Merge pull request #135 from Jakuje/cleanup

Cleanup lint issues, update documentation, fix typos
Matt Willsher 2020-09-23 21:28:53 +01:00 committed by GitHub
commit b598348356
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 123 additions and 108 deletions


@ -6,33 +6,34 @@ jobs:
test-ansible28:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "tests/test_*.yml"
override-deps: |
ansible==2.8
args: ""
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "tests/test_*.yml"
override-deps: |
ansible==2.8
args: ""
test-ansible29:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "tests/test_*.yml"
override-deps: |
ansible==2.9
args: ""
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "tests/test_*.yml
override-deps: |
ansible==2.9
args: ""
test-ansible210:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "tests/test_*.yml"
override-deps: |
ansible==2.10
args: ""
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "tests/test_*.yml"
override-deps: |
ansible==2.10
args: ""
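Review bot: In the `test-ansible29` job the `targets` value is rendered as `targets: "tests/test_*.yml` with no closing quote, while the other two jobs close it. If that is in the committed file rather than an artifact of this page, the double-quoted scalar runs on into the following lines and the workflow will not parse; it should read `targets: "tests/test_*.yml"`. Separately, all three jobs run `ansible/ansible-lint-action@master`, a mutable branch reference, so whatever lands on that branch executes in this repository's CI. Pinning it to a full commit SHA (`uses: ansible/ansible-lint-action@<commit-sha>`) makes the lint run reproducible and reviewable, and the same applies to a lesser degree to `actions/checkout@v2`.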


@ -21,18 +21,18 @@ before using in production!
Ubuntu. This is not the default assigned by this module - it will set
`PermitRootLogin without-password` which will allow access via SSH key but not
via simple password. If you need this functionality, be sure to set
`ssh_PermitRootLogin yes` for those hosts.
`sshd_PermitRootLogin yes` for those hosts.
Requirements
------------
Tested on:
* Ubuntu precise, trusty
* Debian wheezy, jessie
* Ubuntu precise, trusty, xenial, bionic, focal
* Debian wheezy, jessie, stretch, buster
* FreeBSD 10.1
* EL 6,7 derived distributions
* Fedora 22, 23
* EL 6, 7, 8 derived distributions
* Fedora 31, 32, 33
* OpenBSD 6.0
* AIX 7.1, 7.2
@ -60,15 +60,15 @@ variables. Defaults to *False*.
If set to False, the service/daemon won't be **managed** at all, i.e. will not
try to enable on boot or start or reload the service. Defaults to *True*
unless: Running inside a docker container (it is assumed ansible is used during
build phase) or AIX (Ansible `service` module does not currently support `enabled`
build phase) or AIX (Ansible `service` module does not currently support `enabled`
for AIX)
* `sshd_allow_reload`
If set to False, a reload of sshd wont happen on change. This can help with
troubleshooting. You'll need to manually reload sshd if you want to apply the
changed configuration. Defaults to the same value as ``sshd_manage_service``.
(Except on AIX, where `sshd_manage_service` is default *False*, but
changed configuration. Defaults to the same value as ``sshd_manage_service``.
(Except on AIX, where `sshd_manage_service` is default *False*, but
`sshd_allow_reload` is default *True*)
* `sshd_install_service`
@ -97,7 +97,7 @@ sshd:
- 0.0.0.0
```
* `ssh_...`
* `sshd_...`
Simple variables can be used rather than a dict. Simple values override dict
values. e.g.:


@ -1,7 +1,7 @@
---
### USER OPTIONS
# Set to False to disable this role completely
sshd_enable: True
# Set to false to disable this role completely
sshd_enable: true
# Don't apply OS defaults when set to true
sshd_skip_defaults: false
@ -21,7 +21,7 @@ sshd_service_template_socket: sshd.socket.j2
sshd_allow_reload: true
# If the below is true, create a backup of the config file when the template is copied
sshd_backup: false
sshd_backup: true
# Empty dicts to avoid errors
sshd: {}
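Review bot: `sshd_backup` is printed twice in the second hunk with different values (`false`, then `true`), so this lint cleanup also appears to flip a role default, which the commit title does not mention. If the new default is `true` and the variable feeds the template task's `backup` option (that task is not shown here), every configuration change will leave a copy of the previous sshd_config beside the live file. That is a reasonable safety net, but it is a behaviour change that belongs in the description and the README. The comment above the variable could also say where the copy ends up, e.g. `# If true, keep a backup of the previous config file next to it when the template is copied`.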


@ -11,7 +11,7 @@
- ansible_os_family != 'AIX'
listen: reload_sshd
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
# Instead, use a dirty shell script:
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6


@ -6,50 +6,51 @@ galaxy_info:
license: LGPLv3
min_ansible_version: 2.8
platforms:
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
- focal
- name: FreeBSD
version:
- 10.1
- name: EL
versions:
- 6
- 7
- 8
- name: Fedora
versions:
- 22
- 23
- name: OpenBSD
versions:
- 6.0
- name: AIX
versions:
- 7.1
- 7.2
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
- focal
- name: FreeBSD
version:
- 10.1
- name: EL
versions:
- 6
- 7
- 8
- name: Fedora
versions:
- 31
- 32
- 33
- name: OpenBSD
versions:
- 6.0
- name: AIX
versions:
- 7.1
- 7.2
galaxy_tags:
- networking
- system
- ssh
- openssh
- sshd
- server
- ubuntu
- debian
- centos
- redhat
- freebsd
- openbsd
- aix
- networking
- system
- ssh
- openssh
- sshd
- server
- ubuntu
- debian
- centos
- redhat
- freebsd
- openbsd
- aix
dependencies: []
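Review bot: The FreeBSD entry under `platforms` uses the key `version:` where every other platform uses `versions:`, on both the old and the re-indented lines, so its release list is probably ignored by whatever reads this metadata; it should be `versions:`. While this list is being touched, the numeric releases (`10.1`, `6.0`, `31`) load as floats and integers rather than strings. Quoting them, as in `- "6.0"`, keeps each value exactly as written.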


@ -1,7 +1,7 @@
---
- name: OS is supported
meta: end_host
when:
when:
- not __sshd_os_supported|bool
- name: Install ssh packages


@ -1,6 +1,8 @@
---
__sshd_config_mode: '0644'
__sshd_packages: [ ] # sshd is not installed by yum / AIX toolbox for Linux. You'll need to manually install them using AIX Web Download Packs.
# sshd is not installed by yum / AIX toolbox for Linux.
# You'll need to manually install them using AIX Web Download Packs.
__sshd_packages: []
__sshd_sftp_server: /usr/sbin/sftp-server
__sshd_config_group: system
__sshd_defaults:


@ -10,7 +10,7 @@ __sshd_defaults:
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
SyslogFacility: AUTH


@ -3,23 +3,9 @@ __sshd_packages:
- openssh
- openssh-server
__sshd_sftp_server: /usr/libexec/openssh/sftp-server
# Fedora 32 ships with drop-in directory support so we touch
# just included file with highest priority by default and have
# empty defaults
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTHPRIV
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
UsePAM: yes
X11Forwarding: yes
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ sshd_sftp_server }}"
__sshd_os_supported: yes
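Review bot: With the mapping body removed, `__sshd_defaults:` is left with no value, which YAML loads as null rather than an empty mapping. If the role merges or iterates over this variable (that code is outside this section), null can behave differently from `{}`, so `__sshd_defaults: {}` would state the "empty defaults" intent from the comment explicitly. The new `__sshd_config_file` points at a drop-in under `/etc/ssh/sshd_config.d/`, which only takes effect when the main sshd_config includes that directory. With empty defaults, every keyword the user does not set falls through to the distribution's own file, and a comment saying so would help anyone auditing the effective configuration.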

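--- /dev/null
+++ b/vars/Fedora_31.yml
@@ -0,0 +1,25 @@
+---
+__sshd_packages:
+- openssh
+- openssh-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_defaults:
+HostKey:
+- /etc/ssh/ssh_host_rsa_key
+- /etc/ssh/ssh_host_ecdsa_key
+- /etc/ssh/ssh_host_ed25519_key
+SyslogFacility: AUTHPRIV
+AuthorizedKeysFile: .ssh/authorized_keys
+PasswordAuthentication: yes
+ChallengeResponseAuthentication: no
+GSSAPIAuthentication: yes
+GSSAPICleanupCredentials: no
+UsePAM: yes
+X11Forwarding: yes
+AcceptEnv:
+- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+- LC_IDENTIFICATION LC_ALL LANGUAGE
+- XMODIFIERS
+Subsystem: "sftp {{ sshd_sftp_server }}"
+__sshd_os_supported: yes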
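Review bot: This new file writes booleans as `yes`/`no` while the same commit normalises `defaults/main.yml` to `true`/`false`; `__sshd_os_supported: yes` is a plain role flag and would read better as `__sshd_os_supported: true`. The sshd keywords (`PasswordAuthentication: yes`, `X11Forwarding: yes` and the rest) are likewise loaded as booleans, so they rely on the template turning them back into `yes`/`no`; the template is not shown here. If these values are meant to mirror the distribution's shipped configuration, a header comment would make that explicit, for example `# Distribution defaults for Fedora 31, not a hardened baseline; override PasswordAuthentication and X11Forwarding where a stricter policy applies`.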


@ -13,9 +13,9 @@ __sshd_defaults:
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
GSSAPICleanupCredentials: no
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes
X11Forwarding: yes
UsePrivilegeSeparation: sandbox
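Review bot: `GSSAPICleanupCredentials` is printed twice in this hunk with different values (`yes`, then `no`), and the hunk header leaves room for three removed and three added lines, so the commit appears to change this default rather than only trim whitespace in the comment below it. With `no`, sshd does not destroy the user's GSSAPI credential cache at logout, so delegated Kerberos tickets can outlive the session on the host. If the intent is to match the distribution's shipped sshd_config, say so in a comment next to the setting and in the commit description; otherwise keep `GSSAPICleanupCredentials: yes`. The `__sshd_defaults` mapping starts above the hunk.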


@ -14,8 +14,8 @@ __sshd_defaults:
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
# Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes
X11Forwarding: yes
PrintMotd: no