mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-12-23 00:50:18 +01:00
Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present in the generated configuration file. When the drop-in directory is used, usually, there are no hostkeys in that file and no sanity check for hostkeys was executed. This amends the "auto" value for the hostkeys check to allow checking for default hostkeys that are read by OpenSSH by default. Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
9502c325ea
commit
860e533713
4 changed files with 20 additions and 1 deletions
|
@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
|
|||
# configuration or restarting), we make sure the keys exist and have correct
|
||||
# permissions. To disable this check, set sshd_verify_hostkeys to false
|
||||
sshd_verify_hostkeys: "auto"
|
||||
__sshd_verify_hostkeys_default: []
|
||||
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
|
||||
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
|
||||
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
|
||||
|
|
|
@ -64,7 +64,13 @@
|
|||
{% if not sshd_verify_hostkeys %}
|
||||
{{ [] | to_json }}
|
||||
{% elif sshd_verify_hostkeys == 'auto' %}
|
||||
{% if __sshd_hostkeys_from_config | from_json is string %}
|
||||
{% if not __sshd_hostkeys_from_config | from_json %}
|
||||
{% if __sshd_fips_mode %}
|
||||
{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
|
||||
{% else %}
|
||||
{{ __sshd_verify_hostkeys_default | to_json }}
|
||||
{% endif %}
|
||||
{% elif __sshd_hostkeys_from_config | from_json is string %}
|
||||
{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
|
||||
{% else %}
|
||||
{{ __sshd_hostkeys_from_config }}
|
||||
|
|
|
@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
|||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
__sshd_defaults:
|
||||
__sshd_os_supported: yes
|
||||
__sshd_verify_hostkeys_default:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
|
|
@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
|||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
__sshd_defaults:
|
||||
__sshd_os_supported: yes
|
||||
__sshd_verify_hostkeys_default:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
|
Loading…
Reference in a new issue