Verify the Include is in main configuration file
... if drop-in file is modified Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
fef8b17c6d
commit
9c202bd60e
7 changed files with 58 additions and 6 deletions
|
@ -81,3 +81,10 @@ __sshd_sysconfig_supports_use_strong_rng: false
|
||||||
|
|
||||||
__sshd_runtime_directory: false
|
__sshd_runtime_directory: false
|
||||||
__sshd_runtime_directory_mode: "0755"
|
__sshd_runtime_directory_mode: "0755"
|
||||||
|
|
||||||
|
# If the system supports drop-in directory, it is configured in this variable. It is used
|
||||||
|
# to distinguish if we are writing a configuration snippet or we should write defaults.
|
||||||
|
__sshd_drop_in_dir: false
|
||||||
|
# this is the path to the main sshd_config which is checked for Include directive when
|
||||||
|
# drop-in directory is used
|
||||||
|
__sshd_main_config_file: false
|
||||||
|
|
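Review bot: The `false` sentinels chosen for `__sshd_drop_in_dir` and `__sshd_main_config_file` do not match how the new task in the third hunk tests them: its conditions `__sshd_main_config_file is not none` and `__sshd_drop_in_dir is not none` are always true for `false`, so on a platform without a drop-in directory only the separate `__sshd_defaults['Include'] | d(false)` condition stands between the task and evaluating `sshd_config_file.startswith(false)`. Either make these defaults `null`, which satisfies both the `is not none` tests and the templates' truthiness test (`__sshd_drop_in_dir and …`), or change the two task conditions to plain truthiness, `- __sshd_main_config_file` and `- __sshd_drop_in_dir`, matching the templates. A comment here saying which convention call sites must use, e.g. `# false when the platform has no drop-in directory; callers test for truthiness`, would keep the four consumers aligned.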
|
@ -20,6 +20,8 @@
|
||||||
{% set value = override %}
|
{% set value = override %}
|
||||||
{% elif sshd[key] is defined %}
|
{% elif sshd[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = sshd[key] %}
|
||||||
|
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
|
||||||
|
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
|
||||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||||||
|
|
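Review bot: The new `elif` branch introduces the prefix test `__sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir)` verbatim in three templates (this hunk and the ones ending at L270 and L314) and the task hunk repeats it as a `when` condition, so any later change to how a drop-in file is detected has to be made in four places. Computing it once in the tasks, e.g. `__sshd_is_drop_in: "{{ __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) }}"`, and referencing that name in the templates and the `when` would remove the drift risk. The branch also deliberately leaves `value` unset; the comment should say so, since the code after the `if`/`elif` chain, which is outside this hunk, has to tolerate an undefined `value` for the matched key, and that is not visible here.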
|
@ -148,6 +148,29 @@
|
||||||
notify: reload_sshd
|
notify: reload_sshd
|
||||||
when: sshd_config_namespace is none
|
when: sshd_config_namespace is none
|
||||||
|
|
||||||
|
- name: Make sure the include path is present in the main sshd_config
|
||||||
|
lineinfile:
|
||||||
|
insertbefore: BOF
|
||||||
|
line: "Include {{ __sshd_defaults['Include'] }}"
|
||||||
|
path: "{{ __sshd_main_config_file }}"
|
||||||
|
owner: "{{ sshd_config_owner }}"
|
||||||
|
group: "{{ sshd_config_group }}"
|
||||||
|
mode: "{{ sshd_config_mode }}"
|
||||||
|
validate: >-
|
||||||
|
{% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
|
||||||
|
{{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
|
||||||
|
{% else %}
|
||||||
|
{{ sshd_binary }} -t -f %s
|
||||||
|
{% endif %}
|
||||||
|
backup: "{{ sshd_backup }}"
|
||||||
|
notify: reload_sshd
|
||||||
|
when:
|
||||||
|
- sshd_config_namespace is none
|
||||||
|
- __sshd_defaults['Include'] | d(false)
|
||||||
|
- __sshd_main_config_file is not none
|
||||||
|
- __sshd_drop_in_dir is not none
|
||||||
|
- sshd_config_file.startswith(__sshd_drop_in_dir)
|
||||||
|
|
||||||
- name: Update configuration file snippet
|
- name: Update configuration file snippet
|
||||||
vars:
|
vars:
|
||||||
sshd_skip_defaults: true
|
sshd_skip_defaults: true
|
||||||
|
|
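Review bot: `lineinfile` at L124 is given `line` and `insertbefore: BOF` but no `regexp`, so it only recognises an existing Include directive when the line is byte-identical; a main sshd_config that already carries the directive with different spacing or a different glob spelling gets a second `Include` inserted at the top of the file, and sshd_config's first-match semantics then silently change which snippet wins. Adding `regexp: '^\s*Include\s+{{ __sshd_defaults["Include"] | regex_escape }}\s*$'` makes the task replace such a line rather than duplicate it. Separately, `owner`/`group`/`mode` at L140-L148 apply the snippet's `sshd_config_owner`/`sshd_config_group`/`sshd_config_mode` to the main sshd_config; if an operator tuned those for the drop-in file, this task rewrites the main file's ownership and mode as a side effect, which deserves at least a comment such as `# NOTE: reuses the snippet's owner/group/mode for the main config` or a dedicated variable. The task list this block belongs to continues outside the hunk.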
|
@ -21,6 +21,8 @@
|
||||||
{% set value = override %}
|
{% set value = override %}
|
||||||
{% elif sshd[key] is defined %}
|
{% elif sshd[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = sshd[key] %}
|
||||||
|
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
|
||||||
|
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
|
||||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||||||
|
|
|
@ -20,6 +20,8 @@
|
||||||
{% set value = override %}
|
{% set value = override %}
|
||||||
{% elif sshd[key] is defined %}
|
{% elif sshd[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = sshd[key] %}
|
||||||
|
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
|
||||||
|
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
|
||||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||||
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||||||
|
|
|
@ -1,14 +1,19 @@
|
||||||
---
|
---
|
||||||
|
__sshd_os_supported: yes
|
||||||
|
|
||||||
sshd_packages:
|
sshd_packages:
|
||||||
- openssh
|
- openssh
|
||||||
- openssh-server
|
- openssh-server
|
||||||
sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||||
# Fedora 32 ships with drop-in directory support so we touch
|
# Fedora 32 ships with drop-in directory support so we touch
|
||||||
# just included file with highest priority by default and have
|
# just included file with highest priority by default
|
||||||
# empty defaults
|
|
||||||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
|
# the defaults here represent the defaults shipped in the main sshd_config
|
||||||
__sshd_defaults:
|
__sshd_defaults:
|
||||||
__sshd_os_supported: yes
|
Include: /etc/ssh/sshd_config.d/*.conf
|
||||||
|
AuthorizedKeysFile: .ssh/authorized_keys
|
||||||
|
Subsystem: sftp /usr/libexec/sftp-server
|
||||||
|
|
||||||
__sshd_verify_hostkeys_default:
|
__sshd_verify_hostkeys_default:
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
- /etc/ssh/ssh_host_rsa_key
|
||||||
- /etc/ssh/ssh_host_ecdsa_key
|
- /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
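Review bot: The new `Subsystem: sftp /usr/libexec/sftp-server` default at L389 disagrees with `sshd_sftp_server: /usr/libexec/openssh/sftp-server` a few rows above in the same file; if `sshd_config_file` is ever pointed outside the drop-in directory, the rendered config would name a binary path that the rest of this file says is not the platform's sftp server, and sftp would stop working until the line is fixed by hand. The same mismatch is at L516 in the RHEL 9 vars. Deriving it, `Subsystem: "sftp {{ sshd_sftp_server }}"`, keeps the two values in step. Also, the relocated `__sshd_os_supported: yes` at L325 (and L452) is a YAML 1.1 truthy spelling; writing `true` keeps yamllint's `truthy` rule and YAML 1.2 parsers in agreement with what Ansible reads.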
@ -17,3 +22,6 @@ __sshd_hostkeys_nofips:
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
__sshd_hostkey_group: ssh_keys
|
__sshd_hostkey_group: ssh_keys
|
||||||
__sshd_hostkey_mode: "0640"
|
__sshd_hostkey_mode: "0640"
|
||||||
|
|
||||||
|
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
|
||||||
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
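Review bot: `__sshd_drop_in_dir: /etc/ssh/sshd_config.d/` at L433 depends on its trailing slash: the templates and the new task test `sshd_config_file.startswith(__sshd_drop_in_dir)`, so without the slash a constructed example like `/etc/ssh/sshd_config.d-old/x.conf` would also be treated as a drop-in file and lose its defaults. A comment on the line, `# trailing slash is significant: callers use a startswith() prefix test`, records that; the same applies to L560 in the RHEL 9 vars. Since this directory is also what the `Include` default at L381 globs, a comment tying the two values together (or deriving one from the other) would stop them drifting apart.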
|
@ -1,14 +1,19 @@
|
||||||
---
|
---
|
||||||
|
__sshd_os_supported: yes
|
||||||
|
|
||||||
sshd_packages:
|
sshd_packages:
|
||||||
- openssh
|
- openssh
|
||||||
- openssh-server
|
- openssh-server
|
||||||
sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||||
# RHEL 9 ships with drop-in directory support so we touch
|
# RHEL 9 ships with drop-in directory support so we touch
|
||||||
# just included file with highest priority by default and have
|
# just included file with highest priority by default
|
||||||
# empty defaults
|
|
||||||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
|
# the defaults here represent the defaults shipped in the main sshd_config
|
||||||
__sshd_defaults:
|
__sshd_defaults:
|
||||||
__sshd_os_supported: yes
|
Include: /etc/ssh/sshd_config.d/*.conf
|
||||||
|
AuthorizedKeysFile: .ssh/authorized_keys
|
||||||
|
Subsystem: sftp /usr/libexec/sftp-server
|
||||||
|
|
||||||
__sshd_verify_hostkeys_default:
|
__sshd_verify_hostkeys_default:
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
- /etc/ssh/ssh_host_rsa_key
|
||||||
- /etc/ssh/ssh_host_ecdsa_key
|
- /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
@ -17,3 +22,6 @@ __sshd_hostkeys_nofips:
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
__sshd_hostkey_group: ssh_keys
|
__sshd_hostkey_group: ssh_keys
|
||||||
__sshd_hostkey_mode: "0640"
|
__sshd_hostkey_mode: "0640"
|
||||||
|
|
||||||
|
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
|
||||||
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|