Merge pull request #135 from Jakuje/cleanup
Cleanup lint issues, update documentation, fix typos
This commit is contained in:
commit
b598348356
12 changed files with 123 additions and 108 deletions
49
.github/workflows/ansible-lint.yml
vendored
|
@ -6,33 +6,34 @@ jobs:
test-ansible28:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.8
|
||||
args: ""
|
||||
- uses: actions/checkout@v2
|
||||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.8
|
||||
args: ""
|
||||
test-ansible29:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.9
|
||||
args: ""
|
||||
- uses: actions/checkout@v2
|
||||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test_*.yml
|
||||
override-deps: |
|
||||
ansible==2.9
|
||||
args: ""
|
||||
test-ansible210:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.10
|
||||
args: ""
|
||||
- uses: actions/checkout@v2
|
||||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.10
|
||||
args: ""
|
||||
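Review bot: All three jobs pull `ansible/ansible-lint-action@master` and `actions/checkout@v2` by mutable reference, so whatever is pushed to that branch or tag next runs against this repository's checkout on every lint run; pin both to a full commit SHA with the version kept in a trailing comment, e.g. `uses: ansible/ansible-lint-action@<commit-sha>  # vX.Y`. The new side of the test-ansible29 job also shows `targets: "tests/test_*.yml` with no closing quote; if that is the file content rather than a rendering artefact the workflow YAML will not parse, so it should read `targets: "tests/test_*.yml"` like the other two jobs. The three jobs differ only in the `ansible==` pin, which is what a `strategy.matrix` over the three versions expresses in a quarter of the lines, but that is a style preference rather than a defect.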
18
README.md
18
README.md
|
@ -21,18 +21,18 @@ before using in production!
|
|||
Ubuntu. This is not the default assigned by this module - it will set
|
||||
`PermitRootLogin without-password` which will allow access via SSH key but not
|
||||
via simple password. If you need this functionality, be sure to set
|
||||
`ssh_PermitRootLogin yes` for those hosts.
|
||||
`sshd_PermitRootLogin yes` for those hosts.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
Tested on:
|
||||
|
||||
* Ubuntu precise, trusty
|
||||
* Debian wheezy, jessie
|
||||
* Ubuntu precise, trusty, xenial, bionic, focal
|
||||
* Debian wheezy, jessie, stretch, buster
|
||||
* FreeBSD 10.1
|
||||
* EL 6,7 derived distributions
|
||||
* Fedora 22, 23
|
||||
* EL 6, 7, 8 derived distributions
|
||||
* Fedora 31, 32, 33
|
||||
* OpenBSD 6.0
|
||||
* AIX 7.1, 7.2
|
||||
|
||||
|
@ -60,15 +60,15 @@ variables. Defaults to *False*.
|
|||
If set to False, the service/daemon won't be **managed** at all, i.e. will not
|
||||
try to enable on boot or start or reload the service. Defaults to *True*
|
||||
unless: Running inside a docker container (it is assumed ansible is used during
|
||||
build phase) or AIX (Ansible `service` module does not currently support `enabled`
|
||||
build phase) or AIX (Ansible `service` module does not currently support `enabled`
|
||||
for AIX)
|
||||
|
||||
* `sshd_allow_reload`
|
||||
|
||||
If set to False, a reload of sshd wont happen on change. This can help with
|
||||
troubleshooting. You'll need to manually reload sshd if you want to apply the
|
||||
changed configuration. Defaults to the same value as ``sshd_manage_service``.
|
||||
(Except on AIX, where `sshd_manage_service` is default *False*, but
|
||||
changed configuration. Defaults to the same value as ``sshd_manage_service``.
|
||||
(Except on AIX, where `sshd_manage_service` is default *False*, but
|
||||
`sshd_allow_reload` is default *True*)
|
||||
|
||||
* `sshd_install_service`
|
||||
|
@ -97,7 +97,7 @@ sshd:
|
|||
- 0.0.0.0
|
||||
```
|
||||
|
||||
* `ssh_...`
|
||||
* `sshd_...`
|
||||
|
||||
Simple variables can be used rather than a dict. Simple values override dict
|
||||
values. e.g.:
|
||||
@ -1,7 +1,7 @@
|
|||
---
|
||||
### USER OPTIONS
|
||||
# Set to False to disable this role completely
|
||||
sshd_enable: True
|
||||
# Set to false to disable this role completely
|
||||
sshd_enable: true
|
||||
|
||||
# Don't apply OS defaults when set to true
|
||||
sshd_skip_defaults: false
|
||||
|
@ -21,7 +21,7 @@ sshd_service_template_socket: sshd.socket.j2
|
|||
sshd_allow_reload: true
|
||||
|
||||
# If the below is true, create a backup of the config file when the template is copied
|
||||
sshd_backup: false
|
||||
sshd_backup: true
|
||||
|
||||
# Empty dicts to avoid errors
|
||||
sshd: {}
|
||||
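Review bot: `sshd_backup` appears to flip from `false` to `true` in this hunk, which is a behavioural change (every run that rewrites the config now leaves a timestamped copy beside it) in a commit described as lint cleanup and typo fixes, and it is not mentioned in the commit message; the README entry for this variable, if there is one, needs the same update. Where the managed file is a drop-in (`/etc/ssh/sshd_config.d/00-ansible_system_role.conf`, as this commit sets for Fedora 32+), confirm that the backup name Ansible generates does not match sshd's `Include` glob, otherwise stale copies would be read as live configuration; as far as I know the suffix ends in `~` and so escapes `*.conf`, but it is worth a sentence in the comment above the variable, e.g. `# Backup copies are written beside the managed file; on drop-in systems their suffix must not match the Include glob.`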
@ -11,7 +11,7 @@
|
|||
- ansible_os_family != 'AIX'
|
||||
listen: reload_sshd
|
||||
|
||||
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
|
||||
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
|
||||
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
|
||||
# Instead, use a dirty shell script:
|
||||
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
|
||||
@ -6,50 +6,51 @@ galaxy_info:
|
|||
license: LGPLv3
|
||||
min_ansible_version: 2.8
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- wheezy
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- precise
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- focal
|
||||
- name: FreeBSD
|
||||
version:
|
||||
- 10.1
|
||||
- name: EL
|
||||
versions:
|
||||
- 6
|
||||
- 7
|
||||
- 8
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 22
|
||||
- 23
|
||||
- name: OpenBSD
|
||||
versions:
|
||||
- 6.0
|
||||
- name: AIX
|
||||
versions:
|
||||
- 7.1
|
||||
- 7.2
|
||||
- name: Debian
|
||||
versions:
|
||||
- wheezy
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- precise
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- focal
|
||||
- name: FreeBSD
|
||||
version:
|
||||
- 10.1
|
||||
- name: EL
|
||||
versions:
|
||||
- 6
|
||||
- 7
|
||||
- 8
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 31
|
||||
- 32
|
||||
- 33
|
||||
- name: OpenBSD
|
||||
versions:
|
||||
- 6.0
|
||||
- name: AIX
|
||||
versions:
|
||||
- 7.1
|
||||
- 7.2
|
||||
galaxy_tags:
|
||||
- networking
|
||||
- system
|
||||
- ssh
|
||||
- openssh
|
||||
- sshd
|
||||
- server
|
||||
- ubuntu
|
||||
- debian
|
||||
- centos
|
||||
- redhat
|
||||
- freebsd
|
||||
- openbsd
|
||||
- aix
|
||||
- networking
|
||||
- system
|
||||
- ssh
|
||||
- openssh
|
||||
- sshd
|
||||
- server
|
||||
- ubuntu
|
||||
- debian
|
||||
- centos
|
||||
- redhat
|
||||
- freebsd
|
||||
- openbsd
|
||||
- aix
|
||||
dependencies: []
|
||||
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: OS is supported
|
||||
meta: end_host
|
||||
when:
|
||||
when:
|
||||
- not __sshd_os_supported|bool
|
||||
|
||||
- name: Install ssh packages
|
||||
@ -1,6 +1,8 @@
|
|||
---
|
||||
__sshd_config_mode: '0644'
|
||||
__sshd_packages: [ ] # sshd is not installed by yum / AIX toolbox for Linux. You'll need to manually install them using AIX Web Download Packs.
|
||||
# sshd is not installed by yum / AIX toolbox for Linux.
|
||||
# You'll need to manually install them using AIX Web Download Packs.
|
||||
__sshd_packages: []
|
||||
__sshd_sftp_server: /usr/sbin/sftp-server
|
||||
__sshd_config_group: system
|
||||
__sshd_defaults:
|
||||
@ -10,7 +10,7 @@ __sshd_defaults:
|
|||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
|
||||
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
|
||||
KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
|
||||
MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
|
||||
SyslogFacility: AUTH
|
||||
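Review bot: `HostKeyAlgorithms` on the new side still lists `ssh-rsa` but neither `rsa-sha2-256` nor `rsa-sha2-512`, so the RSA key under `HostKey` can only ever be offered with a SHA-1 signature; clients that refuse `ssh-rsa` (OpenSSH 8.8 and later do by default) fall back to the ed25519 key, while older clients are steered to SHA-1 even though the KEX and MAC lists in the same block are otherwise modern. The visible change to this line looks like whitespace only, so this is a point about the defaults as they stand rather than about what the commit does. Consider `HostKeyAlgorithms: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256`, keeping `ssh-rsa` at the end only if the oldest OpenSSH this vars file serves predates 7.2, where the rsa-sha2 algorithms appeared; I cannot tell from the hunk which platforms this file covers, so check that against the supported versions.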
@ -3,23 +3,9 @@ __sshd_packages:
|
|||
- openssh
|
||||
- openssh-server
|
||||
__sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||
# Fedora 32 ships with drop-in directory support so we touch
|
||||
# just included file with highest priority by default and have
|
||||
# empty defaults
|
||||
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
__sshd_defaults:
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
SyslogFacility: AUTHPRIV
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
|
||||
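Review bot: `__sshd_defaults:` appears to survive as a context line with nothing under it on the new side (the hunk's 23 old and 9 new lines only add up if it is kept while the 18 lines beneath it go), and a bare key parses as `null`, not the empty mapping the new comment promises; whatever later merges it with the user's `sshd` dict (presumably a `combine`) will then error or silently skip, so write `__sshd_defaults: {}` explicitly. The drop-in approach also depends on the distribution's `/etc/ssh/sshd_config` still carrying its `Include /etc/ssh/sshd_config.d/*.conf` line, which deserves a sentence in the comment, e.g. `# Relies on the stock Include of sshd_config.d/*.conf in /etc/ssh/sshd_config; if a host has removed it this file is never read.` `__sshd_os_supported: yes` is still a bare YAML 1.1 boolean in the same hunk that this commit changes `True` to `true` in defaults/main.yml; `__sshd_os_supported: true` keeps the truthy rule consistent.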
25
vars/Fedora_31.yml
Normal file
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
__sshd_packages:
|
||||
- openssh
|
||||
- openssh-server
|
||||
__sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||
__sshd_defaults:
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
SyslogFacility: AUTHPRIV
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
__sshd_os_supported: yes
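Review bot: This new file writes `PasswordAuthentication: yes`, `GSSAPIAuthentication: yes`, `UsePAM: yes` and `X11Forwarding: yes` as bare scalars, which YAML 1.1 loaders such as Ansible's turn into Python `True` rather than the string `yes` that sshd expects; whether that renders correctly depends on the template, which is not in this commit, so either quote them (`PasswordAuthentication: 'yes'`) or say in a header comment that the template maps booleans to `yes`/`no`. A header comment is missing in any case: these values enable password logins, GSSAPI and X11 forwarding, and a reader needs to know they are meant to reproduce Fedora's shipped sshd_config so that hardening belongs in the `sshd` dict and not here, e.g. `# Mirrors the sshd_config shipped by Fedora 31; tighten via the sshd/sshd_* variables, not by editing these defaults.` I infer the "mirrors the distro" intent from the README wording about OS defaults elsewhere in this commit, so confirm it before adding the comment.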
@ -13,9 +13,9 @@ __sshd_defaults:
|
|||
PasswordAuthentication: yes
|
||||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: yes
|
||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||
GSSAPICleanupCredentials: no
|
||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
UsePrivilegeSeparation: sandbox
|
||||
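Review bot: `GSSAPICleanupCredentials` changes from `yes` to `no` on the new side of this hunk, which means Kerberos credential caches are no longer destroyed at logout; that is a security-relevant behavioural change buried in a commit described as lint cleanup, documentation and typo fixes, and the commit message should name it. It does bring this file in line with the `no` used in the other vars files in this commit and presumably with the distribution's shipped sshd_config, but that reasoning belongs in the commit record or a comment, e.g. `# GSSAPICleanupCredentials no matches the stock RHEL/CentOS sshd_config.` I cannot tell from the hunk which EL release this vars file serves, so verify the stock value for that release before settling on the comment text.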
@ -14,8 +14,8 @@ __sshd_defaults:
|
|||
ChallengeResponseAuthentication: no
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: no
|
||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
PrintMotd: no
|
||||