Verify the Include is in main configuration file

... if drop-in file is modified

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
Jakub Jelen 2022-04-06 14:01:13 +02:00 committed by Jakub Jelen
parent fef8b17c6d
commit 9c202bd60e
7 changed files with 58 additions and 6 deletions

View file

@ -81,3 +81,10 @@ __sshd_sysconfig_supports_use_strong_rng: false
__sshd_runtime_directory: false __sshd_runtime_directory: false
__sshd_runtime_directory_mode: "0755" __sshd_runtime_directory_mode: "0755"
# If the system supports drop-in directory, it is configured in this variable. It is used
# to distinguish if we are writing a configuration snippet or we should write defaults.
__sshd_drop_in_dir: false
# this is the path to the main sshd_config which is checked for Include directive when
# drop-in directory is used
__sshd_main_config_file: false

View file

@ -20,6 +20,8 @@
{% set value = override %} {% set value = override %}
{% elif sshd[key] is defined %} {% elif sshd[key] is defined %}
{% set value = sshd[key] %} {% set value = sshd[key] %}
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
{% if key == 'HostKey' and __sshd_fips_mode %} {% if key == 'HostKey' and __sshd_fips_mode %}
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} {% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}

View file

@ -148,6 +148,29 @@
notify: reload_sshd notify: reload_sshd
when: sshd_config_namespace is none when: sshd_config_namespace is none
- name: Make sure the include path is present in the main sshd_config
lineinfile:
insertbefore: BOF
line: "Include {{ __sshd_defaults['Include'] }}"
path: "{{ __sshd_main_config_file }}"
owner: "{{ sshd_config_owner }}"
group: "{{ sshd_config_group }}"
mode: "{{ sshd_config_mode }}"
validate: >-
{% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
{{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
{% else %}
{{ sshd_binary }} -t -f %s
{% endif %}
backup: "{{ sshd_backup }}"
notify: reload_sshd
when:
- sshd_config_namespace is none
- __sshd_defaults['Include'] | d(false)
- __sshd_main_config_file is not none
- __sshd_drop_in_dir is not none
- sshd_config_file.startswith(__sshd_drop_in_dir)
- name: Update configuration file snippet - name: Update configuration file snippet
vars: vars:
sshd_skip_defaults: true sshd_skip_defaults: true

View file

@ -21,6 +21,8 @@
{% set value = override %} {% set value = override %}
{% elif sshd[key] is defined %} {% elif sshd[key] is defined %}
{% set value = sshd[key] %} {% set value = sshd[key] %}
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
{% if key == 'HostKey' and __sshd_fips_mode %} {% if key == 'HostKey' and __sshd_fips_mode %}
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} {% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}

View file

@ -20,6 +20,8 @@
{% set value = override %} {% set value = override %}
{% elif sshd[key] is defined %} {% elif sshd[key] is defined %}
{% set value = sshd[key] %} {% set value = sshd[key] %}
{% elif __sshd_drop_in_dir and sshd_config_file.startswith(__sshd_drop_in_dir) %}
{# The drop-in directory does not use the defaults from main file to avoid recursion #}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
{% if key == 'HostKey' and __sshd_fips_mode %} {% if key == 'HostKey' and __sshd_fips_mode %}
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} {% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}

View file

@ -1,14 +1,19 @@
--- ---
__sshd_os_supported: yes
sshd_packages: sshd_packages:
- openssh - openssh
- openssh-server - openssh-server
sshd_sftp_server: /usr/libexec/openssh/sftp-server sshd_sftp_server: /usr/libexec/openssh/sftp-server
# Fedora 32 ships with drop-in directory support so we touch # Fedora 32 ships with drop-in directory support so we touch
# just included file with highest priority by default and have # just included file with highest priority by default
# empty defaults
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_defaults: __sshd_defaults:
__sshd_os_supported: yes Include: /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile: .ssh/authorized_keys
Subsystem: sftp /usr/libexec/sftp-server
__sshd_verify_hostkeys_default: __sshd_verify_hostkeys_default:
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ecdsa_key
@ -17,3 +22,6 @@ __sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys __sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640" __sshd_hostkey_mode: "0640"
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
__sshd_main_config_file: /etc/ssh/sshd_config

View file

@ -1,14 +1,19 @@
--- ---
__sshd_os_supported: yes
sshd_packages: sshd_packages:
- openssh - openssh
- openssh-server - openssh-server
sshd_sftp_server: /usr/libexec/openssh/sftp-server sshd_sftp_server: /usr/libexec/openssh/sftp-server
# RHEL 9 ships with drop-in directory support so we touch # RHEL 9 ships with drop-in directory support so we touch
# just included file with highest priority by default and have # just included file with highest priority by default
# empty defaults
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_defaults: __sshd_defaults:
__sshd_os_supported: yes Include: /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile: .ssh/authorized_keys
Subsystem: sftp /usr/libexec/sftp-server
__sshd_verify_hostkeys_default: __sshd_verify_hostkeys_default:
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ecdsa_key
@ -17,3 +22,6 @@ __sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys __sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640" __sshd_hostkey_mode: "0640"
__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
__sshd_main_config_file: /etc/ssh/sshd_config