diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml index 02f56ac..a88234c 100644 --- a/tests/tasks/setup.yml +++ b/tests/tasks/setup.yml @@ -58,4 +58,4 @@ main_sshd_config_path: /etc/ssh/sshd_config.d/ when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) + (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20) diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml index 2d9c22c..ef59400 100644 --- a/tests/tests_alternative_file.yml +++ b/tests/tests_alternative_file.yml @@ -135,12 +135,19 @@ - ansible_facts['os_family'] == 'Debian' - ansible_facts['distribution_major_version'] | int < 22 - - name: Check Ubuntu 22 defaults are present in the first configuration file + - name: Check Ubuntu 20+ defaults are present in the first configuration file ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - - "'KbdInteractiveAuthentication no' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" + when: + - ansible_facts['distribution'] == 'Ubuntu' + - ansible_facts['distribution_major_version'] | int >= 20 + + - name: Check Ubuntu 22+ defaults are present in the first configuration file + ansible.builtin.assert: + that: + - "'KbdInteractiveAuthentication no' in config.content | b64decode" when: - ansible_facts['distribution'] == 'Ubuntu' - ansible_facts['distribution_major_version'] | int >= 22 diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml index 08a8109..30c0567 100644 --- a/tests/tests_alternative_file_role.yml +++ b/tests/tests_alternative_file_role.yml 
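Review bot: The Ubuntu version gate in this `when:` is the same compound expression that the commit edits again in three places in tests/tests_include_present.yml, so the drop-in support matrix now lives in four hand-maintained copies. If one copy drifts from the role's vars, the affected tasks are skipped rather than failed, and the run still passes without verifying the sshd options on that platform. Consider defining the condition once in a shared test variable, or at least add a comment above it such as `# keep in sync with vars/Ubuntu_20.yml: the drop-in file is the default from Ubuntu 20`. The enclosing task starts outside the hunk.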
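Review bot: After the split in tests/tests_alternative_file.yml, Ubuntu 20 has no assertion on the challenge-response / keyboard-interactive setting. `KbdInteractiveAuthentication no` is now checked only for 22+, while vars/Ubuntu_20.yml in this commit lists `ChallengeResponseAuthentication: false` among the 20.04 defaults, so a regression that dropped that authentication default on 20.04 would go unnoticed. A third task gated on major version 20 could assert it, assuming the role renders the option as `ChallengeResponseAuthentication no`, as the existing `UsePAM yes` check suggests. The same gap is in the matching hunk of tests/tests_alternative_file_role.yml.

```yaml
# … unchanged: "Check Ubuntu 20+ defaults" and "Check Ubuntu 22+ defaults" tasks …
- name: Check Ubuntu 20 defaults are present in the first configuration file
  ansible.builtin.assert:
    that:
      - "'ChallengeResponseAuthentication no' in config.content | b64decode"
  when:
    - ansible_facts['distribution'] == 'Ubuntu'
    - ansible_facts['distribution_major_version'] | int == 20
```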
@@ -153,12 +153,19 @@ - ansible_facts['os_family'] == 'Debian' - ansible_facts['distribution_major_version'] | int < 22 - - name: Check Ubuntu 22 defaults are present in the first configuration file + - name: Check Ubuntu 20+ defaults are present in the first configuration file ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - - "'KbdInteractiveAuthentication no' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" + when: + - ansible_facts['distribution'] == 'Ubuntu' + - ansible_facts['distribution_major_version'] | int >= 20 + + - name: Check Ubuntu 22+ defaults are present in the first configuration file + ansible.builtin.assert: + that: + - "'KbdInteractiveAuthentication no' in config.content | b64decode" when: - ansible_facts['distribution'] == 'Ubuntu' - ansible_facts['distribution_major_version'] | int >= 22 diff --git a/tests/tests_include_present.yml b/tests/tests_include_present.yml index c82c3fd..aeac6f6 100644 --- a/tests/tests_include_present.yml +++ b/tests/tests_include_present.yml @@ -17,7 +17,7 @@ state: absent when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) + (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20) - name: Create a new configuration in drop-in directory ansible.builtin.include_role: 
@@ -29,12 +29,12 @@ Ciphers: aes192-ctr when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) + (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20) - name: Verify the options are correctly set when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) + (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20) tags: tests::verify block: - name: Flush handlers diff --git a/vars/Ubuntu_20.yml b/vars/Ubuntu_20.yml index c8f8088..5dd4512 100644 --- a/vars/Ubuntu_20.yml +++ b/vars/Ubuntu_20.yml @@ -1,15 +1,25 @@ --- +__sshd_os_supported: true + __sshd_service: ssh __sshd_packages: - openssh-server - openssh-sftp-server +# Ubuntu 20.04 backported support for drop-in directory so we touch +# just the included file with highest priority by default +__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf __sshd_config_mode: "0644" +# the defaults here represent the defaults shipped in the main sshd_config __sshd_defaults: + Include: /etc/ssh/sshd_config.d/*.conf ChallengeResponseAuthentication: false UsePAM: true X11Forwarding: true PrintMotd: false AcceptEnv: LANG LC_* Subsystem: "sftp /usr/lib/openssh/sftp-server" -__sshd_os_supported: true + __sshd_runtime_directory: sshd + +__sshd_drop_in_dir_mode: '0755' +__sshd_main_config_file: /etc/ssh/sshd_config
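Review bot: In vars/Ubuntu_20.yml, the new `__sshd_config_file` default relies on the main sshd_config already containing the `Include /etc/ssh/sshd_config.d/*.conf` line. On a 20.04 host whose sshd_config predates the backport or was edited locally, options written to `00-ansible_system_role.conf` would presumably be ignored without any error. Whether the role checks or restores the Include in `__sshd_main_config_file` is not visible in this hunk, so the comment should state the assumption, e.g. `# requires the Include line in /etc/ssh/sshd_config; without it this file is not read`. Minor style point: `__sshd_drop_in_dir_mode: '0755'` uses single quotes while `__sshd_config_mode: "0644"` uses double quotes in the same file.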