false
-  PrintLastLog: yes
+  PrintLastLog: true
-  TCPKeepAlive: yes
+  TCPKeepAlive: true
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Ubuntu_16.yml

@@ -12,29 +12,29 @@ __sshd_defaults:
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
     - /etc/ssh/ssh_host_ed25519_key
-  UsePrivilegeSeparation: yes
+  UsePrivilegeSeparation: true
   KeyRegenerationInterval: 3600
   ServerKeyBits: 1024
   SyslogFacility: AUTH
   LogLevel: INFO
   LoginGraceTime: 120
   PermitRootLogin: prohibit-password
-  StrictModes: yes
+  StrictModes: true
-  RSAAuthentication: yes
+  RSAAuthentication: true
-  PubkeyAuthentication: yes
+  PubkeyAuthentication: true
   AuthorizedKeysFile: "%h/.ssh/authorized_keys"
-  IgnoreRhosts: yes
+  IgnoreRhosts: true
-  RhostsRSAAuthentication: no
+  RhostsRSAAuthentication: false
-  HostbasedAuthentication: no
+  HostbasedAuthentication: false
-  PermitEmptyPasswords: no
+  PermitEmptyPasswords: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  X11Forwarding: yes
+  X11Forwarding: true
   X11DisplayOffset: 10
-  PrintMotd: no
+  PrintMotd: false
-  PrintLastLog: yes
+  PrintLastLog: true
-  TCPKeepAlive: yes
+  TCPKeepAlive: true
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-  UsePAM: yes
+  UsePAM: true
-  UseDNS: no
+  UseDNS: false
-__sshd_os_supported: yes
+__sshd_os_supported: true

vars/Ubuntu_18.yml

@@ -5,12 +5,12 @@ __sshd_packages:
   - openssh-sftp-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
-  PasswordAuthentication: no
+  PasswordAuthentication: false
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintMotd: no
+  PrintMotd: false
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Ubuntu_20.yml

@@ -5,11 +5,11 @@ __sshd_packages:
   - openssh-sftp-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
-  ChallengeResponseAuthentication: no
+  ChallengeResponseAuthentication: false
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
-  PrintMotd: no
+  PrintMotd: false
   AcceptEnv: LANG LC_*
   Subsystem: "sftp  /usr/lib/openssh/sftp-server"
-__sshd_os_supported: yes
+__sshd_os_supported: true
 __sshd_runtime_directory: /run/sshd

vars/Ubuntu_22.yml

@@ -1,5 +1,5 @@
 ---
-__sshd_os_supported: yes
+__sshd_os_supported: true
 
 __sshd_service: ssh
 __sshd_packages:
@@ -12,8 +12,8 @@ __sshd_config_mode: "0644"
 # the defaults here represent the defaults shipped in the main sshd_config
 __sshd_defaults:
   Include: /etc/ssh/sshd_config.d/*.conf
-  KbdInteractiveAuthentication: no
+  KbdInteractiveAuthentication: false
-  UsePAM: yes
+  UsePAM: true
   AcceptEnv: LANG LC_*
   Subsystem: "sftp  /usr/lib/openssh/sftp-server"
 

vars/main.yml

@@ -27,7 +27,7 @@ __sshd_service: sshd
 __sshd_sftp_server: /usr/lib/openssh/sftp-server
 
 __sshd_defaults: {}
-__sshd_os_supported: no
+__sshd_os_supported: false
 __sshd_sysconfig_supports_crypto_policy: false
 __sshd_sysconfig_supports_use_strong_rng: false
 

vars/openSUSE Leap_15.yml

@@ -4,11 +4,11 @@ __sshd_packages:
 __sshd_sftp_server: /usr/lib/ssh/sftp-server
 __sshd_defaults:
   AuthorizedKeysFile: .ssh/authorized_keys
-  UsePAM: yes
+  UsePAM: true
-  X11Forwarding: yes
+  X11Forwarding: true
   AcceptEnv:
     - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
     - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
     - LC_IDENTIFICATION LC_ALL
   Subsystem: "sftp {{ __sshd_sftp_server }}"
-__sshd_os_supported: yes
+__sshd_os_supported: true