diff --git a/tasks/install.yml b/tasks/install.yml
index 978b8fb..1fc13f7 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -126,7 +126,7 @@
 group: "{{ sshd_config_group }}"
 mode: "{{ sshd_config_mode }}"
 block: |
- Match all
+ {{ __sshd_compat_match_all }}
 {{ lookup('template', 'sshd_config_snippet.j2') }}
 create: yes
 marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml
index eab0aa7..80c5afa 100644
--- a/tests/tests_config_namespace.yml
+++ b/tests/tests_config_namespace.yml
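Review bot: Nothing at the `block: |` line in tasks/install.yml says why the managed block must open with a match-everything line, although the scope of every setting in the snippet now depends on the value of `__sshd_compat_match_all`. Presumably the opener is there so that the namespaced settings are not absorbed by a `Match` section that already ends the target file; if the variable ever rendered empty, the snippet would silently apply only to that earlier match condition. I would add a comment above `block:` such as `# Opens with a match-everything line so the snippet is not scoped by a preceding Match section; the exact line is OS-specific (see vars/)`. The enclosing task starts above this hunk, so the comment placement should be checked against the full task.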
@@ -60,17 +60,31 @@ command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 register: nonmatching + - name: Check content of configuration file (blocks) + assert: + that: + - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')" + - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')" + when: + - ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6' + + - name: Check content of configuration file (blocks for RHEL 6) + assert: + that: + - "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv EDITOR')" + - "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv LS_COLORS')" + when: + - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6' + - name: Check content of configuration file assert: that: - "'AcceptEnv EDITOR' in config.content | b64decode" - - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')" - "'PasswordAuthentication yes' in config.content | b64decode" - "'Match user root' in config.content | b64decode" - "'AllowAgentForwarding no' in config.content | b64decode" - "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')" - "'AcceptEnv LS_COLORS' in config.content | b64decode" - - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')" - "'PasswordAuthentication no' in config.content | b64decode" - "'Match Address 127.0.0.1' in config.content | b64decode" - "'AllowTcpForwarding no' in config.content | b64decode" diff --git a/vars/RedHat_6.yml b/vars/RedHat_6.yml index 03ae474..182e4e4 100644 --- a/vars/RedHat_6.yml +++ b/vars/RedHat_6.yml @@ -22,3 +22,4 @@ __sshd_defaults: Subsystem: "sftp {{ sshd_sftp_server }}" __sshd_os_supported: yes __sshd_sysconfig_supports_use_strong_rng: true +__sshd_compat_match_all: Match address * diff --git a/vars/main.yml b/vars/main.yml index 01d7aee..37a46ed 100644 
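Review bot: In the two RHEL 6 assertions the ` *` in `'Match address *\\s*AcceptEnv EDITOR'` is a regex quantifier on the preceding space, not a literal asterisk, so the pattern cannot consume the `*` in the generated `Match address *` line and `regex_search` should find nothing there. Escape it in both patterns, e.g. `regex_search('Match address \\*\\s*AcceptEnv EDITOR')`, and likewise for `LS_COLORS`. As written, the RHEL 6 task would fail rather than confirm that the namespaced settings sit under a match-everything line, which appears to be the property these checks are meant to guard.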
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -5,3 +5,5 @@ __sshd_config_mode: "0600"
 __sshd_hostkey_owner: "root"
 __sshd_hostkey_group: "root"
 __sshd_hostkey_mode: "0600"
+# The OpenSSH 5.3 in RHEL6 does not support "Match all" so we need a workaround
+__sshd_compat_match_all: Match all
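Review bot: The comment added in vars/main.yml describes the RHEL 6 workaround, but the line beneath it is the ordinary default (`Match all`), while the actual workaround in vars/RedHat_6.yml carries no comment at all. I would reword this one to `# Line that opens the managed config block; vars/RedHat_6.yml overrides it because OpenSSH 5.3 lacks "Match all"` and add `# OpenSSH 5.3 does not support "Match all"; "Match address *" is the stand-in` above the override. Quoting both values (`"Match all"`, `"Match address *"`) would also match the quoted scalars just above in this file.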