Add support for Ubuntu 22 with drop-in directory

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
Jakub Jelen 2022-05-02 18:38:50 +02:00 committed by Jakub Jelen
parent 051f5666b2
commit 74026ba2f8
7 changed files with 72 additions and 9 deletions

View file

@ -29,13 +29,13 @@ Requirements
Tested on: Tested on:
* Ubuntu precise, trusty, xenial, bionic, focal * Ubuntu precise, trusty, xenial, bionic, focal, jammy
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml) * [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
* Debian wheezy, jessie, stretch, buster, bullseye * Debian wheezy, jessie, stretch, buster, bullseye
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml) * [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
* EL 6, 7, 8, 9 derived distributions * EL 6, 7, 8, 9 derived distributions
* [![Run tests on CentOS](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml) * [![Run tests on CentOS](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml)
* Fedora 31, 32, 33, 34 * All Fedora
* [![Run tests on Fedora latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml) * [![Run tests on Fedora latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml)
* FreeBSD 10.1 * FreeBSD 10.1
* OpenBSD 6.0 * OpenBSD 6.0

View file

@ -20,6 +20,7 @@ galaxy_info:
- xenial - xenial
- bionic - bionic
- focal - focal
- jammy
- name: FreeBSD - name: FreeBSD
version: version:
- 10.1 - 10.1

View file

@ -26,5 +26,5 @@
main_sshd_config_name: 00-ansible_system_role.conf main_sshd_config_name: 00-ansible_system_role.conf
main_sshd_config_path: /etc/ssh/sshd_config.d/ main_sshd_config_path: /etc/ssh/sshd_config.d/
when: when:
- ansible_facts['os_family'] == 'RedHat' - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
- ansible_facts['distribution_major_version']|int > 8 (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)

View file

@ -130,6 +130,17 @@
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
when: when:
- ansible_facts['os_family'] == 'Debian' - ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version']|int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file
assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode"
when:
- ansible_facts['distribution'] == 'Ubuntu'
- ansible_facts['distribution_major_version']|int >= 22
- name: Check content of second configuration file - name: Check content of second configuration file
assert: assert:

View file

@ -144,6 +144,18 @@
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
when: when:
- ansible_facts['os_family'] == 'Debian' - ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version']|int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file
assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode"
when:
- ansible_facts['distribution'] == 'Ubuntu'
- ansible_facts['distribution_major_version']|int >= 22
- name: Check content of second configuration file - name: Check content of second configuration file
assert: assert:

View file

@ -15,7 +15,8 @@
regexp: "^Include" regexp: "^Include"
state: absent state: absent
when: when:
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8 - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
- name: Create a new configuration in drop-in directory - name: Create a new configuration in drop-in directory
include_role: include_role:
@ -26,7 +27,8 @@
Banner: /etc/include-issue Banner: /etc/include-issue
Ciphers: aes192-ctr Ciphers: aes192-ctr
when: when:
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8 - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
@ -48,17 +50,31 @@
- "'Banner /etc/include-issue' in config.content | b64decode" - "'Banner /etc/include-issue' in config.content | b64decode"
- "'Ciphers aes192-ctr' in config.content | b64decode" - "'Ciphers aes192-ctr' in config.content | b64decode"
- "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode"
- "'Subsystem sftp /usr/libexec/sftp-server' not in config.content | b64decode" - "'Subsystem sftp /usr/libexec/openssh/sftp-server' not in config.content | b64decode"
- "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode"
- name: Check content of the main configuration file - name: Check common content of the main configuration file
assert: assert:
that: that:
- "'Banner /etc/include-issue' not in config_main.content | b64decode" - "'Banner /etc/include-issue' not in config_main.content | b64decode"
- "'Ciphers aes192-ctr' not in config_main.content | b64decode" - "'Ciphers aes192-ctr' not in config_main.content | b64decode"
- "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
- name: Check RHEL content of the main configuration file
assert:
that:
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode" - "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
when: ansible_facts['os_family'] == 'RedHat'
- name: Check Ubuntu content of the main configuration file
assert:
that:
- "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode"
when: ansible_facts['os_family'] == 'Ubuntu'
when: when:
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8 - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
tags: tests::verify tags: tests::verify

23
vars/Ubuntu_22.yml Normal file
View file

@ -0,0 +1,23 @@
---
__sshd_os_supported: yes
sshd_service: ssh
sshd_packages:
- openssh-server
- openssh-sftp-server
# Ubuntu 22.04 finally ships with drop-in directory support so we touch
# just included file with highest priority by default
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_config_mode: "0644"
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_defaults:
Include: /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication: no
UsePAM: yes
AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server"
__sshd_runtime_directory: /run/sshd
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
__sshd_main_config_file: /etc/ssh/sshd_config