Merge branch 'master' of github.com:willshersystems/ansible-sshd

.gitignore

@@ -1 +1,3 @@
 .vagrant
+tests/roles/ansible-sshd
+tests/test.retry

README.md

@@ -1,7 +1,7 @@
 OpenSSH Server
 ==============
 
-[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-mattwillsher.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/mattwillsher/sshd/)
+[![Build Status](https://travis-ci.org/willshersystems/ansible-sshd.svg?branch=master)](https://travis-ci.org/willshersystems/ansible-sshd) [![Ansible Galaxy](http://img.shields.io/badge/galaxy-willshersystems.sshd-660198.svg?style=flat)](https://galaxy.ansible.com/willshersystems/sshd/)
 
 This role configures the OpenSSH daemon. It:
 
@@ -33,6 +33,7 @@ Tested on:
 * FreeBSD 10.1
 * EL 6,7 derived distributions
 * Fedora 22, 23
+* OpenBSD 6.0
 
 It will likely work on other flavours and more direct support via suitable
 [vars/](vars/) files is welcome.
@@ -136,7 +137,7 @@ provides. Running it will likely break your SSH access to the server!
         - Condition: "Group xusers"
           X11Forwarding: yes
   roles:
-    - role: mattwillsher.sshd
+    - role: willshersystems.sshd
 ```
 
 Results in:

Vagrantfile

@@ -4,24 +4,32 @@
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  # config.vm.define "ubuntu" do |ubuntu|
-  #   ubuntu.vm.box = "ubuntu/trusty64"
-  #   ubuntu.vm.provision "shell", inline: <<-SHELL
-  #     sudo add-apt-repository -y ppa:ansible/ansible
-  #     sudo apt-get update -qq
-  #     sudo apt-get -qq install ansible
-  #   SHELL
-  # end
 
-  config.vm.define "centos6" do |centos|
+  config.vm.synced_folder ".", "/vagrant", type: "nfs"
-    centos.vm.box = "bento/centos-6.7"
+
+  config.vm.define "ubuntu" do |ubuntu|
+    ubuntu.vm.box = "boxcutter/ubuntu1604"
+  #  ubuntu.vm.provision "shell", inline: <<-SHELL
+  #    sudo add-apt-repository -y ppa:ansible/ansible
+  #    sudo apt-get update -qq
+  #    sudo apt-get -qq install ansible
+  #  SHELL
   end
 
+ config.vm.define "centos7" do |centos|
+   centos.vm.box = "centos/7"
+
+   centos.vm.provision "shell", inline: <<-SHELL
+     sudo yum install -y libselinux-python
+   SHELL
+ end
+
   config.vm.provision "shell", inline: <<-SHELL
-    sudo yum install -y libselinux-python
+    test -e /vagrant/tests/roles/ansible-sshd || ln -s /vagrant /vagrant/tests/roles/ansible-sshd
   SHELL
 
   config.vm.provision "ansible_local" do |ansible|
+#    ansible.config_file  = "tests/ansible.cfg"
     ansible.playbook = "tests/test.yml"
     ansible.install  = true
   end

defaults/main.yml

@@ -4,11 +4,9 @@
 sshd_skip_defaults: false
 # If the below is false, don't manage the service or reload the SSH
 # daemon at all
-sshd_manage_service: "{{ false if ansible_virtualization_type == 'docker' else true }}"
+sshd_manage_service: true
 # If the below is false, don't reload the ssh deamon on change
-sshd_allow_reload: "{{ sshd_manage_service }}"
+sshd_allow_reload: true
-# If the below is false, don't manage /var/run/sshd directory
-sshd_manage_var_run: "{{ false if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' else true }}"
 # Empty dicts to avoid errors
 sshd: {}
 

handlers/main.yml

@@ -3,4 +3,4 @@
   service:
     name: "{{ sshd_service }}"
     state: reloaded
-  when: sshd_allow_reload
+  when: sshd_allow_reload and ansible_virtualization_type != 'docker'

meta/main.yml

@@ -14,6 +14,7 @@ galaxy_info:
     versions:
     - precise
     - trusty
+    - xenial
   - name: FreeBSD
     version:
     - 10.1
