From d0a91bc3b586a41d389e395e2c4a92c8719954d5 Mon Sep 17 00:00:00 2001 From: Doug Thompson Date: Wed, 3 Aug 2016 15:53:32 +0100 Subject: [PATCH 01/14] show xenial support on galaxy --- meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/main.yml b/meta/main.yml index 8b53392..b3d0dad 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: versions: - precise - trusty + - xenial - name: FreeBSD version: - 10.1 From ef4bc25d5476d90e6500430dbdffda968b1c0087 Mon Sep 17 00:00:00 2001 From: Jasper Lievisse Adriaanse Date: Wed, 19 Oct 2016 21:33:15 +0200 Subject: [PATCH 02/14] Support for OpenBSD --- README.md | 1 + meta/main.yml | 6 +++++- vars/OpenBSD.yml | 9 +++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 vars/OpenBSD.yml diff --git a/README.md b/README.md index f7bb9a7..bf1a928 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,7 @@ Tested on: * FreeBSD 10.1 * EL 6,7 derived distributions * Fedora 22, 23 +* OpenBSD 6.0 It will likely work on other flavours and more direct support via suitable [vars/](vars/) files is welcome. diff --git a/meta/main.yml b/meta/main.yml index b3d0dad..069b5cb 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -26,10 +26,13 @@ galaxy_info: versions: - 22 - 23 + - name: OpenBSD + versions: + - 6.0 galaxy_tags: - networking - system - - SSH + - SSH - OpenSSH - sshd - server @@ -38,4 +41,5 @@ galaxy_info: - centos - redhat - freebsd + - openbsd dependencies: [] diff --git a/vars/OpenBSD.yml b/vars/OpenBSD.yml new file mode 100644 index 0000000..6da53b7 --- /dev/null +++ b/vars/OpenBSD.yml @@ -0,0 +1,9 @@ +--- +sshd_config_group: wheel +sshd_config_mode: "0600" +sshd_sftp_server: /usr/libexec/sftp-server +sshd_defaults: + AuthorizedKeysFile: .ssh/authorized_keys + Subsystem: "sftp {{ sshd_sftp_server }}" +sshd_os_supported: yes +sshd_manage_var_run: no From 6d0d043babb1af20aac6be3784b529b886101845 Mon Sep 17 00:00:00 2001 
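Review bot: `sshd_os_supported: yes` and `sshd_manage_var_run: no` in the new vars/OpenBSD.yml use YAML 1.1 truthy words for role control flags; `true`/`false` is what both YAML 1.1 and 1.2 parsers and yamllint's `truthy` rule agree on, so write `sshd_os_supported: true` and `sshd_manage_var_run: false`. The `yes`/`no` values that other vars files put under `sshd_defaults` are a different case, since those are rendered into sshd_config, whereas these two keys are presumably read by Ansible `when:` conditions (`when: sshd_manage_var_run` is visible later in this series). `sshd_config_mode: "0600"` is correctly quoted, so the octal mode cannot be reinterpreted as the integer 384.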
From: Sergey Korolev Date: Thu, 22 Dec 2016 16:48:27 +0300 Subject: [PATCH 03/14] Don't fail without package manager Atomic Host uses unsupported package manager `rpm-ostree`. So, `ansible_pkg_mgr` is `unknown` and this task will fail. `sshd` is already in base system images. Apart from this, sshd configuration is standard for Fedora/CentOS. I'm not sure it's the right solution. May be it's better to create new boolean variable like `sshd_manage_install` and use it here in `when`. --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 65f6a9e..a9ed28a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,6 +22,7 @@ name="{{ item }}" state=installed with_items: "{{ sshd_packages }}" + when: ansible_pkg_mgr != 'unknown' tags: - sshd From 97e7660ac59a7f4b3d6a217ffe92e20b1503ce66 Mon Sep 17 00:00:00 2001 From: Markos Chandras Date: Wed, 11 Jan 2017 16:07:59 +0000 Subject: [PATCH 04/14] vars: SUSE: Add default variables for SUSE based distributions --- vars/Suse.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 vars/Suse.yml diff --git a/vars/Suse.yml b/vars/Suse.yml new file mode 100644 index 0000000..328ee6a --- /dev/null +++ b/vars/Suse.yml @@ -0,0 +1,25 @@ +--- +sshd_packages: + - openssh +sshd_sftp_server: /usr/lib/ssh/sftp-server +sshd_defaults: + HostKey: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key + SyslogFacility: AUTH + AuthorizedKeysFile: .ssh/authorized_keys + PasswordAuthentication: yes + ChallengeResponseAuthentication: no + GSSAPIAuthentication: yes + GSSAPICleanupCredentials: no + UsePAM: yes + X11Forwarding: yes + UsePrivilegeSeparation: sandbox + AcceptEnv: + - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + - LC_IDENTIFICATION LC_ALL LANGUAGE + - XMODIFIERS + Subsystem: "sftp {{ sshd_sftp_server }}" +sshd_os_supported: yes 
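Review bot: The added `when: ansible_pkg_mgr != 'unknown'` makes the package task skip silently on any host whose package manager Ansible cannot identify, not only on Atomic Host, and the rest of the role then templates sshd_config for a daemon it never confirmed is installed. A comment on the line should record the reason so the skip is not mistaken for a bug later, e.g. `# rpm-ostree (Atomic Host) reports ansible_pkg_mgr 'unknown'; sshd ships in its base image`. The explicit `sshd_manage_install` toggle the commit message floats would make the decision per-host and auditable (`when: sshd_manage_install`, defaulting to true in defaults/main.yml) instead of inferring it from fact detection. The task's `name` and module header start outside this hunk.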
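Review bot: `X11Forwarding: yes` and `GSSAPIAuthentication: yes` in the new vars/Suse.yml `sshd_defaults` expose more of sshd than OpenSSH's upstream defaults (both are `no` upstream), and `PasswordAuthentication: yes` keeps password logins on; if these are meant to mirror the distribution's packaged sshd_config, as the commit title suggests, a header comment should say so, e.g. `# Mirrors the stock SUSE sshd_config; harden via the sshd / sshd_match dicts, not here`. The `yes`/`no` values under `sshd_defaults` are parsed as YAML booleans before the template sees them, which matches how vars/Archlinux.yml writes them, so the template presumably renders booleans back to `yes`/`no` — worth confirming once for `ChallengeResponseAuthentication: no`. `sshd_os_supported: yes` is a role flag rather than an sshd_config value and should be `true`.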
From f36d32e83376f088a93fc65d4795a95773b6d17c Mon Sep 17 00:00:00 2001 From: Harald Koch Date: Sat, 11 Feb 2017 11:11:18 -0500 Subject: [PATCH 05/14] cleanup Archlinux support to match defaults in current package (openssh-7.4p1-2) --- defaults/main.yml | 2 +- vars/Archlinux.yml | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 62ca56d..b27764b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -8,7 +8,7 @@ sshd_manage_service: "{{ false if ansible_virtualization_type == 'docker' else t # If the below is false, don't reload the ssh deamon on change sshd_allow_reload: "{{ sshd_manage_service }}" # If the below is false, don't manage /var/run/sshd directory -sshd_manage_var_run: "{{ false if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' else true }}" +sshd_manage_var_run: "{{ false if ansible_os_family == 'Archlinux' or (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else true }}" # Empty dicts to avoid errors sshd: {} diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml index ccdc2e5..121be90 100644 --- a/vars/Archlinux.yml +++ b/vars/Archlinux.yml @@ -1,15 +1,11 @@ --- -sshd_service: sshd sshd_packages: - openssh sshd_sftp_server: /usr/lib/ssh/sftp-server sshd_defaults: - Port: 22 - Protocol: 2 AuthorizedKeysFile: .ssh/authorized_keys ChallengeResponseAuthentication: no PrintMotd: no Subsystem: "sftp {{ sshd_sftp_server }}" UsePAM: yes - UsePrivilegeSeparation: sandbox sshd_os_supported: yes From f225804f64aeb1f70cd14845575d377f8d7031ff Mon Sep 17 00:00:00 2001 From: Hoai Le Date: Thu, 16 Mar 2017 15:06:16 +0200 Subject: [PATCH 06/14] Fix sshd service state --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index a9ed28a..0e19275 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
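Review bot: The rewritten `sshd_manage_var_run` line in defaults/main.yml is now a roughly 170-character Jinja expression on one line, which is hard to review and exceeds yamllint's default line length; a folded scalar keeps the same value: `sshd_manage_var_run: >-` followed by the expression split at the `or`. The comment above it still describes only the RedHat 7 special case; extend it to say why Archlinux is excluded as well, since the code no longer explains it.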
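Review bot: Removing `UsePrivilegeSeparation: sandbox` from vars/Archlinux.yml reads, without context, as giving up a hardening setting; on openssh 7.4 sandbox has been the default since 6.1 and 7.5 deprecates the directive, so the deletion is behaviour-neutral but deserves a comment, e.g. `# Port, Protocol and UsePrivilegeSeparation omitted: openssh 7.4 defaults (22, v2 only, sandbox)`. Dropping `sshd_service: sshd` presumably falls back to a value defined outside this patch — confirm defaults/main.yml still sets it. `sshd_os_supported: yes` is a role flag and should be `true`.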
@@ -51,7 +51,7 @@ service: name: "{{ sshd_service }}" enabled: true - state: running + state: started when: sshd_manage_service tags: - sshd From 426e11c4dffeca09fcc4d16103a91e5e65180040 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Mon, 20 Mar 2017 11:03:19 +0000 Subject: [PATCH 07/14] Update role name in readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bf1a928..59455ce 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ OpenSSH Server ============== -[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-mattwillsher.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/mattwillsher/sshd/) +[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-willshersystems.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/willshersystems/sshd/) This role configures the OpenSSH daemon. It: @@ -137,7 +137,7 @@ provides. Running it will likely break your SSH access to the server! - Condition: "Group xusers" X11Forwarding: yes roles: - - role: mattwillsher.sshd + - role: willshersystems.sshd ``` Results in: From c6926634afcbbd97e2175a6a0a012b9d36f95d81 Mon Sep 17 00:00:00 2001 From: Troy Fontaine Date: Thu, 6 Apr 2017 20:37:21 -0500 Subject: [PATCH 08/14] Fixed sshd_match blocks --- templates/sshd_config.j2 | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 633b86d..4f12890 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 
@@ -162,29 +162,29 @@ Match {{ match["Condition"] }} {{ match_block(sshd_match) -}} {% endif %} {% if sshd_match_1 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_1) -}} {% endif %} {% if sshd_match_2 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_2) -}} {% endif %} {% if sshd_match_3 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_3) -}} {% endif %} {% if sshd_match_4 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_4) -}} {% endif %} {% if sshd_match_5 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_5) -}} {% endif %} {% if sshd_match_6 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_6) -}} {% endif %} {% if sshd_match_7 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_7) -}} {% endif %} {% if sshd_match_8 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_8) -}} {% endif %} {% if sshd_match_9 is defined %} -{{ match_block(sshd_match) -}} +{{ match_block(sshd_match_9) -}} {% endif %} From 349d0e682819c1f006f83e72dd18354d6cf26352 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Thu, 4 May 2017 13:58:46 +0100 Subject: [PATCH 09/14] Remove circular symlink in tests dir --- .gitignore | 1 + Vagrantfile | 29 +++++++++++++++++------------ tests/ansible.cfg | 2 ++ tests/roles/.gitkeep | 0 tests/roles/ansible-sshd | 1 - tests/test.yml | 2 +- 6 files changed, 21 insertions(+), 14 deletions(-) create mode 100644 tests/ansible.cfg create mode 100644 tests/roles/.gitkeep delete mode 120000 tests/roles/ansible-sshd diff --git a/.gitignore b/.gitignore index 8000dd9..fa9f20a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .vagrant +tests/roles/ansible-sshd diff --git a/Vagrantfile b/Vagrantfile index 149727e..d9df733 100644 --- a/Vagrantfile +++ b/Vagrantfile 
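Review bot: The nine `sshd_match_N` blocks in templates/sshd_config.j2 are still copy-pasted, which is exactly how the original bug (every block rendering `sshd_match`) slipped in; a loop over the numbered variable names removes the repetition so a future tenth slot cannot regress the same way. The unnumbered `sshd_match` block at the top of the hunk stays as it is, and the enclosing `Match` section begins before this hunk. Whether `vars[...]` is the right lookup depends on the Ansible versions the role targets — confirm before switching.
```jinja
{# … unchanged: the unnumbered sshd_match block above … #}
{% for n in range(1, 10) %}
{% set match_var = 'sshd_match_' ~ n %}
{% if match_var in vars %}
{{ match_block(vars[match_var]) -}}
{% endif %}
{% endfor %}
```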
@@ -4,24 +4,29 @@ VAGRANTFILE_API_VERSION = "2" Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| - # config.vm.define "ubuntu" do |ubuntu| - # ubuntu.vm.box = "ubuntu/trusty64" - # ubuntu.vm.provision "shell", inline: <<-SHELL - # sudo add-apt-repository -y ppa:ansible/ansible - # sudo apt-get update -qq - # sudo apt-get -qq install ansible - # SHELL - # end - - config.vm.define "centos6" do |centos| - centos.vm.box = "bento/centos-6.7" + config.vm.define "ubuntu" do |ubuntu| + ubuntu.vm.box = "boxcutter/ubuntu1604" +# ubuntu.vm.provision "shell", inline: <<-SHELL +# sudo add-apt-repository -y ppa:ansible/ansible +# sudo apt-get update -qq +# sudo apt-get -qq install ansible +# SHELL end +# config.vm.define "centos7" do |centos| +# centos.vm.box = "boxcutter/centos72" + +# centos.vm.provision "shell", inline: <<-SHELL +# sudo yum install -y libselinux-python +# SHELL +# end + config.vm.provision "shell", inline: <<-SHELL - sudo yum install -y libselinux-python + ln -s /vagrant /vagrant/tests/roles/ansible-sshd || true SHELL config.vm.provision "ansible_local" do |ansible| +# ansible.config_file = "tests/ansible.cfg" ansible.playbook = "tests/test.yml" ansible.install = true end diff --git a/tests/ansible.cfg b/tests/ansible.cfg new file mode 100644 index 0000000..613d83b --- /dev/null +++ b/tests/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +roles_path = ../ diff --git a/tests/roles/.gitkeep b/tests/roles/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/tests/roles/ansible-sshd b/tests/roles/ansible-sshd deleted file mode 120000 index a24d5e8..0000000 --- a/tests/roles/ansible-sshd +++ /dev/null @@ -1 +0,0 @@ -../../. \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml index f143641..3455971 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -1,5 +1,5 @@ --- -- hosts: localhost +- hosts: all become: true roles: - ansible-sshd From 62c69684e3de087901cac0c80647332962917e8d Mon Sep 17 00:00:00 2001 
From: Matt Willsher Date: Thu, 4 May 2017 14:10:23 +0100 Subject: [PATCH 10/14] Config not needed here --- tests/ansible.cfg | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tests/ansible.cfg diff --git a/tests/ansible.cfg b/tests/ansible.cfg deleted file mode 100644 index 613d83b..0000000 --- a/tests/ansible.cfg +++ /dev/null @@ -1,2 +0,0 @@ -[defaults] -roles_path = ../ From 8b261657a5b2dd7157fb5351629fedab68cb9279 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Thu, 4 May 2017 14:14:51 +0100 Subject: [PATCH 11/14] Check role link exists before attempting to create it --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index d9df733..4c07330 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -22,7 +22,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # end config.vm.provision "shell", inline: <<-SHELL - ln -s /vagrant /vagrant/tests/roles/ansible-sshd || true + test -e /vagrant/tests/roles/ansible-sshd || ln -s /vagrant /vagrant/tests/roles/ansible-sshd SHELL config.vm.provision "ansible_local" do |ansible| From b2ce7324502c0950a19e581727bdff4fe2f5e765 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Thu, 4 May 2017 14:26:55 +0100 Subject: [PATCH 12/14] Don't manage /var/run --- tasks/main.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0e19275..c66615d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -26,15 +26,6 @@ tags: - sshd -- name: Run directory - file: - path: /var/run/sshd - state: directory - mode: 0755 - when: sshd_manage_var_run - tags: - - sshd - - name: Configuration template: src: sshd_config.j2 From 43ed7c19a2be6f183b60dd8a068e809178a194b8 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Thu, 4 May 2017 14:31:26 +0100 Subject: [PATCH 13/14] Fix Ansible 2.3 warnings --- .gitignore | 1 + defaults/main.yml | 6 ++---- handlers/main.yml | 2 +- tasks/main.yml | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) 
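Review bot: `test -e` in the new Vagrantfile guard follows the symlink, so a dangling `tests/roles/ansible-sshd` (left by an earlier box, or created on the host where `/vagrant` does not resolve) fails the test and `ln -s` then aborts the provisioner with "File exists". Check for the link itself as well: `test -e /vagrant/tests/roles/ansible-sshd || test -L /vagrant/tests/roles/ansible-sshd || ln -s /vagrant /vagrant/tests/roles/ansible-sshd`. Avoid `ln -sf` without `-n` as the alternative: because the existing link points at the directory that contains it, `ln` would descend into it and create a new link inside `/vagrant` instead of replacing the old one.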
diff --git a/.gitignore b/.gitignore index fa9f20a..ac9a57d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .vagrant tests/roles/ansible-sshd +tests/test.retry diff --git a/defaults/main.yml b/defaults/main.yml index b27764b..8c175c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,11 +4,9 @@ sshd_skip_defaults: false # If the below is false, don't manage the service or reload the SSH # daemon at all -sshd_manage_service: "{{ false if ansible_virtualization_type == 'docker' else true }}" +sshd_manage_service: true # If the below is false, don't reload the ssh deamon on change -sshd_allow_reload: "{{ sshd_manage_service }}" -# If the below is false, don't manage /var/run/sshd directory -sshd_manage_var_run: "{{ false if ansible_os_family == 'Archlinux' or (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else true }}" +sshd_allow_reload: true # Empty dicts to avoid errors sshd: {} diff --git a/handlers/main.yml b/handlers/main.yml index cfa9281..b5d29b4 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,4 +3,4 @@ service: name: "{{ sshd_service }}" state: reloaded - when: sshd_allow_reload \ No newline at end of file + when: sshd_allow_reload and ansible_virtualization_type != 'docker' diff --git a/tasks/main.yml b/tasks/main.yml index c66615d..05e9343 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -43,7 +43,7 @@ name: "{{ sshd_service }}" enabled: true state: started - when: sshd_manage_service + when: sshd_manage_service and ansible_virtualization_type != 'docker' tags: - sshd From fffdf9df0852123371ec52455f371ef68b9f88b7 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Thu, 4 May 2017 15:03:19 +0100 Subject: [PATCH 14/14] Add note about UsePAM --- .gitignore | 1 + Vagrantfile | 27 +++++++++++++++------------ vars/RedHat_7.yml | 2 ++ 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index fa9f20a..ac9a57d 100644 --- a/.gitignore +++ b/.gitignore 
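Review bot: The comment above `sshd_manage_service` in defaults/main.yml still says the flag alone decides whether the service is managed, but the docker exclusion this hunk removes from the value now lives as a hard-coded `ansible_virtualization_type != 'docker'` in tasks/main.yml and handlers/main.yml, so setting the flag to true can no longer force management inside a container; update the comment to `# Service and reload are additionally skipped when ansible_virtualization_type is 'docker'` or keep the condition overridable. The removed `sshd_manage_var_run` is still assigned in vars/OpenBSD.yml (added in PATCH 02 of this series) and may still be documented in the README; delete it there too, or the stale key reads as a live option.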
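Review bot: `when: sshd_allow_reload and ansible_virtualization_type != 'docker'` in handlers/main.yml raises an undefined-variable error when the play runs with `gather_facts: false` or a `gather_subset` that excludes `virtual`, because `ansible_virtualization_type` is a gathered fact; `ansible_virtualization_type | default('') != 'docker'` keeps the handler usable there. The same condition is repeated verbatim in the tasks/main.yml hunk of this patch; computing it once (a `set_fact` early in tasks/main.yml, or leaving the test inside the defaults) would stop the two copies from drifting. The handler definition begins before this hunk.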
@@ -1,2 +1,3 @@ .vagrant tests/roles/ansible-sshd +tests/test.retry diff --git a/Vagrantfile b/Vagrantfile index 4c07330..f6eade3 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -4,25 +4,28 @@ VAGRANTFILE_API_VERSION = "2" Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + + config.vm.synced_folder ".", "/vagrant", type: "nfs" + config.vm.define "ubuntu" do |ubuntu| ubuntu.vm.box = "boxcutter/ubuntu1604" -# ubuntu.vm.provision "shell", inline: <<-SHELL -# sudo add-apt-repository -y ppa:ansible/ansible -# sudo apt-get update -qq -# sudo apt-get -qq install ansible -# SHELL + # ubuntu.vm.provision "shell", inline: <<-SHELL + # sudo add-apt-repository -y ppa:ansible/ansible + # sudo apt-get update -qq + # sudo apt-get -qq install ansible + # SHELL end -# config.vm.define "centos7" do |centos| -# centos.vm.box = "boxcutter/centos72" + config.vm.define "centos7" do |centos| + centos.vm.box = "centos/7" -# centos.vm.provision "shell", inline: <<-SHELL -# sudo yum install -y libselinux-python -# SHELL -# end + centos.vm.provision "shell", inline: <<-SHELL + sudo yum install -y libselinux-python + SHELL + end config.vm.provision "shell", inline: <<-SHELL - test -e /vagrant/tests/roles/ansible-sshd || ln -s /vagrant /vagrant/tests/roles/ansible-sshd + test -e /vagrant/tests/roles/ansible-sshd || ln -s /vagrant /vagrant/tests/roles/ansible-sshd SHELL config.vm.provision "ansible_local" do |ansible| diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index 9efc90d..7b32e80 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -14,6 +14,8 @@ sshd_defaults: ChallengeResponseAuthentication: no GSSAPIAuthentication: yes GSSAPICleanupCredentials: yes +# Note that UsePAM: no is not supported under RHEL/CentOS. See +# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218 UsePAM: yes X11Forwarding: yes UsePrivilegeSeparation: sandbox
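Review bot: `config.vm.synced_folder ".", "/vagrant", type: "nfs"` makes NFS the only sync type for every box, and Vagrant's NFS synced folders require a private network on VirtualBox and edit the host's exports via sudo; no `private_network` line is visible in this hunk, so confirm one exists outside it or add `config.vm.network "private_network", type: "dhcp"` next to the synced_folder line. This patch also re-carries the `.gitignore` hunk that PATCH 13 already applied (same `index fa9f20a..ac9a57d`), which will not apply cleanly on top of it — drop it from this patch.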
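Review bot: The two comment lines added above `UsePAM: yes` in vars/RedHat_7.yml sit at column 0 while the keys around them are indented under `sshd_defaults`, which yamllint's `comments-indentation` rule flags and which reads as if the note belonged to the top-level mapping; indent them to the key's column, `  # Note that UsePAM: no is not supported under RHEL/CentOS. See`. If the linked PR comment gives the reason, a one-clause summary of it here would spare readers the link.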