From 74026ba2f839ab1d5715682f6ba649f69ac7c16d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 2 May 2022 18:38:50 +0200
Subject: [PATCH] Add support for Ubuntu 22 with drop-in directory
Signed-off-by: Jakub Jelen
---
 README.md | 4 ++--
 meta/main.yml | 1 +
 tests/tasks/setup.yml | 4 ++--
 tests/tests_alternative_file.yml | 11 +++++++++++
 tests/tests_alternative_file_role.yml | 12 ++++++++++++
 tests/tests_include_present.yml | 26 +++++++++++++++++++++-----
 vars/Ubuntu_22.yml | 23 +++++++++++++++++++++++
 7 files changed, 72 insertions(+), 9 deletions(-)
 create mode 100644 vars/Ubuntu_22.yml
diff --git a/README.md b/README.md
index a8841b7..958a776 100644
--- a/README.md
+++ b/README.md
@@ -29,13 +29,13 @@ Requirements
 Tested on:
-* Ubuntu precise, trusty, xenial, bionic, focal
+* Ubuntu precise, trusty, xenial, bionic, focal, jammy
 * [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
 * Debian wheezy, jessie, stretch, buster, bullseye
 * [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
 * EL 6, 7, 8, 9 derived distributions
 * [![Run tests on CentOS](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml)
-* Fedora 31, 32, 33, 34
+* All Fedora
 * [![Run tests on Fedora latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml)
 * FreeBSD 10.1
 * OpenBSD 6.0
diff --git a/meta/main.yml b/meta/main.yml
index d7dff24..0ee0184 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -20,6 +20,7 @@ galaxy_info:
 - xenial
 - bionic
 - focal
+ - jammy
 - name: FreeBSD
 version:
 - 10.1
diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
index ca75940..e565808 100644
--- a/tests/tasks/setup.yml
+++ b/tests/tasks/setup.yml
@@ -26,5 +26,5 @@
 main_sshd_config_name: 00-ansible_system_role.conf
 main_sshd_config_path: /etc/ssh/sshd_config.d/
 when:
- - ansible_facts['os_family'] == 'RedHat'
- - ansible_facts['distribution_major_version']|int > 8
+ - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+ (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 45c5d76..ebf54f5 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -130,6 +130,17 @@
 - "'UsePAM yes' in config.content | b64decode"
 when:
 - ansible_facts['os_family'] == 'Debian'
+ - ansible_facts['distribution_major_version']|int < 22
+
+ - name: Check Ubuntu 22 defaults are present in the first configuration file
+ assert:
+ that:
+ - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
+ - "'KbdInteractiveAuthentication no' in config.content | b64decode"
+ - "'UsePAM yes' in config.content | b64decode"
+ when:
+ - ansible_facts['distribution'] == 'Ubuntu'
+ - ansible_facts['distribution_major_version']|int >= 22
 - name: Check content of second configuration file
 assert:
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index d055cdf..dd95b1c 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
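Review bot: In tests/tasks/setup.yml the new Ubuntu clause uses `distribution_major_version|int >= 22`, so every later Ubuntu release is sent down the drop-in path, while this commit adds role variables only as vars/Ubuntu_22.yml. How the role selects its vars file is not visible in this diff; if it matches on the exact major version, a later release would be tested against `/etc/ssh/sshd_config.d/` without the role writing there, so either gate on `== 22` or confirm the fallback. The same two-line expression is repeated in the three `when:` clauses changed in tests/tests_include_present.yml and would be easier to keep in sync if it were set once as a fact here. The task this `when:` belongs to starts outside the hunk.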
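Review bot: In tests/tests_alternative_file.yml the new "Check Ubuntu 22 defaults" task reads the `Include` line from `config3.content` but the other two assertions from `config.content`, although its name speaks only of the first configuration file. The tasks that register `config` and `config3` are outside the hunk, so this may be deliberate; if it is, a one-line comment above the first assertion naming the file `config3` was read from would say why, and otherwise that assertion should use `config.content`. The identical task added in tests/tests_alternative_file_role.yml has the same mix. These are also plain substring checks, so a commented-out `#UsePAM yes` line would satisfy them just as well as an active setting.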
@@ -144,6 +144,18 @@
 - "'UsePAM yes' in config.content | b64decode"
 when:
 - ansible_facts['os_family'] == 'Debian'
+ - ansible_facts['distribution_major_version']|int < 22
+
+ - name: Check Ubuntu 22 defaults are present in the first configuration file
+ assert:
+ that:
+ - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
+ - "'KbdInteractiveAuthentication no' in config.content | b64decode"
+ - "'UsePAM yes' in config.content | b64decode"
+ when:
+ - ansible_facts['distribution'] == 'Ubuntu'
+ - ansible_facts['distribution_major_version']|int >= 22
+
 - name: Check content of second configuration file
 assert:
diff --git a/tests/tests_include_present.yml b/tests/tests_include_present.yml
index b1a7459..428308c 100644
--- a/tests/tests_include_present.yml
+++ b/tests/tests_include_present.yml
@@ -15,7 +15,8 @@
 regexp: "^Include"
 state: absent
 when:
- - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
+ - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+ (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
 - name: Create a new configuration in drop-in directory
 include_role:
@@ -26,7 +27,8 @@
 Banner: /etc/include-issue
 Ciphers: aes192-ctr
 when:
- - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
+ - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+ (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
 - name: Verify the options are correctly set
 block:
@@ -48,17 +50,31 @@
 - "'Banner /etc/include-issue' in config.content | b64decode"
 - "'Ciphers aes192-ctr' in config.content | b64decode"
 - "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode"
- - "'Subsystem sftp /usr/libexec/sftp-server' not in config.content | b64decode"
+ - "'Subsystem sftp /usr/libexec/openssh/sftp-server' not in config.content | b64decode"
+ - "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode"
- - name: Check content of the main configuration file
+ - name: Check common content of the main configuration file
 assert:
 that:
 - "'Banner /etc/include-issue' not in config_main.content | b64decode"
 - "'Ciphers aes192-ctr' not in config_main.content | b64decode"
 - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
+
+ - name: Check RHEL content of the main configuration file
+ assert:
+ that:
 - "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
+ when: ansible_facts['os_family'] == 'RedHat'
+
+ - name: Check Ubuntu content of the main configuration file
+ assert:
+ that:
+ - "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode"
+ when: ansible_facts['os_family'] == 'Ubuntu'
+
 when:
- - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
+ - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+ (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
 tags: tests::verify
diff --git a/vars/Ubuntu_22.yml b/vars/Ubuntu_22.yml
new file mode 100644
index 0000000..c13f632
--- /dev/null
+++ b/vars/Ubuntu_22.yml
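Review bot: The new "Check Ubuntu content of the main configuration file" task in tests/tests_include_present.yml is gated on `ansible_facts['os_family'] == 'Ubuntu'`, but Ansible reports `os_family` as `Debian` on Ubuntu, so the task is always skipped and the `Subsystem sftp /usr/lib/openssh/sftp-server` assertion never runs. The enclosing block's own condition in this hunk already uses the right fact; the task should read `when: ansible_facts['distribution'] == 'Ubuntu'`. A skipped assertion reports as success, so as written the test gives no coverage of the Ubuntu main configuration file. The block these tasks belong to starts outside the hunk.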
@@ -0,0 +1,23 @@
+---
+__sshd_os_supported: yes
+
+sshd_service: ssh
+sshd_packages:
+ - openssh-server
+ - openssh-sftp-server
+# Ubuntu 22.04 finally ships with drop-in directory support so we touch
+# just included file with highest priority by default
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_config_mode: "0644"
+# the defaults here represent the defaults shipped in the main sshd_config
+__sshd_defaults:
+ Include: /etc/ssh/sshd_config.d/*.conf
+ KbdInteractiveAuthentication: no
+ UsePAM: yes
+ AcceptEnv: LANG LC_*
+ Subsystem: "sftp /usr/lib/openssh/sftp-server"
+
+__sshd_runtime_directory: /run/sshd
+
+__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
+__sshd_main_config_file: /etc/ssh/sshd_config
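Review bot: `KbdInteractiveAuthentication: no` and `UsePAM: yes` under `__sshd_defaults` in vars/Ubuntu_22.yml are YAML 1.1 booleans, so what reaches sshd_config depends on how the role's template renders `false`/`true`, and that template is not part of this diff. Quoting them (`KbdInteractiveAuthentication: "no"`, `UsePAM: "yes"`) pins the literal keyword that the tests added in this commit look for, and `__sshd_os_supported: yes` is better written `true`. The comment above `__sshd_config_file` could also say why the prefix matters, e.g. `# sshd keeps the first value it reads for each keyword, so the 00- prefix lets this file win over later drop-ins`.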