@@ -25,10 +26,13 @@ galaxy_info:
     versions:
     - 22
     - 23
+  - name: OpenBSD
+    versions:
+    - 6.0
   galaxy_tags:
   - networking
   - system
-  - SSH 
+  - SSH
   - OpenSSH
   - sshd
   - server
@@ -37,4 +41,5 @@ galaxy_info:
   - centos
   - redhat
   - freebsd
+  - openbsd
 dependencies: []

tasks/main.yml

@@ -22,15 +22,7 @@
     name="{{ item }}"
     state=installed
   with_items: "{{ sshd_packages }}"
-  tags:
+  when: ansible_pkg_mgr != 'unknown'
-    - sshd
-
-- name: Run directory
-  file:
-    path: /var/run/sshd
-    state: directory
-    mode: 0755
-  when: sshd_manage_var_run
   tags:
     - sshd
 
@@ -50,8 +42,8 @@
   service:
     name: "{{ sshd_service }}"
     enabled: true
-    state: running
+    state: started
-  when: sshd_manage_service
+  when: sshd_manage_service and ansible_virtualization_type != 'docker'
   tags:
     - sshd
 

templates/sshd_config.j2

@@ -162,29 +162,29 @@ Match {{ match["Condition"] }}
 {{ match_block(sshd_match) -}}
 {% endif %}
 {% if sshd_match_1 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_1) -}}
 {% endif %}
 {% if sshd_match_2 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_2) -}}
 {% endif %}
 {% if sshd_match_3 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_3) -}}
 {% endif %}
 {% if sshd_match_4 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_4) -}}
 {% endif %}
 {% if sshd_match_5 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_5) -}}
 {% endif %}
 {% if sshd_match_6 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_6) -}}
 {% endif %}
 {% if sshd_match_7 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_7) -}}
 {% endif %}
 {% if sshd_match_8 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_8) -}}
 {% endif %}
 {% if sshd_match_9 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_9) -}}
 {% endif %}

tests/test.yml

@@ -1,5 +1,5 @@
 ---
-- hosts: localhost
+- hosts: all
   become: true
   roles:
   - ansible-sshd

vars/Archlinux.yml

@@ -1,15 +1,11 @@
 ---
-sshd_service: sshd
 sshd_packages:
   - openssh
 sshd_sftp_server: /usr/lib/ssh/sftp-server
 sshd_defaults:
-  Port: 22
-  Protocol: 2
   AuthorizedKeysFile: .ssh/authorized_keys
   ChallengeResponseAuthentication: no
   PrintMotd: no
   Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes
-  UsePrivilegeSeparation: sandbox
 sshd_os_supported: yes

vars/OpenBSD.yml

@@ -0,0 +1,9 @@
+---
+sshd_config_group: wheel
+sshd_config_mode: "0600"
+sshd_sftp_server: /usr/libexec/sftp-server
+sshd_defaults:
+  AuthorizedKeysFile: .ssh/authorized_keys
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+sshd_os_supported: yes
+sshd_manage_var_run: no

vars/RedHat_7.yml

@@ -14,6 +14,8 @@ sshd_defaults:
   ChallengeResponseAuthentication: no
   GSSAPIAuthentication: yes
   GSSAPICleanupCredentials: yes
+# Note that UsePAM: no is not supported under RHEL/CentOS. See
+# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
   UsePAM: yes
   X11Forwarding: yes
   UsePrivilegeSeparation: sandbox

vars/Suse.yml

@@ -0,0 +1,25 @@
+---
+sshd_packages:
+  - openssh
+sshd_sftp_server: /usr/lib/ssh/sftp-server
+sshd_defaults:
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  SyslogFacility: AUTH
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: yes
+  ChallengeResponseAuthentication: no
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: no
+  UsePAM: yes
+  X11Forwarding: yes
+  UsePrivilegeSeparation: sandbox
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+sshd_os_supported: yes