Filter out Ed25519 keys from default in FIPS mode
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
71eab116bd
commit
7f69d1e69a
5 changed files with 36 additions and 3 deletions
|
@ -74,7 +74,8 @@ __sshd_defaults: {}
|
|||
__sshd_os_supported: no
|
||||
__sshd_sysconfig_supports_crypto_policy: false
|
||||
__sshd_sysconfig_supports_use_strong_rng: false
|
||||
|
||||
# The hostkeys not supported in FIPS mode, if applicable
|
||||
__sshd_hostkeys_nofips: []
|
||||
|
||||
__sshd_runtime_directory: false
|
||||
__sshd_runtime_directory_mode: "0755"
|
||||
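Review bot: The comment added above `__sshd_hostkeys_nofips` does not say how the list is consumed, and that matters because filtering only happens when an entry matches a default `HostKey` path exactly; I would write it as `# Host key paths dropped from the default HostKey list when FIPS mode is detected (only role defaults are filtered; an explicit sshd HostKey is left untouched). Per-OS vars files override this.` The "only defaults" part is visible in the template hunk of this commit, where `difference(__sshd_hostkeys_nofips)` is applied solely in the `__sshd_defaults` branch. The per-OS override is visible in the two vars-file hunks that set the list to the Ed25519 key.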
|
|
|
@ -21,7 +21,11 @@
|
|||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||
{% set value = __sshd_defaults[key] %}
|
||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||||
{% else %}
|
||||
{% set value = __sshd_defaults[key] %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{{ render_option(key,value) -}}
|
||||
{% endmacro %}
|
||||
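Review bot: `__sshd_fips_mode` is referenced on the new `{% if key == 'HostKey' and __sshd_fips_mode %}` line but is only defined as a task-level var (the `&share_vars` anchor in the tasks hunk of this commit); if the task that renders this template does not carry `vars: *share_vars`, the name is undefined here and strict undefined handling fails the render. A defensive form is `{% if key == 'HostKey' and __sshd_fips_mode | default(false) %}`, which also keeps the template renderable outside the role's task flow. The filter is applied only in the `__sshd_defaults` branch, so a user-supplied `HostKey` list passes through unfiltered — presumably intended, but worth a one-line comment next to the new `{% if %}`. The `body_option` macro begins before this hunk.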
|
|
|
@ -22,8 +22,28 @@
|
|||
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
|
||||
notify: reload_sshd
|
||||
|
||||
- name: Check the kernel FIPS mode
|
||||
slurp:
|
||||
src: /proc/sys/crypto/fips_enabled
|
||||
register: __sshd_kernel_fips_mode
|
||||
failed_when: false
|
||||
when:
|
||||
- __sshd_hostkeys_nofips != []
|
||||
|
||||
- name: Check the userspace FIPS mode
|
||||
slurp:
|
||||
src: /etc/system-fips
|
||||
register: __sshd_userspace_fips_mode
|
||||
failed_when: false
|
||||
when:
|
||||
- __sshd_hostkeys_nofips != []
|
||||
|
||||
- name: Make sure hostkeys are available and have expected permissions
|
||||
vars: &share_vars
|
||||
__sshd_fips_mode: >-
|
||||
__sshd_hostkeys_nofips != [] and \
|
||||
(__sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
|
||||
__sshd_kernel_fips_mode.content | b64decode != "0" | bool)
|
||||
# This mimics the macro body_option() in sshd_config.j2
|
||||
# The explicit to_json filter is needed for Python 2 compatibility
|
||||
__sshd_hostkeys_from_config: >-
|
||||
|
@ -32,7 +52,11 @@
|
|||
{% elif sshd['HostKey'] is defined %}
|
||||
{{ sshd['HostKey'] | to_json }}
|
||||
{% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
|
||||
{{ __sshd_defaults['HostKey'] | to_json }}
|
||||
{% if __sshd_fips_mode %}
|
||||
{{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
|
||||
{% else %}
|
||||
{{ __sshd_defaults['HostKey'] | to_json }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
[]
|
||||
{% endif %}
|
||||
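Review bot: The `__sshd_fips_mode` value under `vars: &share_vars` is written as a bare expression in a `>-` scalar without `{{ }}`, so as far as this hunk shows it is a non-empty literal string and therefore always truthy — both consumers (`{% if __sshd_fips_mode %}` in the new `__sshd_hostkeys_from_config` branch and the template) would then drop the Ed25519 key regardless of the actual FIPS state. Even once templated, the expression has further problems: `/proc/sys/crypto/fips_enabled` is slurped with its trailing newline, so `== "1"` cannot match without `| trim`, and `... != "0" | bool` compares the decoded string with the boolean `"0" | bool`, which is always true. `__sshd_userspace_fips_mode` is registered but never consulted, `.content` is undefined when the slurp failed (the task has `failed_when: false`) so the comparison raises, and the backslash continuations are literal characters inside a folded scalar that mean nothing to Jinja. A rewrite is below; whether the presence of `/etc/system-fips` is the intended userspace signal should be confirmed against the role's documentation.

```yaml
    vars: &share_vars
      # NOTE(review): userspace marker is checked by presence only — confirm intent
      __sshd_fips_mode: >-
        {{
          __sshd_hostkeys_nofips != [] and
          ((__sshd_kernel_fips_mode.content | default('') | b64decode | trim) == "1"
           or __sshd_userspace_fips_mode.content is defined)
        }}
      # … unchanged: __sshd_hostkeys_from_config …
```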
|
|
|
@ -29,3 +29,5 @@ __sshd_os_supported: yes
|
|||
__sshd_sysconfig_supports_use_strong_rng: true
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
|
|
|
@ -31,3 +31,5 @@ __sshd_sysconfig_supports_use_strong_rng: true
|
|||
__sshd_sysconfig_supports_crypto_policy: true
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
|
|