Workaround namespace feature also for RHEL6

The OpenSSH 5.3 shipped in RHEL 6 is so old that it does not support "Match all",
so we need a workaround for this old release.
This commit is contained in:
Jakub Jelen 2021-08-06 20:52:42 +02:00
parent ee2096d680
commit 91784d1874
4 changed files with 20 additions and 3 deletions


@ -126,7 +126,7 @@
group: "{{ sshd_config_group }}"
mode: "{{ sshd_config_mode }}"
block: |
Match all
{{ __sshd_compat_match_all }}
{{ lookup('template', 'sshd_config_snippet.j2') }}
create: yes
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
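Review bot: Nothing in the task records why the namespace block has to begin with a Match line, and with the literal `Match all` replaced by `{{ __sshd_compat_match_all }}` the intent is now hidden behind a private variable. The first line is the security-relevant part: in sshd_config a new Match line ends any preceding Match block and scopes everything that follows, so the snippet's directives apply on their own terms rather than extending an earlier, possibly stricter, per-user or per-address block. A comment above `block:` would make that explicit, e.g. `# The block must start with a Match line ("Match all", or a per-OS equivalent where that keyword is unsupported) so its directives are scoped and do not extend an earlier Match block.` The task's name, path and owner lines are above the hunk.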


@ -60,17 +60,31 @@
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
register: nonmatching
- name: Check content of configuration file (blocks)
assert:
that:
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
when:
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
- name: Check content of configuration file (blocks for RHEL 6)
assert:
that:
- "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv EDITOR')"
- "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv LS_COLORS')"
when:
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6'
- name: Check content of configuration file
assert:
that:
- "'AcceptEnv EDITOR' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
- "'PasswordAuthentication yes' in config.content | b64decode"
- "'Match user root' in config.content | b64decode"
- "'AllowAgentForwarding no' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
- "'AcceptEnv LS_COLORS' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
- "'PasswordAuthentication no' in config.content | b64decode"
- "'Match Address 127.0.0.1' in config.content | b64decode"
- "'AllowTcpForwarding no' in config.content | b64decode"
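Review bot: The two RHEL 6 assertions use `*` as a regex quantifier, not as the literal asterisk that `Match address *` writes into sshd_config: `Match address *\s*AcceptEnv EDITOR` means "Match address" followed by optional spaces and whitespace, so the `*` character in the rendered file is never consumed and `re.search` returns None, making this branch fail on the very platform it was added for. The asterisk needs escaping: `- "config.content | b64decode | regex_search('Match address \\*\\s*AcceptEnv EDITOR')"` and `- "config.content | b64decode | regex_search('Match address \\*\\s*AcceptEnv LS_COLORS')"`. The play continues past the end of the hunk, so I cannot see whether the `nonmatching` result registered above is asserted on; if it is, that `sshd -T` run is the check that would also catch a RHEL 6 sshd rejecting the generated Match block.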


@ -22,3 +22,4 @@ __sshd_defaults:
Subsystem: "sftp {{ sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_sysconfig_supports_use_strong_rng: true
__sshd_compat_match_all: Match address *
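Review bot: The RHEL 6 override carries no comment explaining that it replaces `Match all`, and its value is a plain scalar ending in `*`; the parse is valid today, but quoting it keeps reformatting tools and future edits (for example someone moving the `*` to the front, where it becomes an alias) from changing its meaning: `# OpenSSH 5.3 has no "Match all"; a wildcard address pattern is the closest equivalent` followed by `__sshd_compat_match_all: "Match address *"`. One caveat worth confirming on a real RHEL 6 host: old sshd releases accept only a limited set of keywords inside a Match block, and the tests in this commit expect `AcceptEnv` to sit under the block, so if 5.3 rejects it there sshd will refuse the config even though the Match line itself is now accepted. The file's remaining keys are outside the hunk.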


@ -5,3 +5,5 @@ __sshd_config_mode: "0600"
__sshd_hostkey_owner: "root"
__sshd_hostkey_group: "root"
__sshd_hostkey_mode: "0600"
# The OpenSSH 5.3 in RHEL6 does not support "Match all" so we need a workaround
__sshd_compat_match_all: Match all
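Review bot: The comment says a workaround is needed but not what it is or where it lives, so a reader of this file cannot tell that the value is meant to be overridden per OS and that it must always stay a single Match line (it is spliced in as the first line of the namespace block, where anything else would change how the following directives are scoped). I would extend it to: `# First line of the managed namespace block. Must be a single Match line; the OpenSSH 5.3 in RHEL 6 does not support "Match all", so the RHEL 6 vars file overrides this with an equivalent wildcard "Match address" line.` The rest of the file is outside the hunk.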