Ubuntu 20 already supports drop-in directory

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Jakub Jelen 2023-10-31 15:11:43 +01:00
parent cea077a704
commit 84e6a71509
5 changed files with 33 additions and 9 deletions


@ -58,4 +58,4 @@
main_sshd_config_path: /etc/ssh/sshd_config.d/ main_sshd_config_path: /etc/ssh/sshd_config.d/
when: when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20)
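Review bot: The Ubuntu version threshold in this `when:` is hard-coded here and again in three `when:` clauses of a later test file in this commit, so every future change to drop-in support has to touch each copy by hand. A copy that is missed does not fail; the guarded tasks simply skip on that release and the drop-in behaviour goes untested there. If the test playbooks can share a variable, defining the condition once (for example a boolean set in a common vars file) and using `when: <that variable>` in all four places would remove that risk.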


@ -135,12 +135,19 @@
- ansible_facts['os_family'] == 'Debian' - ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version'] | int < 22 - ansible_facts['distribution_major_version'] | int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file - name: Check Ubuntu 20+ defaults are present in the first configuration file
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
when:
- ansible_facts['distribution'] == 'Ubuntu'
- ansible_facts['distribution_major_version'] | int >= 20
- name: Check Ubuntu 22+ defaults are present in the first configuration file
ansible.builtin.assert:
that:
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
when: when:
- ansible_facts['distribution'] == 'Ubuntu' - ansible_facts['distribution'] == 'Ubuntu'
- ansible_facts['distribution_major_version'] | int >= 22 - ansible_facts['distribution_major_version'] | int >= 22
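Review bot: On Ubuntu 20 the unchanged guard at the top of this hunk (`os_family == 'Debian'` with `distribution_major_version | int < 22`) still matches, so the earlier task it belongs to now runs alongside the new "Ubuntu 20+" check. That task's body is outside the hunk, so whether its assertions still hold once Ubuntu 20 uses the drop-in file cannot be confirmed from here. The split also moves `KbdInteractiveAuthentication no` to the 22+ task and adds no Ubuntu 20 counterpart, so unless the earlier task covers it, the keyboard-interactive setting is no longer asserted on Ubuntu 20. An assert such as `- "'ChallengeResponseAuthentication no' in config.content | b64decode"` under a 20-only condition would keep it covered, assuming the role renders the `ChallengeResponseAuthentication: false` default that way. The identical hunk in the next file has the same gap.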


@ -153,12 +153,19 @@
- ansible_facts['os_family'] == 'Debian' - ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version'] | int < 22 - ansible_facts['distribution_major_version'] | int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file - name: Check Ubuntu 20+ defaults are present in the first configuration file
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
when:
- ansible_facts['distribution'] == 'Ubuntu'
- ansible_facts['distribution_major_version'] | int >= 20
- name: Check Ubuntu 22+ defaults are present in the first configuration file
ansible.builtin.assert:
that:
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
when: when:
- ansible_facts['distribution'] == 'Ubuntu' - ansible_facts['distribution'] == 'Ubuntu'
- ansible_facts['distribution_major_version'] | int >= 22 - ansible_facts['distribution_major_version'] | int >= 22


@ -17,7 +17,7 @@
state: absent state: absent
when: when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20)
- name: Create a new configuration in drop-in directory - name: Create a new configuration in drop-in directory
ansible.builtin.include_role: ansible.builtin.include_role:
@ -29,12 +29,12 @@
Ciphers: aes192-ctr Ciphers: aes192-ctr
when: when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20)
- name: Verify the options are correctly set - name: Verify the options are correctly set
when: when:
- (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int > 8) or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 22) (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20)
tags: tests::verify tags: tests::verify
block: block:
- name: Flush handlers - name: Flush handlers


@ -1,15 +1,25 @@
--- ---
__sshd_os_supported: true
__sshd_service: ssh __sshd_service: ssh
__sshd_packages: __sshd_packages:
- openssh-server - openssh-server
- openssh-sftp-server - openssh-sftp-server
# Ubuntu 20.04 backported support for drop-in directory so we touch
# just the included file with highest priority by default
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_config_mode: "0644" __sshd_config_mode: "0644"
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_defaults: __sshd_defaults:
Include: /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication: false ChallengeResponseAuthentication: false
UsePAM: true UsePAM: true
X11Forwarding: true X11Forwarding: true
PrintMotd: false PrintMotd: false
AcceptEnv: LANG LC_* AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server" Subsystem: "sftp /usr/lib/openssh/sftp-server"
__sshd_os_supported: true
__sshd_runtime_directory: sshd __sshd_runtime_directory: sshd
__sshd_drop_in_dir_mode: '0755'
__sshd_main_config_file: /etc/ssh/sshd_config
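Review bot: A host whose `/etc/ssh/sshd_config` lacks the `Include /etc/ssh/sshd_config.d/*.conf` line will ignore everything written to the new `__sshd_config_file`, so sshd keeps running with the main file's settings while the play reports success. `Include` is only added to `__sshd_defaults` in this commit, so a main file written by an earlier run of the role on Ubuntu 20 would presumably not contain it. Whether the role checks `__sshd_main_config_file` for the Include before relying on the drop-in is not visible in this section. At minimum the comment above `__sshd_config_file` should state the dependency, e.g. `# takes effect only while __sshd_main_config_file still contains the Include line`.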