diff --git a/defaults/main.yml b/defaults/main.yml
index a6c2631..7cfff54 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,6 +23,19 @@ sshd_allow_reload: true
 # If the below is true, create a backup of the config file when the template is copied
 sshd_backup: true
+# If the below is true, also install the sysconfig file with the below options
+# (useful only on Fedora and RHEL)
+sshd_sysconfig: false
+
+# If the below is true the role will override also crypto policy configuration
+sshd_sysconfig_override_crypto_policy: false
+
+# If the below is set to non-zero value, the OpenSSL random generator is
+# reseeded with the given amount of random bytes (from getrandom(2)
+# with GRND_RANDOM or /dev/random). Minimum is 14 bytes when enabled.
+# This is not recommended to enable if you do not have hadware random generator
+sshd_sysconfig_use_strong_rng: 0
+
 # Empty dicts to avoid errors
 sshd: {}
@@ -43,3 +56,6 @@ __sshd_service: sshd
 __sshd_sftp_server: /usr/lib/openssh/sftp-server
 __sshd_defaults: {}
 __sshd_os_supported: no
+__sshd_sysconfig: false
+__sshd_sysconfig_supports_crypto_policy: false
+__sshd_sysconfig_supports_use_strong_rng: false
diff --git a/tasks/install.yml b/tasks/install.yml
index 99b6f88..29bd60b 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -20,6 +20,18 @@
 backup: "{{ sshd_backup }}"
 notify: reload_sshd
+- name: Sysconfig configuration
+ template:
+ src: sysconfig.j2
+ dest: "/etc/sysconfig/sshd"
+ owner: "root"
+ group: "root"
+ mode: "600"
+ backup: "{{ sshd_backup }}"
+ when:
+ - sshd_sysconfig|bool
+ notify: reload_sshd
+
 - name: Install systemd service files
 block:
 - name: Install service unit file
diff --git a/tasks/variables.yml b/tasks/variables.yml
index cd630e4..a1165ef 100644
--- a/tasks/variables.yml
+++ b/tasks/variables.yml
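Review bot: The comment above `sshd_sysconfig_override_crypto_policy` ("the role will override also crypto policy configuration") does not tell the operator what enabling it actually does: templates/sysconfig.j2 in this commit writes an empty `CRYPTO_POLICY=` line, which on RHEL 8 / Fedora is the documented way to opt sshd out of the system-wide crypto policy, so the allowed ciphers, MACs and key exchanges then come only from sshd_config or OpenSSH's built-in defaults. Suggested replacement: `# If true, write an empty CRYPTO_POLICY= to /etc/sysconfig/sshd, which opts sshd out of` / `# the system-wide crypto policy (RHEL 8 / Fedora); ciphers, MACs and KEX are then only what` / `# sshd_config or the OpenSSH defaults allow, so set them explicitly when enabling this.` The `sshd_sysconfig_use_strong_rng` comment states a 14-byte minimum but the template emits the value verbatim, so say that the role does not validate it; "hadware" should read "hardware".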
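Review bot: The new `Sysconfig configuration` task notifies only `reload_sshd`, yet /etc/sysconfig/sshd is consumed as the service's environment file by the systemd unit, and a reload presumably re-execs sshd with its existing environment, so a changed `CRYPTO_POLICY` or `SSH_USE_STRONG_RNG` would take effect only on a full restart; the handler is outside this diff, so either notify a restart handler here or document that a restart is required. The task is also gated only on `sshd_sysconfig|bool` and not on the `__sshd_sysconfig_supports_*` facts this commit adds, so on a platform where neither fact is true it still renders an almost empty file under /etc/sysconfig, a directory that may not exist there. Consider `when:` / `- sshd_sysconfig|bool` / `- __sshd_sysconfig_supports_crypto_policy or __sshd_sysconfig_supports_use_strong_rng`.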
@@ -60,3 +60,7 @@
 set_fact:
 sshd_sftp_server: "{{ __sshd_sftp_server }}"
 when: sshd_sftp_server is not defined
+ - name: Define sshd_sysconfig
+ set_fact:
+ sshd_sysconfig: "{{ __sshd_sysconfig }}"
+ when: sshd_sysconfig is not defined
diff --git a/templates/sysconfig.j2 b/templates/sysconfig.j2
new file mode 100644
index 0000000..045d61c
--- /dev/null
+++ b/templates/sysconfig.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+{% if __sshd_sysconfig_supports_crypto_policy %}
+{% if sshd_sysconfig_override_crypto_policy == true %}
+CRYPTO_POLICY=
+{% endif %}
+{% endif %}
+
+{% if __sshd_sysconfig_supports_use_strong_rng %}
+SSH_USE_STRONG_RNG={{ sshd_sysconfig_use_strong_rng }}
+{% endif %}
diff --git a/tests/test_sysconfig.yml b/tests/test_sysconfig.yml
new file mode 100644
index 0000000..04732e4
--- /dev/null
+++ b/tests/test_sysconfig.yml
@@ -0,0 +1,30 @@
+---
+- hosts: all
+ become: true
+ tasks:
+ - name: Configure sshd
+ include_role:
+ name: ansible-sshd
+ vars:
+ sshd_sysconfig: true
+ sshd_sysconfig_override_crypto_policy: true
+ sshd_sysconfig_use_strong_rng: 32
+
+ - name: Verify the options are correctly set
+ block:
+ - meta: flush_handlers
+
+ - name: Print current configuration file
+ command: cat /etc/sysconfig/sshd
+ register: config
+
+ - name: Check the options are in configuration file
+ assert:
+ that:
+ - "'CRYPTO_POLICY=' in config.stdout_lines"
+ - "'SSH_USE_STRONG_RNG=32' in config.stdout_lines"
+ # these are string variants in default configuration file
+ - "'# CRYPTO_POLICY=' not in config.stdout_lines"
+ - "'SSH_USE_STRONG_RNG=0' not in config.stdout_lines"
+ - "'# SSH_USE_STRONG_RNG=1' not in config.stdout_lines"
+ tags: tests::verify
diff --git a/vars/Fedora_31.yml b/vars/Fedora_31.yml
index c625ae3..6b1c362 100644
--- a/vars/Fedora_31.yml
+++ b/vars/Fedora_31.yml
@@ -23,3 +23,4 @@ __sshd_defaults:
 - XMODIFIERS
 Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_crypto_policy: true
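Review bot: The new `Define sshd_sysconfig` task is dead code: its `when: sshd_sysconfig is not defined` can never be true because defaults/main.yml in this same commit sets `sshd_sysconfig: false`, and a role default is always defined, so the per-OS `__sshd_sysconfig` indirection never takes effect. The sibling `sshd_sftp_server` task above it only works if that variable is absent from defaults, which this diff does not show. Either remove `sshd_sysconfig` from defaults/main.yml and keep this task, or drop the task together with `__sshd_sysconfig` and leave the option documented in defaults only. The enclosing task list continues outside this hunk.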
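Review bot: `{% if sshd_sysconfig_override_crypto_policy == true %}` is a strict comparison that is false for string values such as `"true"` or `"yes"` (what `-e` and many inventories deliver), while tasks/install.yml gates the same feature on `sshd_sysconfig|bool`; use `{% if sshd_sysconfig_override_crypto_policy | bool %}` for consistency. Because an empty `CRYPTO_POLICY=` is the opt-out from the system-wide crypto policy on RHEL 8 / Fedora, a comment in the rendered file helps whoever audits the host later, e.g. `# CRYPTO_POLICY= (empty) opts sshd out of the system-wide crypto policy; ciphers/MACs/KEX come from sshd_config` immediately before the `CRYPTO_POLICY=` line. `SSH_USE_STRONG_RNG={{ sshd_sysconfig_use_strong_rng }}` emits the variable verbatim; `{{ sshd_sysconfig_use_strong_rng | int }}` would coerce non-numeric input to 0 instead of writing it into the service environment.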
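Review bot: The assertions require both `CRYPTO_POLICY=` and `SSH_USE_STRONG_RNG=32` unconditionally, but the template emits each line only when the matching `__sshd_sysconfig_supports_*` fact is true, and the vars files in this commit set both facts only for RedHat_8 (Fedora_31 lacks use_strong_rng, RedHat_6/7 lack crypto_policy), so this test fails on those platforms. Gate each assertion on its fact, e.g. `- "'CRYPTO_POLICY=' in config.stdout_lines or not __sshd_sysconfig_supports_crypto_policy"`, assuming the role's per-OS vars remain visible to the play after `include_role`; if they do not, skip the verify block with a `when` on `ansible_distribution` and `ansible_distribution_major_version` instead. Reading the file with `slurp` rather than `command: cat` would also keep the verify play free of a changed-state task.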
diff --git a/vars/RedHat_6.yml b/vars/RedHat_6.yml
index 6741cc9..2aa7200 100644
--- a/vars/RedHat_6.yml
+++ b/vars/RedHat_6.yml
@@ -19,3 +19,4 @@ __sshd_defaults:
 X11Forwarding: yes
 Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_use_strong_rng: true
diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml
index 79141f5..c2e8f29 100644
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@@ -26,3 +26,4 @@ __sshd_defaults:
 - XMODIFIERS
 Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_use_strong_rng: true
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
index e89b11d..c36d851 100644
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@@ -26,3 +26,5 @@ __sshd_defaults:
 - XMODIFIERS
 Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes
+__sshd_sysconfig_supports_use_strong_rng: true
+__sshd_sysconfig_supports_crypto_policy: true