Merge branch 'master' of github.com:willshersystems/ansible-sshd

This commit is contained in:
Colin Hoglund 2017-05-04 10:09:09 -04:00
commit 910c381dc2
14 changed files with 82 additions and 44 deletions

.gitignore vendored

@ -1 +1,3 @@
.vagrant
tests/roles/ansible-sshd
tests/test.retry


@ -1,7 +1,7 @@
OpenSSH Server
==============
[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-mattwillsher.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/mattwillsher/sshd/)
[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-willshersystems.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/willshersystems/sshd/)
This role configures the OpenSSH daemon. It:
@ -33,6 +33,7 @@ Tested on:
* FreeBSD 10.1
* EL 6,7 derived distributions
* Fedora 22, 23
* OpenBSD 6.0
It will likely work on other flavours and more direct support via suitable
[vars/](vars/) files is welcome.
@ -136,7 +137,7 @@ provides. Running it will likely break your SSH access to the server!
- Condition: "Group xusers"
X11Forwarding: yes
roles:
- role: mattwillsher.sshd
- role: willshersystems.sshd
```
Results in:

Vagrantfile vendored

@ -4,24 +4,32 @@
VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
# config.vm.define "ubuntu" do |ubuntu|
# ubuntu.vm.box = "ubuntu/trusty64"
# ubuntu.vm.provision "shell", inline: <<-SHELL
# sudo add-apt-repository -y ppa:ansible/ansible
# sudo apt-get update -qq
# sudo apt-get -qq install ansible
# SHELL
# end
config.vm.define "centos6" do |centos|
centos.vm.box = "bento/centos-6.7"
config.vm.synced_folder ".", "/vagrant", type: "nfs"
config.vm.define "ubuntu" do |ubuntu|
ubuntu.vm.box = "boxcutter/ubuntu1604"
# ubuntu.vm.provision "shell", inline: <<-SHELL
# sudo add-apt-repository -y ppa:ansible/ansible
# sudo apt-get update -qq
# sudo apt-get -qq install ansible
# SHELL
end
config.vm.define "centos7" do |centos|
centos.vm.box = "centos/7"
centos.vm.provision "shell", inline: <<-SHELL
sudo yum install -y libselinux-python
SHELL
end
config.vm.provision "shell", inline: <<-SHELL
sudo yum install -y libselinux-python
test -e /vagrant/tests/roles/ansible-sshd || ln -s /vagrant /vagrant/tests/roles/ansible-sshd
SHELL
config.vm.provision "ansible_local" do |ansible|
# ansible.config_file = "tests/ansible.cfg"
ansible.playbook = "tests/test.yml"
ansible.install = true
end
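Review bot: The global `config.vm.provision "shell"` block runs `sudo yum install -y libselinux-python` for every box, yet the same section defines an `ubuntu` box (`boxcutter/ubuntu1604`) on which yum does not exist, so provisioning that box will fail on the first line if both are on the new side of this hunk. Either keep the yum line inside the centos7 definition, as the `centos.vm.provision "shell"` block does, or guard it: `command -v yum >/dev/null 2>&1 && sudo yum install -y libselinux-python`. Note also that `type: "nfs"` for the synced folder exports the checkout over NFS to the VM network and requires privileged host-side edits to /etc/exports; since the `ansible_local` provisioner only reads the tree, the default synced-folder type may be sufficient. The `Vagrant.configure` block continues past the end of the hunk.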


@ -4,11 +4,9 @@
sshd_skip_defaults: false
# If the below is false, don't manage the service or reload the SSH
# daemon at all
sshd_manage_service: "{{ false if ansible_virtualization_type == 'docker' else true }}"
sshd_manage_service: true
# If the below is false, don't reload the ssh deamon on change
sshd_allow_reload: "{{ sshd_manage_service }}"
# If the below is false, don't manage /var/run/sshd directory
sshd_manage_var_run: "{{ false if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' else true }}"
sshd_allow_reload: true
# Empty dicts to avoid errors
sshd: {}
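Review bot: `sshd_allow_reload: true` no longer follows `sshd_manage_service`, so the comment above it, `# If the below is false, don't manage the service or reload the SSH daemon at all`, is no longer accurate: with the handler in handlers/main.yml checking only `sshd_allow_reload`, a user who sets `sshd_manage_service: false` still gets the daemon reloaded on config changes (assuming the second line of each pair here is the new side). Either restore the coupling, `sshd_allow_reload: "{{ sshd_manage_service }}"`, or reword the comment to state that the two switches are independent. The `sshd_manage_var_run` default that disappears here is still set by the new vars/OpenBSD.yml, leaving that override without a default or a consumer as far as the shown hunks go.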


@ -3,4 +3,4 @@
service:
name: "{{ sshd_service }}"
state: reloaded
when: sshd_allow_reload
when: sshd_allow_reload and ansible_virtualization_type != 'docker'
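Review bot: `ansible_virtualization_type` is a gathered fact, so the new condition raises an undefined-variable error when the play runs with `gather_facts: false` or a reduced fact subset, where the previous `when: sshd_allow_reload` worked; the service task in tasks/main.yml has the same problem. Use `when: sshd_allow_reload and ansible_virtualization_type | default('') != 'docker'` so a missing fact simply lets the reload proceed. Moving the docker check out of the overridable defaults also appears to remove the way a user could previously force service management inside a container by overriding `sshd_manage_service` / `sshd_allow_reload`.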


@ -14,6 +14,7 @@ galaxy_info:
versions:
- precise
- trusty
- xenial
- name: FreeBSD
version:
- 10.1
@ -25,10 +26,13 @@ galaxy_info:
versions:
- 22
- 23
- name: OpenBSD
versions:
- 6.0
galaxy_tags:
- networking
- system
- SSH
- SSH
- OpenSSH
- sshd
- server
@ -37,4 +41,5 @@ galaxy_info:
- centos
- redhat
- freebsd
- openbsd
dependencies: []


@ -22,15 +22,7 @@
name="{{ item }}"
state=installed
with_items: "{{ sshd_packages }}"
tags:
- sshd
- name: Run directory
file:
path: /var/run/sshd
state: directory
mode: 0755
when: sshd_manage_var_run
when: ansible_pkg_mgr != 'unknown'
tags:
- sshd
@ -50,8 +42,8 @@
service:
name: "{{ sshd_service }}"
enabled: true
state: running
when: sshd_manage_service
state: started
when: sshd_manage_service and ansible_virtualization_type != 'docker'
tags:
- sshd


@ -162,29 +162,29 @@ Match {{ match["Condition"] }}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_1 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_1) -}}
{% endif %}
{% if sshd_match_2 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_2) -}}
{% endif %}
{% if sshd_match_3 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_3) -}}
{% endif %}
{% if sshd_match_4 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_4) -}}
{% endif %}
{% if sshd_match_5 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_5) -}}
{% endif %}
{% if sshd_match_6 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_6) -}}
{% endif %}
{% if sshd_match_7 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_7) -}}
{% endif %}
{% if sshd_match_8 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_8) -}}
{% endif %}
{% if sshd_match_9 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_9) -}}
{% endif %}
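Review bot: The nine blocks corrected here still carry no comment explaining why the Match section must remain at the end of the template: in sshd_config every directive after a `Match` line belongs to that block until the next `Match`, so anything appended below `{{ match_block(sshd_match_9) -}}` would silently apply only to the last match rather than globally. Suggest `{# Match blocks stay last: sshd scopes every directive after a Match line to that block #}` above the first `{% if sshd_match is defined %}`, which opens above this hunk. The copy-paste error this commit fixes would also be less likely to recur if the numbered variables were handled by a single loop instead of nine hand-written blocks.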

tests/roles/.gitkeep Normal file


@ -1,5 +1,5 @@
---
- hosts: localhost
- hosts: all
become: true
roles:
- ansible-sshd


@ -1,15 +1,11 @@
---
sshd_service: sshd
sshd_packages:
- openssh
sshd_sftp_server: /usr/lib/ssh/sftp-server
sshd_defaults:
Port: 22
Protocol: 2
AuthorizedKeysFile: .ssh/authorized_keys
ChallengeResponseAuthentication: no
PrintMotd: no
Subsystem: "sftp {{ sshd_sftp_server }}"
UsePAM: yes
UsePrivilegeSeparation: sandbox
sshd_os_supported: yes

vars/OpenBSD.yml Normal file

@ -0,0 +1,9 @@
---
sshd_config_group: wheel
sshd_config_mode: "0600"
sshd_sftp_server: /usr/libexec/sftp-server
sshd_defaults:
AuthorizedKeysFile: .ssh/authorized_keys
Subsystem: "sftp {{ sshd_sftp_server }}"
sshd_os_supported: yes
sshd_manage_var_run: no
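Review bot: `sshd_manage_var_run: no` sets a variable that has no consumer on the new side of this commit as far as the rendered hunks show: the `Run directory` task that used `when: sshd_manage_var_run` is absent from the new side of the tasks/main.yml hunk, and defaults/main.yml drops the variable as well. Either remove the line or, if the task is meant to return, restore its default so this override is not the only definition. `sshd_config_group: wheel` and `sshd_config_mode: "0600"` are a sensible tightening relative to the role's other vars files; a one-line comment recording why OpenBSD gets a different group and mode would help the next reader.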


@ -14,6 +14,8 @@ sshd_defaults:
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes
X11Forwarding: yes
UsePrivilegeSeparation: sandbox

vars/Suse.yml Normal file

@ -0,0 +1,25 @@
---
sshd_packages:
- openssh
sshd_sftp_server: /usr/lib/ssh/sftp-server
sshd_defaults:
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTH
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
UsePAM: yes
X11Forwarding: yes
UsePrivilegeSeparation: sandbox
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ sshd_sftp_server }}"
sshd_os_supported: yes
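Review bot: Nothing in the file records where these values come from, and several of them loosen OpenSSH's compiled-in defaults: `X11Forwarding: yes` and `GSSAPIAuthentication: yes` are both `no` in a stock sshd, and `PasswordAuthentication: yes` is spelled out explicitly. Since `sshd_defaults` is presumably applied unless `sshd_skip_defaults` is set, a short header such as `# Defaults taken from the sshd_config shipped with <SUSE release checked>` (placeholder to fill in) would make clear these are deliberate distribution mirrors rather than role policy, in the way the UsePAM comment added to vars/RedHat.yml does. Suse also does not appear in the platform list this commit extends in meta/main.yml, where only OpenBSD is added, unless that lives in a hunk not shown.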