mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-25 20:40:18 +01:00
Merge pull request #135 from Jakuje/cleanup
Cleanup lint issues, update documentation, fix typos
This commit is contained in:
commit
b598348356
12 changed files with 123 additions and 108 deletions
49
.github/workflows/ansible-lint.yml
vendored
49
.github/workflows/ansible-lint.yml
vendored
|
@ -6,33 +6,34 @@ jobs:
|
||||||
test-ansible28:
|
test-ansible28:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: Lint Ansible Playbook
|
- name: Lint Ansible Playbook
|
||||||
uses: ansible/ansible-lint-action@master
|
uses: ansible/ansible-lint-action@master
|
||||||
with:
|
with:
|
||||||
targets: "tests/test_*.yml"
|
targets: "tests/test_*.yml"
|
||||||
override-deps: |
|
override-deps: |
|
||||||
ansible==2.8
|
ansible==2.8
|
||||||
args: ""
|
args: ""
|
||||||
test-ansible29:
|
test-ansible29:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: Lint Ansible Playbook
|
- name: Lint Ansible Playbook
|
||||||
uses: ansible/ansible-lint-action@master
|
uses: ansible/ansible-lint-action@master
|
||||||
with:
|
with:
|
||||||
targets: "tests/test_*.yml"
|
targets: "tests/test_*.yml
|
||||||
override-deps: |
|
override-deps: |
|
||||||
ansible==2.9
|
ansible==2.9
|
||||||
args: ""
|
args: ""
|
||||||
test-ansible210:
|
test-ansible210:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: Lint Ansible Playbook
|
- name: Lint Ansible Playbook
|
||||||
uses: ansible/ansible-lint-action@master
|
uses: ansible/ansible-lint-action@master
|
||||||
with:
|
with:
|
||||||
targets: "tests/test_*.yml"
|
targets: "tests/test_*.yml"
|
||||||
override-deps: |
|
override-deps: |
|
||||||
ansible==2.10
|
ansible==2.10
|
||||||
args: ""
|
args: ""
|
||||||
|
|
||||||
|
|
18
README.md
18
README.md
|
@ -21,18 +21,18 @@ before using in production!
|
||||||
Ubuntu. This is not the default assigned by this module - it will set
|
Ubuntu. This is not the default assigned by this module - it will set
|
||||||
`PermitRootLogin without-password` which will allow access via SSH key but not
|
`PermitRootLogin without-password` which will allow access via SSH key but not
|
||||||
via simple password. If you need this functionality, be sure to set
|
via simple password. If you need this functionality, be sure to set
|
||||||
`ssh_PermitRootLogin yes` for those hosts.
|
`sshd_PermitRootLogin yes` for those hosts.
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Tested on:
|
Tested on:
|
||||||
|
|
||||||
* Ubuntu precise, trusty
|
* Ubuntu precise, trusty, xenial, bionic, focal
|
||||||
* Debian wheezy, jessie
|
* Debian wheezy, jessie, stretch, buster
|
||||||
* FreeBSD 10.1
|
* FreeBSD 10.1
|
||||||
* EL 6,7 derived distributions
|
* EL 6, 7, 8 derived distributions
|
||||||
* Fedora 22, 23
|
* Fedora 31, 32, 33
|
||||||
* OpenBSD 6.0
|
* OpenBSD 6.0
|
||||||
* AIX 7.1, 7.2
|
* AIX 7.1, 7.2
|
||||||
|
|
||||||
|
@ -60,15 +60,15 @@ variables. Defaults to *False*.
|
||||||
If set to False, the service/daemon won't be **managed** at all, i.e. will not
|
If set to False, the service/daemon won't be **managed** at all, i.e. will not
|
||||||
try to enable on boot or start or reload the service. Defaults to *True*
|
try to enable on boot or start or reload the service. Defaults to *True*
|
||||||
unless: Running inside a docker container (it is assumed ansible is used during
|
unless: Running inside a docker container (it is assumed ansible is used during
|
||||||
build phase) or AIX (Ansible `service` module does not currently support `enabled`
|
build phase) or AIX (Ansible `service` module does not currently support `enabled`
|
||||||
for AIX)
|
for AIX)
|
||||||
|
|
||||||
* `sshd_allow_reload`
|
* `sshd_allow_reload`
|
||||||
|
|
||||||
If set to False, a reload of sshd wont happen on change. This can help with
|
If set to False, a reload of sshd wont happen on change. This can help with
|
||||||
troubleshooting. You'll need to manually reload sshd if you want to apply the
|
troubleshooting. You'll need to manually reload sshd if you want to apply the
|
||||||
changed configuration. Defaults to the same value as ``sshd_manage_service``.
|
changed configuration. Defaults to the same value as ``sshd_manage_service``.
|
||||||
(Except on AIX, where `sshd_manage_service` is default *False*, but
|
(Except on AIX, where `sshd_manage_service` is default *False*, but
|
||||||
`sshd_allow_reload` is default *True*)
|
`sshd_allow_reload` is default *True*)
|
||||||
|
|
||||||
* `sshd_install_service`
|
* `sshd_install_service`
|
||||||
|
@ -97,7 +97,7 @@ sshd:
|
||||||
- 0.0.0.0
|
- 0.0.0.0
|
||||||
```
|
```
|
||||||
|
|
||||||
* `ssh_...`
|
* `sshd_...`
|
||||||
|
|
||||||
Simple variables can be used rather than a dict. Simple values override dict
|
Simple variables can be used rather than a dict. Simple values override dict
|
||||||
values. e.g.:
|
values. e.g.:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
### USER OPTIONS
|
### USER OPTIONS
|
||||||
# Set to False to disable this role completely
|
# Set to false to disable this role completely
|
||||||
sshd_enable: True
|
sshd_enable: true
|
||||||
|
|
||||||
# Don't apply OS defaults when set to true
|
# Don't apply OS defaults when set to true
|
||||||
sshd_skip_defaults: false
|
sshd_skip_defaults: false
|
||||||
|
@ -21,7 +21,7 @@ sshd_service_template_socket: sshd.socket.j2
|
||||||
sshd_allow_reload: true
|
sshd_allow_reload: true
|
||||||
|
|
||||||
# If the below is true, create a backup of the config file when the template is copied
|
# If the below is true, create a backup of the config file when the template is copied
|
||||||
sshd_backup: false
|
sshd_backup: true
|
||||||
|
|
||||||
# Empty dicts to avoid errors
|
# Empty dicts to avoid errors
|
||||||
sshd: {}
|
sshd: {}
|
||||||
|
|
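Review bot: The second hunk flips the shipped default `sshd_backup: false` → `sshd_backup: true`, which is a behaviour change rather than lint cleanup, and neither the PR description nor the README hunks in this commit mention it. With it on, every template change leaves a timestamped copy of the previous sshd_config next to the live file (presumably via the template module's `backup`), so settings an operator deliberately removed keep existing on disk until someone prunes the backups. Either move the flip into its own commit or state it in the description and README, and extend the comment above the key to `# If the below is true, create a backup of the config file when the template is copied (kept beside the live file; prune it if old settings must not linger)`.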
|
@ -11,7 +11,7 @@
|
||||||
- ansible_os_family != 'AIX'
|
- ansible_os_family != 'AIX'
|
||||||
listen: reload_sshd
|
listen: reload_sshd
|
||||||
|
|
||||||
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
|
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
|
||||||
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
|
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
|
||||||
# Instead, use a dirty shell script:
|
# Instead, use a dirty shell script:
|
||||||
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
|
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
|
||||||
|
|
|
@ -6,50 +6,51 @@ galaxy_info:
|
||||||
license: LGPLv3
|
license: LGPLv3
|
||||||
min_ansible_version: 2.8
|
min_ansible_version: 2.8
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- wheezy
|
- wheezy
|
||||||
- jessie
|
- jessie
|
||||||
- stretch
|
- stretch
|
||||||
- buster
|
- buster
|
||||||
- name: Ubuntu
|
- name: Ubuntu
|
||||||
versions:
|
versions:
|
||||||
- precise
|
- precise
|
||||||
- trusty
|
- trusty
|
||||||
- xenial
|
- xenial
|
||||||
- bionic
|
- bionic
|
||||||
- focal
|
- focal
|
||||||
- name: FreeBSD
|
- name: FreeBSD
|
||||||
version:
|
version:
|
||||||
- 10.1
|
- 10.1
|
||||||
- name: EL
|
- name: EL
|
||||||
versions:
|
versions:
|
||||||
- 6
|
- 6
|
||||||
- 7
|
- 7
|
||||||
- 8
|
- 8
|
||||||
- name: Fedora
|
- name: Fedora
|
||||||
versions:
|
versions:
|
||||||
- 22
|
- 31
|
||||||
- 23
|
- 32
|
||||||
- name: OpenBSD
|
- 33
|
||||||
versions:
|
- name: OpenBSD
|
||||||
- 6.0
|
versions:
|
||||||
- name: AIX
|
- 6.0
|
||||||
versions:
|
- name: AIX
|
||||||
- 7.1
|
versions:
|
||||||
- 7.2
|
- 7.1
|
||||||
|
- 7.2
|
||||||
galaxy_tags:
|
galaxy_tags:
|
||||||
- networking
|
- networking
|
||||||
- system
|
- system
|
||||||
- ssh
|
- ssh
|
||||||
- openssh
|
- openssh
|
||||||
- sshd
|
- sshd
|
||||||
- server
|
- server
|
||||||
- ubuntu
|
- ubuntu
|
||||||
- debian
|
- debian
|
||||||
- centos
|
- centos
|
||||||
- redhat
|
- redhat
|
||||||
- freebsd
|
- freebsd
|
||||||
- openbsd
|
- openbsd
|
||||||
- aix
|
- aix
|
||||||
dependencies: []
|
dependencies: []
|
||||||
|
|
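Review bot: The FreeBSD entry still reads `version:` (unchanged context in this hunk) while every other platform uses `versions:`, so Galaxy most likely ignores the FreeBSD versions list; since this PR is titled "fix typos", change it to `versions:`. The bare `10.1`, `6.0`, `7.1` and `7.2` entries load as floats and `min_ansible_version: 2.8` likewise; harmless today, but a future bump to `2.10` would silently become `2.1`, so quoting these as strings (`"2.8"`, `"10.1"`) now avoids the trap. Adding Fedora 33 and EL 8 here is only accurate if the generic `vars/Fedora.yml` and RedHat vars files cover them — worth confirming, since this commit also introduces a version-specific `vars/Fedora_31.yml`.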
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: OS is supported
|
- name: OS is supported
|
||||||
meta: end_host
|
meta: end_host
|
||||||
when:
|
when:
|
||||||
- not __sshd_os_supported|bool
|
- not __sshd_os_supported|bool
|
||||||
|
|
||||||
- name: Install ssh packages
|
- name: Install ssh packages
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
__sshd_config_mode: '0644'
|
__sshd_config_mode: '0644'
|
||||||
__sshd_packages: [ ] # sshd is not installed by yum / AIX toolbox for Linux. You'll need to manually install them using AIX Web Download Packs.
|
# sshd is not installed by yum / AIX toolbox for Linux.
|
||||||
|
# You'll need to manually install them using AIX Web Download Packs.
|
||||||
|
__sshd_packages: []
|
||||||
__sshd_sftp_server: /usr/sbin/sftp-server
|
__sshd_sftp_server: /usr/sbin/sftp-server
|
||||||
__sshd_config_group: system
|
__sshd_config_group: system
|
||||||
__sshd_defaults:
|
__sshd_defaults:
|
||||||
|
|
|
@ -10,7 +10,7 @@ __sshd_defaults:
|
||||||
HostKey:
|
HostKey:
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
- /etc/ssh/ssh_host_rsa_key
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
|
HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com
|
||||||
KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
|
KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
|
||||||
MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
|
MACs: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
|
||||||
SyslogFacility: AUTH
|
SyslogFacility: AUTH
|
||||||
|
|
|
@ -3,23 +3,9 @@ __sshd_packages:
|
||||||
- openssh
|
- openssh
|
||||||
- openssh-server
|
- openssh-server
|
||||||
__sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
__sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||||||
|
# Fedora 32 ships with drop-in directory support so we touch
|
||||||
|
# just included file with highest priority by default and have
|
||||||
|
# empty defaults
|
||||||
|
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
__sshd_defaults:
|
__sshd_defaults:
|
||||||
HostKey:
|
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
|
||||||
- /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
|
||||||
SyslogFacility: AUTHPRIV
|
|
||||||
AuthorizedKeysFile: .ssh/authorized_keys
|
|
||||||
PasswordAuthentication: yes
|
|
||||||
ChallengeResponseAuthentication: no
|
|
||||||
GSSAPIAuthentication: yes
|
|
||||||
GSSAPICleanupCredentials: no
|
|
||||||
UsePAM: yes
|
|
||||||
X11Forwarding: yes
|
|
||||||
AcceptEnv:
|
|
||||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
- XMODIFIERS
|
|
||||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
|
||||||
__sshd_os_supported: yes
|
__sshd_os_supported: yes
|
||||||
|
|
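Review bot: `__sshd_defaults:` on the new side is left with no value, which a YAML loader reads as `null`, not the "empty defaults" the new comment promises; a `combine()` with the user's `sshd` dict or any iteration over it then fails or silently differs from the other vars files. Write `__sshd_defaults: {}` explicitly. The switch to the drop-in `/etc/ssh/sshd_config.d/00-ansible_system_role.conf` also means everything not set through `sshd` now comes from the distribution's own sshd_config instead of the role's defaults (if the include mechanism works as the comment assumes) — a one-line README note on that, and a comment here such as `# Options not set via sshd now fall through to the distro sshd_config`, would save the next reader a surprise. `__sshd_os_supported: yes` should become `true` like the other truthy cleanups in this PR.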
25
vars/Fedora_31.yml
Normal file
25
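--- /dev/null
+++ b/vars/Fedora_31.yml
@@ -0,0 +1,25 @@
+---
+__sshd_packages:
+  - openssh
+  - openssh-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_defaults:
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  SyslogFacility: AUTHPRIV
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: yes
+  ChallengeResponseAuthentication: no
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: no
+  UsePAM: yes
+  X11Forwarding: yes
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+__sshd_os_supported: yes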
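Review bot: `__sshd_os_supported: yes` at the end of the new file is exactly the truthy form this PR converts elsewhere (`sshd_enable: True` → `true`); it is consumed through `|bool` in tasks/main.yml, so `true` is a safe replacement. The `yes`/`no` values inside `__sshd_defaults` are a different case: they end up as OpenSSH keywords in the rendered sshd_config, so leave them unless you have confirmed how the template renders YAML booleans (quoting them as `'yes'`/`'no'` would make the intent explicit either way). A header comment stating why this file exists, e.g. `# Fedora 31 predates the sshd_config.d drop-in used by vars/Fedora.yml; these defaults mirror the ones removed from that file in this commit`, would tell a future maintainer when the file can be deleted.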
|
@ -13,9 +13,9 @@ __sshd_defaults:
|
||||||
PasswordAuthentication: yes
|
PasswordAuthentication: yes
|
||||||
ChallengeResponseAuthentication: no
|
ChallengeResponseAuthentication: no
|
||||||
GSSAPIAuthentication: yes
|
GSSAPIAuthentication: yes
|
||||||
GSSAPICleanupCredentials: yes
|
GSSAPICleanupCredentials: no
|
||||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||||
UsePAM: yes
|
UsePAM: yes
|
||||||
X11Forwarding: yes
|
X11Forwarding: yes
|
||||||
UsePrivilegeSeparation: sandbox
|
UsePrivilegeSeparation: sandbox
|
||||||
|
|
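Review bot: `GSSAPICleanupCredentials: yes` → `no` is a security-relevant default change hidden in a cleanup PR: that directive decides whether sshd destroys the user's Kerberos credential cache at logout, so `no` leaves the cache on disk after the session ends. It does bring this file in line with the `no` used by the other vars files in this commit (the next hunk and the Fedora files), but the PR description should say so, and a comment would keep it from being "fixed" back: `# GSSAPICleanupCredentials: no — same as the other vars files; credential caches are not destroyed at logout`. The `__sshd_defaults` mapping this belongs to starts above the hunk.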
|
@ -14,8 +14,8 @@ __sshd_defaults:
|
||||||
ChallengeResponseAuthentication: no
|
ChallengeResponseAuthentication: no
|
||||||
GSSAPIAuthentication: yes
|
GSSAPIAuthentication: yes
|
||||||
GSSAPICleanupCredentials: no
|
GSSAPICleanupCredentials: no
|
||||||
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
# Note that UsePAM: no is not supported under RHEL/CentOS. See
|
||||||
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
|
||||||
UsePAM: yes
|
UsePAM: yes
|
||||||
X11Forwarding: yes
|
X11Forwarding: yes
|
||||||
PrintMotd: no
|
PrintMotd: no
|
||||||
|
|