Introduce default hostkeys to check when using drop-in directory

Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, that file usually contains no hostkeys, so no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Jakub Jelen 2022-04-11 13:07:44 +02:00 committed by Jakub Jelen
parent 9502c325ea
commit 860e533713
4 changed files with 20 additions and 1 deletions


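--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
 # configuration or restarting), we make sure the keys exist and have correct
 # permissions. To disable this check, set sshd_verify_hostkeys to false
 sshd_verify_hostkeys: "auto"
+__sshd_verify_hostkeys_default: []
 sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
 sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
 sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"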
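Review bot: The new default covers `__sshd_verify_hostkeys_default` but not `__sshd_hostkeys_nofips`, which the template hunk in this commit subtracts from it under `__sshd_fips_mode`; on a platform whose vars file defines neither, a FIPS-mode host would presumably fail rendering on an undefined variable instead of falling through to an empty list. Adding `__sshd_hostkeys_nofips: []` beside the new line keeps that branch a harmless no-op. The comment above the variable still describes only the keys found in the generated config; a line such as `# With "auto" and no HostKey in the generated config, the platform's default hostkeys (__sshd_verify_hostkeys_default) are checked instead` would document the behaviour this commit introduces.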


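--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -64,7 +64,13 @@
 {% if not sshd_verify_hostkeys %}
 {{ [] | to_json }}
 {% elif sshd_verify_hostkeys == 'auto' %}
-{% if __sshd_hostkeys_from_config | from_json is string %}
+{% if not __sshd_hostkeys_from_config | from_json %}
+{% if __sshd_fips_mode %}
+{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
+{% else %}
+{{ __sshd_verify_hostkeys_default | to_json }}
+{% endif %}
+{% elif __sshd_hostkeys_from_config | from_json is string %}
 {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
 {% else %}
 {{ __sshd_hostkeys_from_config }}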
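Review bot: `{% if not __sshd_hostkeys_from_config | from_json %}` depends on Jinja binding the filter tighter than `not`; that is how Jinja parses it, but the reader has to know it, and the same expression is evaluated again in the `elif` one branch later. Parenthesising it, `{% if not (__sshd_hostkeys_from_config | from_json) %}`, makes the intent explicit. `__sshd_fips_mode` is not set anywhere in this commit, so it is presumably a fact gathered earlier in the role; a short Jinja comment above the new block naming where it comes from, and stating that the keys listed in `__sshd_hostkeys_nofips` are deliberately left unchecked in FIPS mode, would help the next maintainer. The enclosing `{% if %}` chain continues past the end of the hunk.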


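--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
 __sshd_defaults:
 __sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+- /etc/ssh/ssh_host_rsa_key
+- /etc/ssh/ssh_host_ecdsa_key
+- /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+- /etc/ssh/ssh_host_ed25519_key
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"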
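Review bot: The two vars hunks in this commit (this one and the identical one below) add the same lists without saying why `__sshd_hostkeys_nofips` singles out the ed25519 key. A comment such as `# ed25519 is not usable under FIPS, so sshd does not load this key there; do not require it` above `__sshd_hostkeys_nofips:` would record the reason (assumed from the variable name; confirm against the platform's FIPS policy). Note that dropping a key from the list skips its permission check as well as its existence check, so an ed25519 key file that is still present on a FIPS host no longer has its mode verified; that is likely acceptable, but is worth stating in the same comment. Keeping the two platform files byte-identical is also easy to get wrong over time; if the role already has a shared include for common vars, that would be the better home.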


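--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
 __sshd_defaults:
 __sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+- /etc/ssh/ssh_host_rsa_key
+- /etc/ssh/ssh_host_ecdsa_key
+- /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+- /etc/ssh/ssh_host_ed25519_key
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"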