Add support for sysconfig on Fedora/RHEL

This is useful for opting out from system-wide cryto policy for SSH or configuring advanced use case (strong RNG seed). Fixes: #141
2025-01-09 00:40:19 +01:00 · 2020-10-06 21:11:35 +02:00 · 2020-10-06 21:11:35 +02:00 · 71b3f87308
commit 71b3f87308
parent b6e9e863d7
8 changed files with 47 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -23,6 +23,19 @@ sshd_allow_reload: true
 # If the below is true, create a backup of the config file when the template is copied
 sshd_backup: true

+# If the below is true, also install the sysconfig file with the below options
+# (useful only on Fedora and RHEL)
+sshd_sysconfig: false
+
+# If the below is true the role will override also crypto policy configuration
+sshd_sysconfig_override_crypto_policy: false
+
+# If the below is set to non-zero value, the OpenSSL random generator is
+# reseeded with the given amount of random bytes (from getrandom(2)
+# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.
+# This is not recommended to enable if you do not have hadware random generator
+sshd_sysconfig_use_strong_rng: 0
+
 # Empty dicts to avoid errors
 sshd: {}

@ -43,3 +56,6 @@ __sshd_service: sshd
 __sshd_sftp_server: /usr/lib/openssh/sftp-server
 __sshd_defaults: {}
 __sshd_os_supported: no
+__sshd_sysconfig: false
+__sshd_sysconfig_supports_crypto_policy: false
+__sshd_sysconfig_supports_use_strong_rng: false
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -20,6 +20,18 @@
    backup: "{{ sshd_backup }}"
  notify: reload_sshd

+- name: Sysconfig configuration
+  template:
+    src: sysconfig.j2
+    dest: "/etc/sysconfig/sshd"
+    owner: "root"
+    group: "root"
+    mode: "600"
+    backup: "{{ sshd_backup }}"
+  when:
+    - sshd_sysconfig|bool
+  notify: reload_sshd
+
 - name: Install systemd service files
  block:
    - name: Install service unit file
--- a/tasks/variables.yml
+++ b/tasks/variables.yml
@ -60,3 +60,7 @@
      set_fact:
        sshd_sftp_server: "{{ __sshd_sftp_server }}"
      when: sshd_sftp_server is not defined
+    - name: Define sshd_sysconfig
+      set_fact:
+        sshd_sysconfig: "{{ __sshd_sysconfig }}"
+      when: sshd_sysconfig is not defined
--- a/templates/sysconfig.j2
+++ b/templates/sysconfig.j2
@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+{% if __sshd_sysconfig_supports_crypto_policy %}
+{%   if sshd_sysconfig_override_crypto_policy == true %}
+CRYPTO_POLICY=
+{%   endif %}
+{% endif %}
+
+{% if __sshd_sysconfig_supports_use_strong_rng %}
+SSH_USE_STRONG_RNG={{ sshd_sysconfig_use_strong_rng }}
+{% endif %}
--- a/vars/Fedora_31.yml
+++ b/vars/Fedora_31.yml
@ -23,3 +23,4 @@ __sshd_defaults:
    - XMODIFIERS
  Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_crypto_policy: true
--- a/vars/RedHat_6.yml
+++ b/vars/RedHat_6.yml
@ -19,3 +19,4 @@ __sshd_defaults:
  X11Forwarding: yes
  Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_use_strong_rng: true
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@ -26,3 +26,4 @@ __sshd_defaults:
    - XMODIFIERS
  Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_use_strong_rng: true
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@ -26,3 +26,5 @@ __sshd_defaults:
    - XMODIFIERS
  Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_use_strong_rng: true
+__sshd_sysconfig_supports_crypto_policy: true