Add support for Ubuntu 22 with drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
parent
051f5666b2
commit
74026ba2f8
7 changed files with 72 additions and 9 deletions
|
@ -29,13 +29,13 @@ Requirements
|
||||||
|
|
||||||
Tested on:
|
Tested on:
|
||||||
|
|
||||||
* Ubuntu precise, trusty, xenial, bionic, focal
|
* Ubuntu precise, trusty, xenial, bionic, focal, jammy
|
||||||
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
|
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
|
||||||
* Debian wheezy, jessie, stretch, buster, bullseye
|
* Debian wheezy, jessie, stretch, buster, bullseye
|
||||||
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
|
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
|
||||||
* EL 6, 7, 8, 9 derived distributions
|
* EL 6, 7, 8, 9 derived distributions
|
||||||
* [![Run tests on CentOS](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml)
|
* [![Run tests on CentOS](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml)
|
||||||
* Fedora 31, 32, 33, 34
|
* All Fedora
|
||||||
* [![Run tests on Fedora latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml)
|
* [![Run tests on Fedora latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml)
|
||||||
* FreeBSD 10.1
|
* FreeBSD 10.1
|
||||||
* OpenBSD 6.0
|
* OpenBSD 6.0
|
||||||
|
|
|
@ -20,6 +20,7 @@ galaxy_info:
|
||||||
- xenial
|
- xenial
|
||||||
- bionic
|
- bionic
|
||||||
- focal
|
- focal
|
||||||
|
- jammy
|
||||||
- name: FreeBSD
|
- name: FreeBSD
|
||||||
version:
|
version:
|
||||||
- 10.1
|
- 10.1
|
||||||
|
|
|
@ -26,5 +26,5 @@
|
||||||
main_sshd_config_name: 00-ansible_system_role.conf
|
main_sshd_config_name: 00-ansible_system_role.conf
|
||||||
main_sshd_config_path: /etc/ssh/sshd_config.d/
|
main_sshd_config_path: /etc/ssh/sshd_config.d/
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == 'RedHat'
|
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||||
- ansible_facts['distribution_major_version']|int > 8
|
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||||
|
|
|
@ -130,6 +130,17 @@
|
||||||
- "'UsePAM yes' in config.content | b64decode"
|
- "'UsePAM yes' in config.content | b64decode"
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == 'Debian'
|
- ansible_facts['os_family'] == 'Debian'
|
||||||
|
- ansible_facts['distribution_major_version']|int < 22
|
||||||
|
|
||||||
|
- name: Check Ubuntu 22 defaults are present in the first configuration file
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
|
||||||
|
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
|
||||||
|
- "'UsePAM yes' in config.content | b64decode"
|
||||||
|
when:
|
||||||
|
- ansible_facts['distribution'] == 'Ubuntu'
|
||||||
|
- ansible_facts['distribution_major_version']|int >= 22
|
||||||
|
|
||||||
- name: Check content of second configuration file
|
- name: Check content of second configuration file
|
||||||
assert:
|
assert:
|
||||||
|
|
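Review bot: The new task "Check Ubuntu 22 defaults are present in the first configuration file" reads the `Include` line from `config3.content` but the other two options from `config.content`, and nothing in the hunk says which file each registered variable holds. The slurp tasks that register `config` and `config3` are outside the hunk, so whether the mix is intended cannot be confirmed from here. I would add a comment above the `that:` list, for example `# config3 is the main sshd_config, config is the file written by the role`, corrected to match the actual registrations, or rename the task so it does not claim that one file is checked. The same block is added in the `@ -144,6 +144,18 @` hunk of the next file and needs the same comment.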
|
@ -144,6 +144,18 @@
|
||||||
- "'UsePAM yes' in config.content | b64decode"
|
- "'UsePAM yes' in config.content | b64decode"
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == 'Debian'
|
- ansible_facts['os_family'] == 'Debian'
|
||||||
|
- ansible_facts['distribution_major_version']|int < 22
|
||||||
|
|
||||||
|
- name: Check Ubuntu 22 defaults are present in the first configuration file
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
|
||||||
|
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
|
||||||
|
- "'UsePAM yes' in config.content | b64decode"
|
||||||
|
when:
|
||||||
|
- ansible_facts['distribution'] == 'Ubuntu'
|
||||||
|
- ansible_facts['distribution_major_version']|int >= 22
|
||||||
|
|
||||||
|
|
||||||
- name: Check content of second configuration file
|
- name: Check content of second configuration file
|
||||||
assert:
|
assert:
|
||||||
|
|
|
@ -15,7 +15,8 @@
|
||||||
regexp: "^Include"
|
regexp: "^Include"
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
|
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||||
|
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||||
|
|
||||||
- name: Create a new configuration in drop-in directory
|
- name: Create a new configuration in drop-in directory
|
||||||
include_role:
|
include_role:
|
||||||
|
@ -26,7 +27,8 @@
|
||||||
Banner: /etc/include-issue
|
Banner: /etc/include-issue
|
||||||
Ciphers: aes192-ctr
|
Ciphers: aes192-ctr
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
|
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||||
|
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||||
|
|
||||||
- name: Verify the options are correctly set
|
- name: Verify the options are correctly set
|
||||||
block:
|
block:
|
||||||
|
@ -48,17 +50,31 @@
|
||||||
- "'Banner /etc/include-issue' in config.content | b64decode"
|
- "'Banner /etc/include-issue' in config.content | b64decode"
|
||||||
- "'Ciphers aes192-ctr' in config.content | b64decode"
|
- "'Ciphers aes192-ctr' in config.content | b64decode"
|
||||||
- "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode"
|
- "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode"
|
||||||
- "'Subsystem sftp /usr/libexec/sftp-server' not in config.content | b64decode"
|
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' not in config.content | b64decode"
|
||||||
|
- "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode"
|
||||||
|
|
||||||
- name: Check content of the main configuration file
|
- name: Check common content of the main configuration file
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "'Banner /etc/include-issue' not in config_main.content | b64decode"
|
- "'Banner /etc/include-issue' not in config_main.content | b64decode"
|
||||||
- "'Ciphers aes192-ctr' not in config_main.content | b64decode"
|
- "'Ciphers aes192-ctr' not in config_main.content | b64decode"
|
||||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
|
- "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
|
||||||
|
|
||||||
|
- name: Check RHEL content of the main configuration file
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
|
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
|
||||||
|
when: ansible_facts['os_family'] == 'RedHat'
|
||||||
|
|
||||||
|
- name: Check Ubuntu content of the main configuration file
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode"
|
||||||
|
when: ansible_facts['os_family'] == 'Ubuntu'
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
|
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
|
||||||
|
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||||
|
|
||||||
tags: tests::verify
|
tags: tests::verify
|
||||||
|
|
||||||
|
|
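Review bot: The new task "Check Ubuntu content of the main configuration file" is guarded by `when: ansible_facts['os_family'] == 'Ubuntu'`, but Ansible reports `os_family` as `Debian` on Ubuntu, so this assert is always skipped. As a result the `Subsystem sftp /usr/lib/openssh/sftp-server` check against the main sshd_config never runs. The other conditions added in this commit already use the right fact, so the guard should read `when: ansible_facts['distribution'] == 'Ubuntu'`. A skipped assert reports no failure, so as written the test would not notice a role run that drops or rewrites the main file's defaults on Ubuntu 22.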
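--- a/vars/Ubuntu_22.yml
+++ b/vars/Ubuntu_22.yml
@@ -0,0 +1,23 @@
+---
+__sshd_os_supported: yes
+
+sshd_service: ssh
+sshd_packages:
+- openssh-server
+- openssh-sftp-server
+# Ubuntu 22.04 finally ships with drop-in directory support so we touch
+# just included file with highest priority by default
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_config_mode: "0644"
+# the defaults here represent the defaults shipped in the main sshd_config
+__sshd_defaults:
+Include: /etc/ssh/sshd_config.d/*.conf
+KbdInteractiveAuthentication: no
+UsePAM: yes
+AcceptEnv: LANG LC_*
+Subsystem: "sftp /usr/lib/openssh/sftp-server"
+
+__sshd_runtime_directory: /run/sshd
+
+__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
+__sshd_main_config_file: /etc/ssh/sshd_config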
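Review bot: The comment above `__sshd_config_file` says the file is included "with highest priority" but does not say why, and the reason matters when this role is used for hardening. sshd keeps the first value it reads for each keyword, so `00-ansible_system_role.conf` wins over later drop-ins only for the keywords the role writes, and any other `*.conf` file in `/etc/ssh/sshd_config.d/` still decides the rest. I would extend the comment to something like `# sshd uses the first value seen per keyword; the 00- prefix sorts this file first, other drop-ins still apply to keywords not set here`. Separately, `KbdInteractiveAuthentication: no` and `UsePAM: yes` load as YAML 1.1 booleans, so the rendered sshd_config depends on the template mapping them back to yes/no, and that template is not visible in this commit.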