Verify the Include is in main configuration file
... if the drop-in file is modified Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
fef8b17c6d
commit
9c202bd60e
7 changed files with 58 additions and 6 deletions
|
@ -81,3 +81,10 @@ __sshd_sysconfig_supports_use_strong_rng: false
|
|||
|
||||
__sshd_runtime_directory: false
|
||||
__sshd_runtime_directory_mode: "0755"
|
||||
|
||||
# If the system supports drop-in directory, it is configured in this variable. It is used
|
||||
# to distinguish if we are writing a configuration snippet or we should write defaults.
|
||||
__sshd_drop_in_dir: false
|
||||
# this is the path to the main sshd_config which is checked for Include directive when
|
||||
# drop-in directory is used
|
||||
__sshd_main_config_file: false
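Review bot: The new defaults `__sshd_drop_in_dir: false` and `__sshd_main_config_file: false` do not match the guards the new task puts on them, `__sshd_main_config_file is not none` and `__sshd_drop_in_dir is not none` (the hunk ending at the `Update configuration file snippet` task below): `false is not none` is true, so those two conditions never skip the task, and on a host without drop-in support the task is skipped only because the earlier `__sshd_defaults['Include'] | d(false)` check fails first. The templates take the other convention and test truthiness (`{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}`), so a `false` default only works there. Either make the defaults `__sshd_drop_in_dir: null` and `__sshd_main_config_file: null` so the `is not none` checks mean something (both values stay falsy for the templates), or change the two task conditions to `- __sshd_main_config_file is string` and `- __sshd_drop_in_dir is string`. I would also extend the comment above to say what the two possible value kinds are, e.g. `# false when the OS has no drop-in directory, otherwise the directory path (with trailing slash)`.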
|
||||
|
|
|
@ -20,6 +20,8 @@
|
|||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
|
||||
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
|
||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
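Review bot: The new `{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}` branch is an intentionally empty branch, and its comment says only "to avoid recursion" without saying what would recurse; this same branch and comment appear three times (here and in the two later template hunks at the same position). From the vars in this commit the reason seems to be that `__sshd_defaults` now carries `Include: /etc/ssh/sshd_config.d/*.conf`, so rendering the defaults into a file that lives in that directory would make the snippet include itself, but that is an inference from the other hunks, not from the template. I would make the comment carry it: `{# A file under the drop-in directory must not repeat the main-file defaults: __sshd_defaults includes the drop-in glob itself, so the snippet would include itself; leave value unset here #}`, and use the same text in the other two templates. The enclosing `{% for %}`/`{% if %}` structure starts and ends outside the hunk.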
|
||||
|
|
|
@ -148,6 +148,29 @@
|
|||
notify: reload_sshd
|
||||
when: sshd_config_namespace is none
|
||||
|
||||
- name: Make sure the include path is present in the main sshd_config
|
||||
lineinfile:
|
||||
insertbefore: BOF
|
||||
line: "Include {{ __sshd_defaults['Include'] }}"
|
||||
path: "{{ __sshd_main_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
group: "{{ sshd_config_group }}"
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
validate: >-
|
||||
{% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
|
||||
{{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
|
||||
{% else %}
|
||||
{{ sshd_binary }} -t -f %s
|
||||
{% endif %}
|
||||
backup: "{{ sshd_backup }}"
|
||||
notify: reload_sshd
|
||||
when:
|
||||
- sshd_config_namespace is none
|
||||
- __sshd_defaults['Include'] | d(false)
|
||||
- __sshd_main_config_file is not none
|
||||
- __sshd_drop_in_dir is not none
|
||||
- sshd_config_file.startswith(__sshd_drop_in_dir)
|
||||
|
||||
- name: Update configuration file snippet
|
||||
vars:
|
||||
sshd_skip_defaults: true
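Review bot: The new `lineinfile` task guarantees that an exact `Include {{ __sshd_defaults['Include'] }}` line exists somewhere in the main config, but not that it comes first, which is what gives the drop-in snippet precedence under sshd's first-value-wins rule: if a distro or admin already has the Include line below other directives, `line:` matches it as present, `insertbefore: BOF` is never applied, and the role's settings in the snippet silently lose to the earlier lines. The same exact-text match also misses an Include written with different whitespace or a different glob, in which case a second Include is prepended and the file carries two. The task does what the commit title claims; I would make the limitation explicit with a comment on the task, `# Ensures the Include exists; it does not move an existing Include to the top, so a main-file directive placed before it still takes precedence over the snippet (sshd uses the first value obtained)`, and consider a `regexp: '^\s*Include\s'` match so whitespace variants are recognised rather than duplicated. Note the `validate` with `sshd -t` checks syntax and keys only, so a misplaced Include passes validation.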
|
||||
|
|
|
@ -21,6 +21,8 @@
|
|||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
|
||||
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
|
||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||||
|
|
|
@ -20,6 +20,8 @@
|
|||
{% set value = override %}
|
||||
{% elif sshd[key] is defined %}
|
||||
{% set value = sshd[key] %}
|
||||
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
|
||||
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
|
||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||||
|
|
|
@ -1,14 +1,19 @@
|
|||
---
|
||||
__sshd_os_supported: yes
|
||||
|
||||
sshd_packages:
|
||||
- openssh
|
||||
- openssh-server
|
||||
sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||
# Fedora 32 ships with drop-in directory support so we touch
|
||||
# just included file with highest priority by default and have
|
||||
# empty defaults
|
||||
# just included file with highest priority by default
|
||||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
# the defaults here represent the defaults shipped in the main sshd_config
|
||||
__sshd_defaults:
|
||||
__sshd_os_supported: yes
|
||||
Include: /etc/ssh/sshd_config.d/*.conf
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
Subsystem: sftp /usr/libexec/sftp-server
|
||||
|
||||
__sshd_verify_hostkeys_default:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
|
@ -17,3 +22,6 @@ __sshd_hostkeys_nofips:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
||||
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
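Review bot: `Subsystem: sftp /usr/libexec/sftp-server` in the new `__sshd_defaults` does not agree with `sshd_sftp_server: /usr/libexec/openssh/sftp-server` a few lines above in the same file, and the same pair appears in the RHEL 9 vars hunk below; if the `openssh/` component is the correct one (as the existing `sshd_sftp_server` suggests), a host where the defaults get rendered into the main config would get a Subsystem line pointing at a missing binary. `sshd -t` in the task's `validate` checks configuration syntax, not that the subsystem executable exists, so this would only show up as failing SFTP sessions. The comment says these values "represent the defaults shipped in the main sshd_config", so I would check them against the distribution's shipped file and change the line to `Subsystem: sftp /usr/libexec/openssh/sftp-server` (or `Subsystem: "sftp {{ sshd_sftp_server }}"` so there is a single source of truth) in both vars files. Separately, the rendered page does not show which side `__sshd_os_supported: yes` nested under `__sshd_defaults:` belongs to; if it survives on the new side it is a stray key in the defaults mapping and should be dropped.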
|
||||
|
|
|
@ -1,14 +1,19 @@
|
|||
---
|
||||
__sshd_os_supported: yes
|
||||
|
||||
sshd_packages:
|
||||
- openssh
|
||||
- openssh-server
|
||||
sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||
# RHEL 9 ships with drop-in directory support so we touch
|
||||
# just included file with highest priority by default and have
|
||||
# empty defaults
|
||||
# just included file with highest priority by default
|
||||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
# the defaults here represent the defaults shipped in the main sshd_config
|
||||
__sshd_defaults:
|
||||
__sshd_os_supported: yes
|
||||
Include: /etc/ssh/sshd_config.d/*.conf
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
Subsystem: sftp /usr/libexec/sftp-server
|
||||
|
||||
__sshd_verify_hostkeys_default:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
|
@ -17,3 +22,6 @@ __sshd_hostkeys_nofips:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
||||
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||
|
|