libretic/ansible-sshd
6
0
Fork 0
mirror of https://github.com/willshersystems/ansible-sshd synced 2024-11-22 02:50:18 +01:00
Code Issues Projects Releases Packages Wiki Activity

Introduce default hostkeys to check when using drop-in directory

Browse source 
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
Jakub Jelen 2022-04-11 13:07:44 +02:00 committed by Jakub Jelen
parent 9502c325ea
commit 860e533713
4 changed files with 20 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
defaults/main.yml
View file

@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
# configuration or restarting), we make sure the keys exist and have correct
# permissions. To disable this check, set sshd_verify_hostkeys to false
sshd_verify_hostkeys: "auto"
__sshd_verify_hostkeys_default: []
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"

8
tasks/install.yml
View file

@ -64,7 +64,13 @@
{% if not sshd_verify_hostkeys %}
{{ [] | to_json }}
{% elif sshd_verify_hostkeys == 'auto' %}
{% if __sshd_hostkeys_from_config | from_json is string %}
{% if not __sshd_hostkeys_from_config | from_json %}
{% if __sshd_fips_mode %}
{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
{% else %}
{{ __sshd_verify_hostkeys_default | to_json }}
{% endif %}
{% elif __sshd_hostkeys_from_config | from_json is string %}
{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
{% else %}
{{ __sshd_hostkeys_from_config }}

6
vars/Fedora.yml
View file

@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
__sshd_os_supported: yes
__sshd_verify_hostkeys_default:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
__sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"

6
vars/RedHat_9.yml
View file

@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
__sshd_os_supported: yes
__sshd_verify_hostkeys_default:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
__sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"