Merge pull request #135 from Jakuje/cleanup

Cleanup lint issues, update documentation, fix typos
This commit is contained in:
Matt Willsher 2020-09-23 21:28:53 +01:00 committed by GitHub
commit b598348356
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 123 additions and 108 deletions


@ -6,33 +6,34 @@ jobs:
test-ansible28: test-ansible28:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Lint Ansible Playbook - name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master uses: ansible/ansible-lint-action@master
with: with:
targets: "tests/test_*.yml" targets: "tests/test_*.yml"
override-deps: | override-deps: |
ansible==2.8 ansible==2.8
args: "" args: ""
test-ansible29: test-ansible29:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Lint Ansible Playbook - name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master uses: ansible/ansible-lint-action@master
with: with:
targets: "tests/test_*.yml" targets: "tests/test_*.yml
override-deps: | override-deps: |
ansible==2.9 ansible==2.9
args: "" args: ""
test-ansible210: test-ansible210:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Lint Ansible Playbook - name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master uses: ansible/ansible-lint-action@master
with: with:
targets: "tests/test_*.yml" targets: "tests/test_*.yml"
override-deps: | override-deps: |
ansible==2.10 ansible==2.10
args: "" args: ""
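Review bot: All three jobs use `uses: ansible/ansible-lint-action@master`, a mutable branch reference, so the lint step executes whatever that upstream repository's master contains at run time and a broken or compromised push there lands in this CI on the next run. Pin the action to a release tag or, preferably, a full commit SHA, e.g. `uses: ansible/ansible-lint-action@<release-tag-or-commit-sha>`, and keep it current with Dependabot or a periodic bump. The same change applies to the test-ansible28, test-ansible29 and test-ansible210 jobs; `actions/checkout@v2` is already a tag and is the lesser concern. Which single line this hunk adds cannot be told from the rendered page.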


@ -21,18 +21,18 @@ before using in production!
Ubuntu. This is not the default assigned by this module - it will set Ubuntu. This is not the default assigned by this module - it will set
`PermitRootLogin without-password` which will allow access via SSH key but not `PermitRootLogin without-password` which will allow access via SSH key but not
via simple password. If you need this functionality, be sure to set via simple password. If you need this functionality, be sure to set
`ssh_PermitRootLogin yes` for those hosts. `sshd_PermitRootLogin yes` for those hosts.
Requirements Requirements
------------ ------------
Tested on: Tested on:
* Ubuntu precise, trusty * Ubuntu precise, trusty, xenial, bionic, focal
* Debian wheezy, jessie * Debian wheezy, jessie, stretch, buster
* FreeBSD 10.1 * FreeBSD 10.1
* EL 6,7 derived distributions * EL 6, 7, 8 derived distributions
* Fedora 22, 23 * Fedora 31, 32, 33
* OpenBSD 6.0 * OpenBSD 6.0
* AIX 7.1, 7.2 * AIX 7.1, 7.2
@ -60,15 +60,15 @@ variables. Defaults to *False*.
If set to False, the service/daemon won't be **managed** at all, i.e. will not If set to False, the service/daemon won't be **managed** at all, i.e. will not
try to enable on boot or start or reload the service. Defaults to *True* try to enable on boot or start or reload the service. Defaults to *True*
unless: Running inside a docker container (it is assumed ansible is used during unless: Running inside a docker container (it is assumed ansible is used during
build phase) or AIX (Ansible `service` module does not currently support `enabled` build phase) or AIX (Ansible `service` module does not currently support `enabled`
for AIX) for AIX)
* `sshd_allow_reload` * `sshd_allow_reload`
If set to False, a reload of sshd wont happen on change. This can help with If set to False, a reload of sshd wont happen on change. This can help with
troubleshooting. You'll need to manually reload sshd if you want to apply the troubleshooting. You'll need to manually reload sshd if you want to apply the
changed configuration. Defaults to the same value as ``sshd_manage_service``. changed configuration. Defaults to the same value as ``sshd_manage_service``.
(Except on AIX, where `sshd_manage_service` is default *False*, but (Except on AIX, where `sshd_manage_service` is default *False*, but
`sshd_allow_reload` is default *True*) `sshd_allow_reload` is default *True*)
* `sshd_install_service` * `sshd_install_service`
@ -97,7 +97,7 @@ sshd:
- 0.0.0.0 - 0.0.0.0
``` ```
* `ssh_...` * `sshd_...`
Simple variables can be used rather than a dict. Simple values override dict Simple variables can be used rather than a dict. Simple values override dict
values. e.g.: values. e.g.:


@ -1,7 +1,7 @@
--- ---
### USER OPTIONS ### USER OPTIONS
# Set to False to disable this role completely # Set to false to disable this role completely
sshd_enable: True sshd_enable: true
# Don't apply OS defaults when set to true # Don't apply OS defaults when set to true
sshd_skip_defaults: false sshd_skip_defaults: false
@ -21,7 +21,7 @@ sshd_service_template_socket: sshd.socket.j2
sshd_allow_reload: true sshd_allow_reload: true
# If the below is true, create a backup of the config file when the template is copied # If the below is true, create a backup of the config file when the template is copied
sshd_backup: false sshd_backup: true
# Empty dicts to avoid errors # Empty dicts to avoid errors
sshd: {} sshd: {}
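Review bot: Flipping `sshd_backup: false` to `sshd_backup: true` is a functional default change, not a lint fix, and neither the PR title nor the README hunk above announces it; judging by the comment on the line before it, every config change will now leave a backup copy of the previous sshd_config next to the live file on each managed host. Either revert it so the PR stays behaviour-preserving, or document the new default in the README variable list and make the comment state it, e.g. `# If true (the default), keep a backup of the previous config file when the template is copied`. The task that honours this variable is outside this hunk, so I cannot confirm where the backup is written or with what permissions.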


@ -11,7 +11,7 @@
- ansible_os_family != 'AIX' - ansible_os_family != 'AIX'
listen: reload_sshd listen: reload_sshd
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started. # sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it. # It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
# Instead, use a dirty shell script: # Instead, use a dirty shell script:
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6 # https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6


@ -6,50 +6,51 @@ galaxy_info:
license: LGPLv3 license: LGPLv3
min_ansible_version: 2.8 min_ansible_version: 2.8
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- wheezy - wheezy
- jessie - jessie
- stretch - stretch
- buster - buster
- name: Ubuntu - name: Ubuntu
versions: versions:
- precise - precise
- trusty - trusty
- xenial - xenial
- bionic - bionic
- focal - focal
- name: FreeBSD - name: FreeBSD
version: version:
- 10.1 - 10.1
- name: EL - name: EL
versions: versions:
- 6 - 6
- 7 - 7
- 8 - 8
- name: Fedora - name: Fedora
versions: versions:
- 22 - 31
- 23 - 32
- name: OpenBSD - 33
versions: - name: OpenBSD
- 6.0 versions:
- name: AIX - 6.0
versions: - name: AIX
- 7.1 versions:
- 7.2 - 7.1
- 7.2
galaxy_tags: galaxy_tags:
- networking - networking
- system - system
- ssh - ssh
- openssh - openssh
- sshd - sshd
- server - server
- ubuntu - ubuntu
- debian - debian
- centos - centos
- redhat - redhat
- freebsd - freebsd
- openbsd - openbsd
- aix - aix
dependencies: [] dependencies: []
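Review bot: The FreeBSD entry uses `version:` while every other platform uses `versions:`, so Galaxy will not register 10.1 as a supported FreeBSD version; the key should be `versions:`. The unquoted release numbers `10.1`, `6.0`, `7.1` and `7.2` are also loaded as floats rather than strings (a future `7.10` would silently become 7.1), whereas the Debian and Ubuntu codenames are strings; quote them so the list stays stable as releases are added, and `min_ansible_version: 2.8` has the same trap once it is bumped to 2.10. Indentation is lost on the rendered page, so the fence below uses the conventional layout.
```yaml
  - name: FreeBSD
    versions:
      - "10.1"
# … unchanged: EL and Fedora entries …
  - name: OpenBSD
    versions:
      - "6.0"
  - name: AIX
    versions:
      - "7.1"
      - "7.2"
```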


@ -1,7 +1,7 @@
--- ---
- name: OS is supported - name: OS is supported
meta: end_host meta: end_host
when: when:
- not __sshd_os_supported|bool - not __sshd_os_supported|bool
- name: Install ssh packages - name: Install ssh packages


@ -1,6 +1,8 @@
--- ---
__sshd_config_mode: '0644' __sshd_config_mode: '0644'
__sshd_packages: [ ] # sshd is not installed by yum / AIX toolbox for Linux. You'll need to manually install them using AIX Web Download Packs. # sshd is not installed by yum / AIX toolbox for Linux.
# You'll need to manually install them using AIX Web Download Packs.
__sshd_packages: []
__sshd_sftp_server: /usr/sbin/sftp-server __sshd_sftp_server: /usr/sbin/sftp-server
__sshd_config_group: system __sshd_config_group: system
__sshd_defaults: __sshd_defaults:


@ -10,7 +10,7 @@ __sshd_defaults:
HostKey: HostKey:
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256 KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
SyslogFacility: AUTH SyslogFacility: AUTH


@ -3,23 +3,9 @@ __sshd_packages:
- openssh - openssh
- openssh-server - openssh-server
__sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_sftp_server: /usr/libexec/openssh/sftp-server
# Fedora 32 ships with drop-in directory support so we touch
# just included file with highest priority by default and have
# empty defaults
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults: __sshd_defaults:
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTHPRIV
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no
UsePAM: yes
X11Forwarding: yes
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ sshd_sftp_server }}"
__sshd_os_supported: yes __sshd_os_supported: yes
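Review bot: The new side leaves `__sshd_defaults:` with no value, which YAML loads as null rather than an empty mapping, so a `combine()` or a loop over it in the role will behave differently from the other vars files where the key holds a dict; write `__sshd_defaults: {}` explicitly, the way defaults/main.yml already does for `sshd: {}` under the comment "Empty dicts to avoid errors". The task that consumes this variable is not on the page, so I cannot confirm whether null is tolerated there. `__sshd_os_supported: yes`, here and in the new vars/Fedora_31.yml, is a YAML 1.1 truthy spelling that yamllint flags; this PR already converts `True` to `true` in defaults/main.yml, so `__sshd_os_supported: true` would be consistent with it. The new comment describes Fedora 32 but this appears to be the generic Fedora vars file; a sentence saying that vars/Fedora_31.yml carries the older full-file defaults would help the next reader, assuming that is how the role's vars lookup is ordered.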

25
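--- /dev/null
+++ b/vars/Fedora_31.yml
@@ -0,0 +1,25 @@
+---
+__sshd_packages:
+  - openssh
+  - openssh-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_defaults:
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  SyslogFacility: AUTHPRIV
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: yes
+  ChallengeResponseAuthentication: no
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: no
+  UsePAM: yes
+  X11Forwarding: yes
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+__sshd_os_supported: yes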


@ -13,9 +13,9 @@ __sshd_defaults:
PasswordAuthentication: yes PasswordAuthentication: yes
ChallengeResponseAuthentication: no ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes GSSAPICleanupCredentials: no
# Note that UsePAM: no is not supported under RHEL/CentOS. See # Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218 # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes UsePAM: yes
X11Forwarding: yes X11Forwarding: yes
UsePrivilegeSeparation: sandbox UsePrivilegeSeparation: sandbox
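Review bot: Changing `GSSAPICleanupCredentials: yes` to `no` alters the sshd_config rendered for this platform, so it is a behavioural change rather than the lint and typo cleanup the title describes. If the intent is to align this file with the sibling vars files, which already carry `no` (the hunk below and the new vars/Fedora_31.yml), state that in the commit message or on the line itself, e.g. `# GSSAPICleanupCredentials: no matches the other platform defaults`, so the flip is not mistaken for a typo fix later. Which platform this vars file belongs to is not visible on the page.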


@ -14,8 +14,8 @@ __sshd_defaults:
ChallengeResponseAuthentication: no ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes GSSAPIAuthentication: yes
GSSAPICleanupCredentials: no GSSAPICleanupCredentials: no
# Note that UsePAM: no is not supported under RHEL/CentOS. See # Note that UsePAM: no is not supported under RHEL/CentOS. See
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218 # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
UsePAM: yes UsePAM: yes
X11Forwarding: yes X11Forwarding: yes
PrintMotd: no PrintMotd: no