From 8a2dbf0f41d62b2f596f355424271f359c912caf Mon Sep 17 00:00:00 2001
From: Bob Vincent
Date: Thu, 9 Aug 2018 17:59:40 -0400
Subject: [PATCH 1/6] Fix error in 30_bottom.j2
---
meta/30_bottom.j2 | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/meta/30_bottom.j2 b/meta/30_bottom.j2
index d10b7d8..252ed85 100644
--- a/meta/30_bottom.j2
+++ b/meta/30_bottom.j2
@@ -5,29 +5,29 @@
 {{ match_block(sshd_match) -}}
 {% endif %}
 {% if sshd_match_1 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_1) -}}
 {% endif %}
 {% if sshd_match_2 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_2) -}}
 {% endif %}
 {% if sshd_match_3 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_3) -}}
 {% endif %}
 {% if sshd_match_4 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_4) -}}
 {% endif %}
 {% if sshd_match_5 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_5) -}}
 {% endif %}
 {% if sshd_match_6 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_6) -}}
 {% endif %}
 {% if sshd_match_7 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_7) -}}
 {% endif %}
 {% if sshd_match_8 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_8) -}}
 {% endif %}
 {% if sshd_match_9 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_9) -}}
 {% endif %}
From 275c9afcd41fefcb42864f0e5fe592171f774094 Mon Sep 17 00:00:00 2001
From: Bob Vincent
Date: Fri, 10 Aug 2018 13:56:24 -0400
Subject: [PATCH 2/6] Run tests in color.
---
.travis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 0b895ee..0a492c1 100644
--- a/.travis.yml
+++ b/.travis.yml
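Review bot: Until this fix every numbered block rendered `sshd_match`, so a Match stanza supplied as `sshd_match_1`…`sshd_match_9` never reached sshd_config and the unnumbered stanza was emitted in its place (or an undefined-variable error was raised when `sshd_match` was unset) — restrictions an operator believed were applied were silently dropped. Nothing in the series adds a regression test; `tests/test.yml` is outside this patch, but a render with only `sshd_match_1` set plus an assertion that its condition string appears in the output would stop this recurring. The nine copy-pasted blocks are what made the slip easy to make and hard to see; if the role only targets Ansible 2.x (the `.travis.yml` gate later in this series requires that), they can be collapsed into one loop over `vars` that keeps the same output order, as below, while the unnumbered `sshd_match` block — whose `{% if %}` opens above the hunk — stays as it is. Confirm first that `vars['sshd_match_1']` resolves a role default or playbook variable exactly as the bare name does on the Ansible versions you support.
```jinja
{# … unchanged: the sshd_match block whose {% if %} opens above this hunk … #}
{% for i in range(1, 10) %}
{% if vars['sshd_match_' ~ i] is defined %}
{{ match_block(vars['sshd_match_' ~ i]) -}}
{% endif %}
{% endfor %}
```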
@@ -16,10 +16,10 @@ install: script: # Check the roles syntax - - "ansible-playbook -i tests/inventory tests/test.yml --syntax-check" + - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check" # Run the role - - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo" + - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v" # Run the role/playbook again, checking to make sure it's idempotent. - > From 2973943f720468c87da1e65c1accd95a00c188d3 Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Fri, 10 Aug 2018 14:17:36 -0400 Subject: [PATCH 3/6] Ensure ansible version is 2.0 or greater. --- .travis.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 0a492c1..3a85aed 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,7 +15,13 @@ install: - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg" script: - # Check the roles syntax + # Check the ansible version. + - > + ansible --version + | grep -q '^ansible 2' + && (echo 'Ansible 2.0+ test: pass' && exit 0) + || (echo 'Ansible 2.0+ test: fail' && exit 1) + # Check the roles syntax. - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check" # Run the role From 9378cbd7cf9bbc66363d6a9a73cd6f2c553b0b9d Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Fri, 10 Aug 2018 10:56:38 -0400 Subject: [PATCH 4/6] Add missing options_body entries. --- meta/options_body | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/meta/options_body b/meta/options_body index 2111fb4..6ab1752 100644 --- a/meta/options_body +++ b/meta/options_body 
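Review bot: The new gate greps `ansible --version` for `^ansible 2`, which is an exact-major match rather than the "2.0 or greater" the commit message promises: it passes for every 2.x but will fail the build outright once a 3.x or `ansible [core …]` banner is printed. The `&& exit 0` inside the parenthesised subshell is inert, because `( … )` runs in a child shell and the pipeline's own status already decides the step; only the `exit 1` branch has any effect. A shorter form that states the lower bound and needs no pass branch is `ansible --version | head -n1 | grep -Eq '^ansible (2\.|[3-9])' || { echo 'Ansible 2.0+ test: fail' >&2; exit 1; }`. The `script:` list this hunk edits continues past the end of the hunk.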
@@ -6,12 +6,15 @@ HostKey
 AcceptEnv
 AllowAgentForwarding
 AllowGroups
+AllowStreamLocalForwarding
 AllowTcpForwarding
 AllowUsers
 AuthenticationMethods
 AuthorizedKeysCommand
 AuthorizedKeysCommandUser
 AuthorizedKeysFile
+AuthorizedPrincipalsCommand
+AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
 ChallengeResponseAuthentication
@@ -23,7 +26,11 @@ Compression
 DebianBanner
 DenyGroups
 DenyUsers
+DisableForwarding
+ExposeAuthInfo
+FingerprintHash
 ForceCommand
+GatewayPorts
 GSSAPIAuthentication
 GSSAPICleanupCredentials
 GSSAPIKeyExchange
@@ -34,6 +41,8 @@ HPNBufferSize
 HPNDisabled
 HostCertificate
 HostKeyAgent
+HostKeyAlgorithms
+HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
 IPQoS
@@ -60,15 +69,19 @@ PermitRootLogin
 PermitTTY
 PermitTunnel
 PermitUserEnvironment
+PermitUserRC
 PidFile
 PrintLastLog
 PrintMotd
+PubkeyAcceptedKeyTypes
 PubkeyAuthentication
 RSAAuthentication
 RekeyLimit
 RevokedKeys
+RDomain
 RhostsRSAAuthentication
 ServerKeyBits
+StreamLocalBindMask
 StreamLocalBindUnlink
 StrictModes
 Subsystem
From c52053b53e0a592e619e6c8a3ac35ff7899777a7 Mon Sep 17 00:00:00 2001
From: Bob Vincent
Date: Fri, 10 Aug 2018 10:56:49 -0400
Subject: [PATCH 5/6] Add missing options_match entries.
---
meta/options_match | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/meta/options_match b/meta/options_match
index e5099ce..2ff6d67 100644
--- a/meta/options_match
+++ b/meta/options_match
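Review bot: `RDomain` is inserted after `RevokedKeys` in the last hunk, which fits neither the ASCII order of its neighbours (`RSAAuthentication`, `RekeyLimit`, `RevokedKeys`) nor the case-insensitive order used by options_match, where the next patch places `RDomain` before `RekeyLimit`; under either rule it belongs immediately after `PubkeyAuthentication`. Because templates/sshd_config.j2 is regenerated from these files, the misplacement is copied into the generated template. sshd does not care about keyword order, but a consistently sorted list is what makes a missing keyword easy to spot by eye in these meta files, so move `RDomain` up and settle on one ordering rule for both files.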
@@ -1,33 +1,51 @@
+AcceptEnv
 AllowAgentForwarding
 AllowGroups
+AllowStreamLocalForwarding
 AllowTcpForwarding
 AllowUsers
 AuthenticationMethods
 AuthorizedKeysCommand
 AuthorizedKeysCommandUser
 AuthorizedKeysFile
+AuthorizedPrincipalsCommand
+AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
 ChrootDirectory
+ClientAliveCountMax
+ClientAliveInterval
 DenyGroups
 DenyUsers
 ForceCommand
 GatewayPorts
 GSSAPIAuthentication
+HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
+IPQoS
 KbdInteractiveAuthentication
 KerberosAuthentication
+LogLevel
 MaxAuthTries
 MaxSessions
 PasswordAuthentication
 PermitEmptyPasswords
 PermitOpen
 PermitRootLogin
+PermitTTY
 PermitTunnel
+PermitUserRC
+PubkeyAcceptedKeyTypes
 PubkeyAuthentication
+RDomain
+RekeyLimit
+RevokedKeys
 RhostsRSAAuthentication
 RSAAuthentication
+StreamLocalBindMask
+StreamLocalBindUnlink
+TrustedUserCAKeys
 X11DisplayOffset
 X11Forwarding
 X11UseLocalHost
From 3aa2d17876e190986dea18c2376c0e419c286de9 Mon Sep 17 00:00:00 2001
From: Bob Vincent
Date: Mon, 13 Aug 2018 21:31:05 -0400
Subject: [PATCH 6/6] Regenerate templates/sshd_config.j2 from meta files.
---
templates/sshd_config.j2 | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index a9915e7..bc92316 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
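Review bot: `DisableForwarding` and `ExposeAuthInfo`, which the previous patch adds to options_body, are not added here even though sshd_config(5) for OpenSSH 7.4/7.6 and later (where those keywords exist) lists both among the keywords permitted inside a `Match` block. Since templates/sshd_config.j2 is regenerated from these files, the omission means a per-user or per-group `DisableForwarding yes` — the most direct way to lock down a restricted account — cannot be expressed through the role, and the same goes for a per-Match `ExposeAuthInfo`. Add `DisableForwarding` after `DenyUsers` and `ExposeAuthInfo` directly after it, then regenerate the template. This is checked against upstream sshd_config(5); I am not aware of Debian's patched sshd (`DebianBanner` is in options_body) changing the Match keyword set, but verify on the target release.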
@@ -33,36 +33,54 @@
 {% if match_list is iterable %}
 {% for match in match_list %}
 Match {{ match["Condition"] }}
+{{ render_option("AcceptEnv",match["AcceptEnv"],true) -}}
 {{ render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
 {{ render_option("AllowGroups",match["AllowGroups"],true) -}}
+{{ render_option("AllowStreamLocalForwarding",match["AllowStreamLocalForwarding"],true) -}}
 {{ render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
 {{ render_option("AllowUsers",match["AllowUsers"],true) -}}
 {{ render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
 {{ render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
 {{ render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
 {{ render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
+{{ render_option("AuthorizedPrincipalsCommand",match["AuthorizedPrincipalsCommand"],true) -}}
+{{ render_option("AuthorizedPrincipalsCommandUser",match["AuthorizedPrincipalsCommandUser"],true) -}}
 {{ render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
 {{ render_option("Banner",match["Banner"],true) -}}
 {{ render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
+{{ render_option("ClientAliveCountMax",match["ClientAliveCountMax"],true) -}}
+{{ render_option("ClientAliveInterval",match["ClientAliveInterval"],true) -}}
 {{ render_option("DenyGroups",match["DenyGroups"],true) -}}
 {{ render_option("DenyUsers",match["DenyUsers"],true) -}}
 {{ render_option("ForceCommand",match["ForceCommand"],true) -}}
 {{ render_option("GatewayPorts",match["GatewayPorts"],true) -}}
 {{ render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
+{{ render_option("HostbasedAcceptedKeyTypes",match["HostbasedAcceptedKeyTypes"],true) -}}
 {{ render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
 {{ 
render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
+{{ render_option("IPQoS",match["IPQoS"],true) -}}
 {{ render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
 {{ render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
+{{ render_option("LogLevel",match["LogLevel"],true) -}}
 {{ render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
 {{ render_option("MaxSessions",match["MaxSessions"],true) -}}
 {{ render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
 {{ render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
 {{ render_option("PermitOpen",match["PermitOpen"],true) -}}
 {{ render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
+{{ render_option("PermitTTY",match["PermitTTY"],true) -}}
 {{ render_option("PermitTunnel",match["PermitTunnel"],true) -}}
+{{ render_option("PermitUserRC",match["PermitUserRC"],true) -}}
+{{ render_option("PubkeyAcceptedKeyTypes",match["PubkeyAcceptedKeyTypes"],true) -}}
 {{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
+{{ render_option("RDomain",match["RDomain"],true) -}}
+{{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
+{{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
 {{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
+{{ render_option("StreamLocalBindMask",match["StreamLocalBindMask"],true) -}}
+{{ render_option("StreamLocalBindUnlink",match["StreamLocalBindUnlink"],true) -}}
+{{ render_option("TrustedUserCAKeys",match["TrustedUserCAKeys"],true) -}}
 {{ render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
 {{ render_option("X11Forwarding",match["X11Forwarding"],true) -}}
 {{ render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
@@ -77,12 +95,15 @@ Match {{ match["Condition"] }}
 {{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
 {{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
 {{ body_option("AllowGroups",sshd_AllowGroups) -}}
+{{ body_option("AllowStreamLocalForwarding",sshd_AllowStreamLocalForwarding) -}}
 {{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
 {{ body_option("AllowUsers",sshd_AllowUsers) -}}
 {{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
 {{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
 {{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
 {{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
+{{ body_option("AuthorizedPrincipalsCommand",sshd_AuthorizedPrincipalsCommand) -}}
+{{ body_option("AuthorizedPrincipalsCommandUser",sshd_AuthorizedPrincipalsCommandUser) -}}
 {{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
 {{ body_option("Banner",sshd_Banner) -}}
 {{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
@@ -94,7 +115,11 @@ Match {{ match["Condition"] }}
 {{ body_option("DebianBanner",sshd_DebianBanner) -}}
 {{ body_option("DenyGroups",sshd_DenyGroups) -}}
 {{ body_option("DenyUsers",sshd_DenyUsers) -}}
+{{ body_option("DisableForwarding",sshd_DisableForwarding) -}}
+{{ body_option("ExposeAuthInfo",sshd_ExposeAuthInfo) -}}
+{{ body_option("FingerprintHash",sshd_FingerprintHash) -}}
 {{ body_option("ForceCommand",sshd_ForceCommand) -}}
+{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
 {{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
 {{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
 {{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
@@ -105,6 +130,8 @@ Match {{ match["Condition"] }}
 {{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
 {{ body_option("HostCertificate",sshd_HostCertificate) -}}
 {{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
+{{ body_option("HostKeyAlgorithms",sshd_HostKeyAlgorithms) -}}
+{{ body_option("HostbasedAcceptedKeyTypes",sshd_HostbasedAcceptedKeyTypes) -}}
 {{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
 {{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
 {{ body_option("IPQoS",sshd_IPQoS) -}}
@@ -131,15 +158,19 @@ Match {{ match["Condition"] }}
 {{ body_option("PermitTTY",sshd_PermitTTY) -}}
 {{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
 {{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
+{{ body_option("PermitUserRC",sshd_PermitUserRC) -}}
 {{ body_option("PidFile",sshd_PidFile) -}}
 {{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
 {{ body_option("PrintMotd",sshd_PrintMotd) -}}
+{{ body_option("PubkeyAcceptedKeyTypes",sshd_PubkeyAcceptedKeyTypes) -}}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
+{{ body_option("RDomain",sshd_RDomain) -}}
 {{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
 {{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
+{{ body_option("StreamLocalBindMask",sshd_StreamLocalBindMask) -}}
 {{ body_option("StreamLocalBindUnlink",sshd_StreamLocalBindUnlink) -}}
 {{ body_option("StrictModes",sshd_StrictModes) -}}
 {{ body_option("Subsystem",sshd_Subsystem) -}}
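Review bot: The template is regenerated by hand from the meta files and committed, and nothing in the series checks that the two stay in sync — which is how `RDomain` lands after `RevokedKeys` in this hunk (mirroring options_body) but before `RekeyLimit` in the Match block earlier in this file. A CI step that reruns the generator and then fails on `git diff --exit-code templates/sshd_config.j2` would catch a stale or hand-edited template; the generator itself is not in this series, so the exact invocation needs filling in. The top of the template is outside the hunk, so if it does not already say so, a header such as `{# Generated from meta/ by the project's generator; edit the meta files and regenerate, do not edit by hand #}` would tell the next maintainer where changes belong.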