diff --git a/CHANGELOG b/CHANGELOG
index 9b06a85..f73241c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,2 +1,10 @@
+0.2.0 04 January 2014 Matt Willsher
+- Change var file search order
+- Add Arch Linux defaults (thanks GitHub user @brenix).
+- A number of typo fixes (again, thanks @brenix), including UsePrivilegeSeparation.
+- A Ubuntu precise defaults.
+- A Debian jessie defaults.
+- Unknown Ubuntu and Debian versions default to wheezy defaults.
+- License to LGPL
 0.1.0 25 December 2014 Matt Willsher
 - Initial release
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..65c5ca8
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,165 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. diff --git a/README.md b/README.md index c3d5853..43b344e 100644 --- a/README.md +++ b/README.md 
@@ -38,7 +38,7 @@ sshd_ListenAddress: sshd_skip_defaults: true sshd: Compression: true - ListenAddres: + ListenAddress: - "0.0.0.0" - "::" GSSAPIAuthentication: no @@ -63,3 +63,8 @@ Match Group user Match Group xusers X11Forwarding yes ``` +### Author + +Copyright 2014 Matt Willsher + +Code in this repository is licensed under the LGPLv3 license. See LICENSE for full details. diff --git a/meta/main.yml b/meta/main.yml index 564232e..8c7e101 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -3,14 +3,16 @@ galaxy_info: author: Matt Willsher description: OpenSSH SSH deamon configuration company: Willsher Systems - license: GPLv3 + license: LGPLv3 min_ansible_version: 1.8 platforms: - name: Debian versions: - wheezy + - jessie - name: Ubuntu versions: + - precise - trusty - name: FreeBSD version: diff --git a/meta/options_body b/meta/options_body index bf37eb2..ee54695 100644 --- a/meta/options_body +++ b/meta/options_body @@ -1,9 +1,9 @@ Port +AddressFamily ListenAddress Protocol HostKey AcceptEnv -AddressFamily AllowAgentForwarding AllowGroups AllowTcpForwarding diff --git a/tasks/main.yml b/tasks/main.yml index 3ef1ce2..f9ad303 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,10 +2,13 @@ - name: Role set up include_vars: "{{ item }}" with_first_found: - - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml" - "{{ ansible_os_family }}.yml" - default.yml + tags: + - sshd - name: Installed action: > @@ -13,6 +16,8 @@ name="{{ item }}" state=installed with_items: sshd_packages + tags: + - sshd - name: Configured template: 
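Review bot: The new `with_first_found` chain in the "Role set up" task falls through silently, so a Debian-family release without its own vars file (any Ubuntu other than 12 and 14, now that `Ubuntu.yml` is renamed to `Ubuntu_14.yml` in this commit) ends up with the wheezy defaults from `Debian.yml`, and an unrecognised platform gets `default.yml`, with nothing in the play output saying which file won. Because these files carry security-relevant defaults (PermitRootLogin, host key list, forwarding), the fallback should at least be written down next to the task: `# Most specific first; Debian-family releases without their own file fall back to Debian.yml (wheezy), anything else to default.yml`. The lookup also depends on gathered facts, so with `gather_facts: false` the `ansible_distribution` variables are undefined and the task fails — presumably acceptable, but worth a line in the README.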
@@ -22,10 +27,13 @@ group: "{{ sshd_config_group }}" mode: "{{ sshd_config_mode }}" notify: check and reload sshd + tags: + - sshd - name: Service enabled and running service: name: "{{ sshd_service }}" enabled: true state: running - + tags: + - sshd diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 54bbff9..71b87ff 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -69,11 +69,11 @@ Match {{ match["Condition"] }} {% endif %} {% endmacro %} {{ body_option("Port",sshd_Port) -}} +{{ body_option("AddressFamily",sshd_AddressFamily) -}} {{ body_option("ListenAddress",sshd_ListenAddress) -}} {{ body_option("Protocol",sshd_Protocol) -}} {{ body_option("HostKey",sshd_HostKey) -}} {{ body_option("AcceptEnv",sshd_AcceptEnv) -}} -{{ body_option("AddressFamily",sshd_AddressFamily) -}} {{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}} {{ body_option("AllowGroups",sshd_AllowGroups) -}} {{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}} diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml new file mode 100644 index 0000000..c529f91 --- /dev/null +++ b/vars/Archlinux.yml @@ -0,0 +1,14 @@ +--- +sshd_service: sshd +sshd_packages: + - openssh +sshd_sftp_server: /usr/lib/ssh/sftp-server +sshd_defaults: + Port: 22 + Protocol: 2 + AuthorizedKeysFile: .ssh/authorized_keys + ChallengeResponseAuthentication: no + PrintMotd: no + Subsystem: "sftp {{ sshd_sftp_server }}" + UsePAM: yes + UsePrivilegeSeparation: sandbox diff --git a/vars/Debian.yml b/vars/Debian.yml index b0676b4..ea81b4c 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -13,7 +13,7 @@ sshd_defaults: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - UsePrivilegeSeperation: yes + UsePrivilegeSeparation: yes KeyRegenerationInterval: 3600 ServerKeyBits: 768 SyslogFacility: AUTH 
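Review bot: The template now emits AddressFamily before ListenAddress, which matters because, as I read sshd's config parser, a ListenAddress line seen before AddressFamily is a fatal error ("address family must be specified before ListenAddress"), yet nothing in `templates/sshd_config.j2` records that constraint, so a later reshuffle of the `body_option` calls could silently reintroduce the failure. A Jinja comment above the moved line would pin it: `{# Port and AddressFamily must precede ListenAddress: sshd rejects the file otherwise #}`. `meta/options_body` mirrors the same ordering and deserves the same note. The `body_option` macro and the rest of the directive list lie outside this hunk.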
@@ -36,6 +36,3 @@ sshd_defaults: AcceptEnv: LANG LC_* Subsystem: "sftp {{ sshd_sftp_server }}" UsePAM: yes - Match: - - Condition: User vagrant - MaxSessions: 10 diff --git a/vars/Debian_8.yml b/vars/Debian_8.yml new file mode 100644 index 0000000..1478b25 --- /dev/null +++ b/vars/Debian_8.yml @@ -0,0 +1,39 @@ +--- +sshd_service: ssh +sshd_packages: + - openssh-server + - openssh-blacklist + - openssh-blacklist-extra + - openssh-sftp-server +sshd_config_mode: "0644" +sshd_defaults: + Port: 22 + Protocol: 2 + HostKey: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_dsa_key + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key + UsePrivilegeSeparation: yes + KeyRegenerationInterval: 3600 + ServerKeyBits: 1024 + SyslogFacility: AUTH + LogLevel: INFO + LoginGraceTime: 120 + PermitRootLogin: without-password + StrictModes: yes + RSAAuthentication: yes + PubkeyAuthentication: yes + IgnoreRhosts: yes + RhostsRSAAuthentication: no + HostbasedAuthentication: no + PermitEmptyPasswords: no + ChallengeResponseAuthentication: no + X11Forwarding: yes + X11DisplayOffset: 10 + PrintMotd: no + PrintLastLog: yes + TCPKeepAlive: yes + AcceptEnv: LANG LC_* + Subsystem: "sftp {{ sshd_sftp_server }}" + UsePAM: yes diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index 92cbd08..80907ca 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -15,7 +15,7 @@ sshd_defaults: GSSAPICleanupCredentials: yes UsePAM: yes X11Forwarding: yes - UsePrivilegeSeperation: sandbox + UsePrivilegeSeparation: sandbox AcceptEnv: - LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT diff --git a/vars/Ubuntu_12.yml b/vars/Ubuntu_12.yml new file mode 100644 index 0000000..2e120ce --- /dev/null +++ b/vars/Ubuntu_12.yml 
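Review bot: `vars/Debian_8.yml` reproduces the distribution's shipped sshd_config rather than a hardened profile — `PermitRootLogin: without-password` still allows root to log in with a key, `X11Forwarding: yes` is on, and the SSH1-only directives (`KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`) ride along despite `Protocol: 2` — and nothing in the file says so. A header comment would set expectations: `# Mirrors Debian jessie's stock /etc/ssh/sshd_config, not a hardened profile; override via the sshd dict or sshd_skip_defaults.` Separately, the `Subsystem` value interpolates `sshd_sftp_server`, which this file (unlike `vars/Archlinux.yml`) does not define; presumably `defaults/main.yml` supplies it, but that is not visible here, so it is worth confirming the template never renders `sftp ` with an empty path.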
@@ -0,0 +1,35 @@ +--- +sshd_service: ssh +sshd_packages: + - openssh-server +sshd_config_mode: "0644" +sshd_defaults: + Port: 22 + Protocol: 2 + HostKey: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_dsa_key + - /etc/ssh/ssh_host_ecdsa_key + UsePrivilegeSeparation: yes + KeyRegenerationInterval: 3600 + ServerKeyBits: 768 + SyslogFacility: AUTH + LogLevel: INFO + LoginGraceTime: 120 + PermitRootLogin: yes + StrictModes: yes + RSAAuthentication: yes + PubkeyAuthentication: yes + IgnoreRhosts: yes + RhostsRSAAuthentication: no + HostbaseAuthentication: no + PermitEmptyPasswords: no + ChallengeResponseAuthentication: no + X11Forwarding: yes + X11DisplayOffset: 10 + PrintMotd: no + PrintLastLog: yes + TCPKeepAlive: yes + AcceptEnv: LANG LC_* + Subsystem: "sftp {{ sshd_sftp_server }}" + UsePAM: yes diff --git a/vars/Ubuntu.yml b/vars/Ubuntu_14.yml similarity index 94% rename from vars/Ubuntu.yml rename to vars/Ubuntu_14.yml index 9f3bb7b..9e46d78 100644 --- a/vars/Ubuntu.yml +++ b/vars/Ubuntu_14.yml @@ -5,6 +5,7 @@ sshd_packages: - openssh-blacklist - openssh-blacklist-extra - openssh-sftp-server +sshd_config_mode: "0644" sshd_defaults: Port: 22 Protocol: 2 @@ -13,7 +14,7 @@ sshd_defaults: - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ed25519_key - UsePrivilegeSeperation: yes + UsePrivilegeSeparation: yes KeyRegenerationInterval: 3600 ServerKeyBits: 1024 SyslogFacility: AUTH
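Review bot: `HostbaseAuthentication: no` in `vars/Ubuntu_12.yml` is misspelled — the sshd keyword is `HostbasedAuthentication`, as `vars/Debian_8.yml` spells it — and sshd treats an unknown keyword as a fatal "Bad configuration option", so the rendered file fails `sshd -t`; depending on what the `check and reload sshd` handler does, that means either the play errors on every precise host or the daemon is reloaded with a config it cannot parse. The fix is `HostbasedAuthentication: no`. Separately, this file defaults `PermitRootLogin: yes` (precise's stock value) where the jessie and trusty files use `without-password`; that mirrors the distro, but it leaves password root logins enabled by default and deserves a comment on the line, e.g. `# precise stock value; allows password root login`, or a README note.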