From da3e33ec46ee4e0110e173fc76555c33ce028372 Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Thu, 24 Oct 2024 17:59:04 +0100 Subject: [PATCH] fix: rename var sshd -> sshd_config and debug output (#299) --- .ansible-lint | 2 +- README.md | 15 +-- defaults/main.yml | 3 - examples/example-accept-env.yml | 2 +- examples/example-root-login.yml | 2 +- examples/example-use-certificates.yml | 2 +- meta/10_top.j2 | 4 +- meta/30_bottom.j2 | 4 +- tasks/certificates.yml | 4 +- tasks/find_ports.yml | 4 +- tasks/firewall.yml | 6 +- tasks/install.yml | 8 +- tasks/main.yml | 7 ++ templates/sshd_config.j2 | 8 +- templates/sshd_config_snippet.j2 | 8 +- tests/tasks/setup.yml | 7 ++ tests/tests_all_options.yml | 2 +- tests/tests_alternative_file.yml | 6 +- tests/tests_alternative_file_role.yml | 6 +- tests/tests_certificates.yml | 2 +- tests/tests_config_namespace.yml | 4 +- tests/tests_deprecated_sshd_variable.yml | 122 +++++++++++++++++++++++ tests/tests_firewall_selinux.yml | 10 +- tests/tests_hostkeys.yml | 2 +- tests/tests_hostkeys_missing.yml | 2 +- tests/tests_hostkeys_role.yml | 2 +- tests/tests_include_present.yml | 4 +- tests/tests_indent.yml | 2 +- tests/tests_match.yml | 2 +- tests/tests_match_iterate.yml | 2 +- tests/tests_precedence.yml | 2 +- tests/tests_second_service.yml | 2 +- tests/tests_second_service_drop_in.yml | 2 +- tests/tests_set_common.yml | 2 +- tests/tests_set_uncommon.yml | 2 +- tests/tests_sshd_enable.yml | 2 +- vars/main.yml | 3 +- 37 files changed, 203 insertions(+), 66 deletions(-) create mode 100644 tests/tests_deprecated_sshd_variable.yml diff --git a/.ansible-lint b/.ansible-lint index d5975b8..e62bdba 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -4,8 +4,8 @@ exclude_paths: - .tox/ - .markdownlint.yaml skip_list: - - var-naming[no-role-prefix] - meta-runtime[unsupported-version] + - experimental mock_roles: - willshersystems.sshd.ansible-sshd mock_modules: diff --git a/README.md b/README.md index c996180..f4eb377 100644 --- a/README.md 
+++ b/README.md @@ -130,17 +130,20 @@ NOTE: `sshd_manage_selinux` is limited to *adding* policy. It cannot be used for *removing* policy. If you want to remove ports, you will need to use the selinux system role directly. -#### sshd +#### sshd_config A dict containing configuration. e.g. ```yaml -sshd: +sshd_config: Compression: delayed ListenAddress: - 0.0.0.0 ``` +*Note*: This variable was previous called `sshd`. `sshd` is can still be used +but is deprecated and will be removed in a future release. + #### sshd_`` Simple variables can be used rather than a dict. Simple values override dict @@ -344,7 +347,7 @@ Use these variables to set the ownership and permissions for the Authorized Prin The SSH server needs this information stored in files so in addition to the above variables, respective configuration options `TrustedUserCAKeys` (mandatory) and `AuthorizedPrincipalsFile` (optional) need to be present the `sshd` dictionary when invoking the role. For example: ```yaml -sshd: +sshd_config: TrustedUserCAKeys: /etc/ssh/path-to-trusted-user-ca-keys/trusted-user-ca-keys.pub AuthorizedPrincipalsFile: "/etc/ssh/path-to-auth-principals/auth_principals/%u" ``` @@ -370,7 +373,7 @@ provides. Running it will likely break your SSH access to the server! - hosts: all vars: sshd_skip_defaults: true - sshd: + sshd_config: Compression: true ListenAddress: - "0.0.0.0" @@ -413,7 +416,7 @@ for example: name: willshersystems.sshd vars: sshd_skip_defaults: true - sshd: + sshd_config: Compression: true ListenAddress: - "0.0.0.0" @@ -440,7 +443,7 @@ option: name: willshersystems.sshd vars: sshd_config_namespace: accept-env - sshd: + sshd_config: # there are some handy environment variables to accept AcceptEnv: LANG diff --git a/defaults/main.yml b/defaults/main.yml index aba9554..94e63c9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -37,9 +37,6 @@ sshd_sysconfig_override_crypto_policy: false # generator sshd_sysconfig_use_strong_rng: 0 -# Empty dicts to avoid errors -sshd: {} - # The path to sshd_config file. This is useful when creating an included # configuration file snippet or configuring second sshd service sshd_config_file: "{{ __sshd_config_file }}" diff --git a/examples/example-accept-env.yml b/examples/example-accept-env.yml index b5a800a..f2bac8e 100644 --- a/examples/example-accept-env.yml +++ b/examples/example-accept-env.yml @@ -7,7 +7,7 @@ name: ansible-sshd vars: sshd_config_namespace: accept-env - sshd: + sshd_config: # there are some handy environment variables to accept AcceptEnv: LANG diff --git a/examples/example-root-login.yml b/examples/example-root-login.yml index e47e6c2..1f6b818 100644 --- a/examples/example-root-login.yml +++ b/examples/example-root-login.yml @@ -6,7 +6,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: # root login and password login is enabled only from a particular subnet PermitRootLogin: false PasswordAuthentication: false diff --git a/examples/example-use-certificates.yml b/examples/example-use-certificates.yml index 59dd00e..dadae29 100644 --- a/examples/example-use-certificates.yml +++ b/examples/example-use-certificates.yml @@ -6,7 +6,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: # Disable password authentication, use SSH Certificates and configure authorized principals PasswordAuthentication: false TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pub diff --git a/meta/10_top.j2 b/meta/10_top.j2 index 9fd8ba5..474e760 100644 --- a/meta/10_top.j2 +++ b/meta/10_top.j2 
@@ -21,8 +21,8 @@ {% set value = undefined %} {% if override is defined %} {% set value = override %} -{% elif sshd[key] is defined %} -{% set value = sshd[key] %} +{% elif __sshd_config[key] is defined %} +{% set value = __sshd_config[key] %} {% elif sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %} {# Do not use the defaults from main file to avoid recursion #} diff --git a/meta/30_bottom.j2 b/meta/30_bottom.j2 index 5408f0b..3c2a43b 100644 --- a/meta/30_bottom.j2 +++ b/meta/30_bottom.j2 @@ -1,5 +1,5 @@ -{% if sshd['Match'] is defined %} -{{ match_iterate_block(sshd['Match']) -}} +{% if __sshd_config['Match'] is defined %} +{{ match_iterate_block(__sshd_config['Match']) -}} {% endif %} {% if sshd_match is defined %} {{ match_iterate_block(sshd_match) -}} diff --git a/tasks/certificates.yml b/tasks/certificates.yml index fe1cb46..c949350 100644 --- a/tasks/certificates.yml +++ b/tasks/certificates.yml @@ -6,7 +6,7 @@ {% if sshd_TrustedUserCAKeys is defined %} {{ sshd_TrustedUserCAKeys | to_json }} {% else %} - {{ sshd['TrustedUserCAKeys'] | to_json }} + {{ __sshd_config['TrustedUserCAKeys'] | to_json }} {% endif %} block: - name: Create Trusted user CA Keys directory @@ -32,7 +32,7 @@ {% if sshd_AuthorizedPrincipalsFile is defined %} {{ sshd_AuthorizedPrincipalsFile | to_json }} {% else %} - {{ sshd['AuthorizedPrincipalsFile'] | to_json }} + {{ __sshd_config['AuthorizedPrincipalsFile'] | to_json }} {% endif %} when: sshd_principals != {} block: diff --git a/tasks/find_ports.yml b/tasks/find_ports.yml index 2d05cec..ec4a874 100644 --- a/tasks/find_ports.yml +++ b/tasks/find_ports.yml 
@@ -6,8 +6,8 @@ __sshd_ports_from_config_tmp: >- {% if sshd_Port is defined %} {{ sshd_Port | to_json }} - {% elif sshd['Port'] is defined %} - {{ sshd['Port'] | to_json }} + {% elif __sshd_config['Port'] is defined %} + {{ __sshd_config['Port'] | to_json }} {% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %} {{ __sshd_defaults['Port'] | to_json }} {% else %} diff --git a/tasks/firewall.yml b/tasks/firewall.yml index 1780614..71017ae 100644 --- a/tasks/firewall.yml +++ b/tasks/firewall.yml @@ -5,7 +5,7 @@ ansible.builtin.include_role: name: fedora.linux_system_roles.firewall vars: - firewall: + firewall: # noqa: var-naming[no-role-prefix] - service: ssh state: enabled when: @@ -15,11 +15,11 @@ ansible.builtin.include_role: name: fedora.linux_system_roles.firewall vars: - firewall: + firewall: # noqa: var-naming[no-role-prefix] - port: "{{ sshd_item }}/tcp" state: enabled loop: "{{ __sshd_ports_from_config | from_json | d([]) }}" loop_control: - loop_var: sshd_item # avoid conflicts with the firewall loops + loop_var: sshd_item # avoid conflicts with the firewall loops when: - __sshd_ports_from_config | from_json != [22] diff --git a/tasks/install.yml b/tasks/install.yml index cbc4b7d..9e868fe 100644 --- a/tasks/install.yml +++ b/tasks/install.yml @@ -33,8 +33,8 @@ - __sshd_hostkeys_nofips | d([]) - name: Make sure hostkeys are available and have expected permissions - vars: &share_vars - # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default + vars: + &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default __sshd_fips_mode: >- {{ __sshd_hostkeys_nofips | d([]) and (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or 
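Review bot: In the tasks/install.yml hunk the comment explaining the `'MAo='` base64 default now sits on the `&share_vars` anchor line instead of directly above `__sshd_fips_mode`, so it reads as a description of the anchor rather than of the value it documents. If the formatter requires the anchor on its own line, keep the comment on a line of its own below it: `&share_vars` / `# 'MAo=' evaluates to '0\n' in base 64 encoding, which is default` / `__sshd_fips_mode: >-`. The `vars` mapping of this task continues past the end of the hunk.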
@@ -44,8 +44,8 @@ __sshd_hostkeys_from_config: >- {% if sshd_HostKey is defined %} {{ sshd_HostKey | to_json }} - {% elif sshd['HostKey'] is defined %} - {{ sshd['HostKey'] | to_json }} + {% elif __sshd_config['HostKey'] is defined %} + {{ __sshd_config['HostKey'] | to_json }} {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %} {% if __sshd_fips_mode %} {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }} diff --git a/tasks/main.yml b/tasks/main.yml index 127dfcd..74b6598 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,11 @@ --- +- name: Print that the sshd variable is deprecated + when: sshd is defined + ansible.builtin.debug: + msg: >- + The sshd variable is deprecated and will be removed + in a future version. Edit your playbook to use + the sshd_config variable instead. - name: Invoke the role, if enabled ansible.builtin.include_tasks: sshd.yml diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 0fc0097..adcfeb7 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -23,8 +23,8 @@ {% set value = undefined %} {% if override is defined %} {% set value = override %} -{% elif sshd[key] is defined %} -{% set value = sshd[key] %} +{% elif __sshd_config[key] is defined %} +{% set value = __sshd_config[key] %} {% elif sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %} {# Do not use the defaults from main file to avoid recursion #} @@ -250,8 +250,8 @@ Match {{ match["Condition"] }} {{ body_option("X11Forwarding",sshd_X11Forwarding) -}} {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}} {{ body_option("XAuthLocation",sshd_XAuthLocation) -}} -{% if sshd['Match'] is defined %} -{{ match_iterate_block(sshd['Match']) -}} +{% if __sshd_config['Match'] is defined %} +{{ match_iterate_block(__sshd_config['Match']) -}} {% endif %} {% if sshd_match is defined %} {{ match_iterate_block(sshd_match) -}} 
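Review bot: The deprecation task added to tasks/main.yml prints its notice once per host and says nothing about precedence when both variables are set. When the variable is set at play level, `run_once: true` keeps a multi-host run from repeating the same message for every host (with host-specific definitions the per-host output is still wanted, so weigh that). Extending `msg` with one sentence such as `When both are set, sshd_config is used and sshd is ignored.` would match how `vars/main.yml` resolves `__sshd_config` as far as I read it, and spares users who set both from wondering why their old dict has no effect.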
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2 index 88d6275..07d4c9c 100644 --- a/templates/sshd_config_snippet.j2 +++ b/templates/sshd_config_snippet.j2 @@ -21,8 +21,8 @@ {% set value = undefined %} {% if override is defined %} {% set value = override %} -{% elif sshd[key] is defined %} -{% set value = sshd[key] %} +{% elif __sshd_config[key] is defined %} +{% set value = __sshd_config[key] %} {% elif sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %} {# Do not use the defaults from main file to avoid recursion #} @@ -248,8 +248,8 @@ Match {{ match["Condition"] }} {{ body_option("X11Forwarding",sshd_X11Forwarding) -}} {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}} {{ body_option("XAuthLocation",sshd_XAuthLocation) -}} -{% if sshd['Match'] is defined %} -{{ match_iterate_block(sshd['Match']) -}} +{% if __sshd_config['Match'] is defined %} +{{ match_iterate_block(__sshd_config['Match']) -}} {% endif %} {% if sshd_match is defined %} {{ match_iterate_block(sshd_match) -}} diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml index a88234c..6d963fd 100644 --- a/tests/tasks/setup.yml +++ b/tests/tasks/setup.yml @@ -5,6 +5,13 @@ when: - ansible_facts['distribution'] == 'Debian' +- name: Ensure unminimize package is installed + ansible.builtin.apt: + pkg: + - unminimize + when: + - ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 24 + - name: Determine if system is ostree and set flag when: not __sshd_is_ostree is defined block: diff --git a/tests/tests_all_options.yml b/tests/tests_all_options.yml index bb59d4d..4659ea1 100644 --- a/tests/tests_all_options.yml +++ b/tests/tests_all_options.yml @@ -120,7 +120,7 @@ # The hostkeys are not valid either so do not validate them sshd_verify_hostkeys: [] sshd_config_file: /tmp/sshd_config - sshd: + sshd_config: "{{ sshd_c }}" when: not sshd_skip_test 
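Review bot: The new `Ensure unminimize package is installed` task in tests/tasks/setup.yml only installs the package; nothing in the hunk runs it, and the task is unrelated to the `sshd` rename the commit subject describes, so a comment above it stating why Ubuntu 24+ test images need this package would help the next reader, e.g. `# Ubuntu 24+ test images need the unminimize package; see <reason> (TODO fill in)`. `pkg` is an alias of the documented `name` option of `ansible.builtin.apt`; using `name:` reads more consistently. The single `and` expression inside the `when` list could also be split into two list items, which is the idiom the list form exists for.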
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml index ef59400..b54a8f6 100644 --- a/tests/tests_alternative_file.yml +++ b/tests/tests_alternative_file.yml @@ -33,7 +33,7 @@ sshd_config_owner: "nobody" sshd_config_group: "nobody" sshd_config_mode: "660" - sshd: + sshd_config: AcceptEnv: LANG Banner: /etc/issue Ciphers: aes256-ctr @@ -46,7 +46,7 @@ # just anything -- will not get processed by sshd sshd_config_file: /etc/ssh/sshd_config_custom_second sshd_skip_defaults: true - sshd: + sshd_config: Banner: /etc/issue2 Ciphers: aes128-ctr sshd_MaxStartups: 100 # noqa var-naming @@ -56,7 +56,7 @@ name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config - sshd: + sshd_config: Banner: /etc/issue Ciphers: aes192-ctr HostKey: diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml index 30c0567..63a76f7 100644 --- a/tests/tests_alternative_file_role.yml +++ b/tests/tests_alternative_file_role.yml @@ -35,7 +35,7 @@ sshd_config_owner: "nobody" sshd_config_group: "nobody" sshd_config_mode: "660" - sshd: + sshd_config: AcceptEnv: LANG Banner: /etc/issue Ciphers: aes256-ctr @@ -50,7 +50,7 @@ # just anything -- will not get processed by sshd sshd_config_file: /etc/ssh/sshd_config_custom_second sshd_skip_defaults: true - sshd: + sshd_config: Banner: /etc/issue2 Ciphers: aes128-ctr sshd_MaxStartups: 100 # noqa var-naming @@ -62,7 +62,7 @@ - ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config - sshd: + sshd_config: Banner: /etc/issue Ciphers: aes192-ctr HostKey: diff --git a/tests/tests_certificates.yml b/tests/tests_certificates.yml index 3556943..341667a 100644 --- a/tests/tests_certificates.yml +++ b/tests/tests_certificates.yml @@ -25,7 +25,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: PasswordAuthentication: false TrustedUserCAKeys: /etc/ssh/ca-keys/trusted-user-ca-keys.pub AuthorizedPrincipalsFile: "/etc/ssh/auth_principals/%u" 
diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml index 21c4aea..2ab4417 100644 --- a/tests/tests_config_namespace.yml +++ b/tests/tests_config_namespace.yml @@ -16,7 +16,7 @@ vars: sshd_config_file: /etc/ssh/sshd_config sshd_config_namespace: nm1 - sshd: + sshd_config: PasswordAuthentication: true PermitRootLogin: true Match: @@ -29,7 +29,7 @@ vars: sshd_config_file: /etc/ssh/sshd_config sshd_config_namespace: nm2 - sshd: + sshd_config: PasswordAuthentication: false PermitRootLogin: false Match: diff --git a/tests/tests_deprecated_sshd_variable.yml b/tests/tests_deprecated_sshd_variable.yml new file mode 100644 index 0000000..a3bbdbd --- /dev/null +++ b/tests/tests_deprecated_sshd_variable.yml 
@@ -0,0 +1,122 @@ +--- +- name: Test deprecated sshd variable via include_role using some common options + hosts: all + vars: + __sshd_test_backup_files: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf + tasks: + - name: "Backup configuration files" + ansible.builtin.include_tasks: tasks/backup.yml + + - name: Configure sshd + ansible.builtin.include_role: + name: ansible-sshd + vars: + sshd: + AcceptEnv: LANG + Banner: /etc/issue + Ciphers: aes256-ctr + Subsystem: "sftp internal-sftp" + sshd_config_file: /etc/ssh/sshd_config + + - name: Verify the options are correctly set + tags: tests::verify + block: + - name: Flush handlers + ansible.builtin.meta: flush_handlers + + - name: List effective configuration using sshd -T + ansible.builtin.shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi + if test ! -f /etc/ssh/ssh_host_rsa_key; then + ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' + fi + sshd -T + register: runtime + changed_when: false + + - name: Print current configuration file + ansible.builtin.slurp: + src: /etc/ssh/sshd_config + register: config + + - name: Check the options are effective + # note, the options are in lower-case here + ansible.builtin.assert: + that: + - "'acceptenv LANG' in runtime.stdout" + - "'banner /etc/issue' in runtime.stdout" + - "'ciphers aes256-ctr' in runtime.stdout" + - "'subsystem sftp internal-sftp' in runtime.stdout" + + - name: Check the options are in configuration file + ansible.builtin.assert: + that: + - "'AcceptEnv LANG' in config.content | b64decode" + - "'Banner /etc/issue' in config.content | b64decode" + - "'Ciphers aes256-ctr' in config.content | b64decode" + - "'Subsystem sftp internal-sftp' in config.content | b64decode" + + - name: "Restore configuration files" + ansible.builtin.include_tasks: tasks/restore.yml + +- name: Test deprecated sshd variable via role using some common options + hosts: all + vars: + 
__sshd_test_backup_files: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf + pre_tasks: + - name: "Backup configuration files" + ansible.builtin.include_tasks: tasks/backup.yml + + roles: + - role: ansible-sshd + vars: + sshd: + AcceptEnv: LANG + Banner: /etc/issue + Ciphers: aes256-ctr + Subsystem: "sftp internal-sftp" + sshd_config_file: /etc/ssh/sshd_config + + tasks: + - name: Verify the options are correctly set + tags: tests::verify + block: + - name: Flush handlers + ansible.builtin.meta: flush_handlers + + - name: List effective configuration using sshd -T + ansible.builtin.command: sshd -T + register: runtime + changed_when: false + + - name: Print current configuration file + ansible.builtin.slurp: + src: /etc/ssh/sshd_config + register: config + + - name: Check the options are effective + # note, the options are in lower-case here + ansible.builtin.assert: + that: + - "'acceptenv LANG' in runtime.stdout" + - "'banner /etc/issue' in runtime.stdout" + - "'ciphers aes256-ctr' in runtime.stdout" + - "'subsystem sftp internal-sftp' in runtime.stdout" + + - name: Check the options are in configuration file + ansible.builtin.assert: + that: + - "'AcceptEnv LANG' in config.content | b64decode" + - "'Banner /etc/issue' in config.content | b64decode" + - "'Ciphers aes256-ctr' in config.content | b64decode" + - "'Subsystem sftp internal-sftp' in config.content | b64decode" + + - name: "Restore configuration files" + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_firewall_selinux.yml b/tests/tests_firewall_selinux.yml index 850a2de..6eef544 100644 --- a/tests/tests_firewall_selinux.yml +++ b/tests/tests_firewall_selinux.yml @@ -36,7 +36,7 @@ vars: sshd_manage_selinux: "{{ __sshd_test_selinux }}" sshd_manage_firewall: "{{ __sshd_test_firewall }}" - sshd: + sshd_config: Port: 22 - name: Verify the options are correctly set 
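Review bot: The `pipefail` probe in the `List effective configuration using sshd -T` shell step of the new tests/tests_deprecated_sshd_variable.yml is broken: in `if set -o | grep pipefail 2>&1 /dev/null ; then`, `/dev/null` is passed to grep as a file argument, so grep reads that file instead of the pipe, the match never succeeds and `set -o pipefail` is never enabled. It should read `if set -o | grep -q pipefail 2>/dev/null; then`. Nothing fails silently here because `sshd -T` runs on its own rather than in a pipeline, but the same line probably exists in the test files this one was copied from, and fixing it once stops the copy spreading. Separately, the test sets the deprecated variable but never asserts that the deprecation notice from tasks/main.yml is actually emitted, and the second play calls `sshd -T` without the host-key guard the first play uses, so it may fail on images without `/etc/ssh/ssh_host_rsa_key`.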
@@ -65,7 +65,7 @@ vars: sshd_manage_firewall: "{{ __sshd_test_firewall }}" sshd_manage_selinux: "{{ __sshd_test_selinux }}" - sshd: + sshd_config: Port: 222 - name: Verify the options are correctly set @@ -93,7 +93,7 @@ vars: sshd_manage_firewall: "{{ __sshd_test_firewall }}" sshd_manage_selinux: "{{ __sshd_test_selinux }}" - sshd: + sshd_config: Port: - 22 - 222 @@ -124,7 +124,7 @@ ansible.builtin.include_role: name: fedora.linux_system_roles.firewall vars: - firewall: + firewall: # noqa: var-naming[no-role-prefix] - port: "222/tcp" state: disabled when: __sshd_test_firewall @@ -133,7 +133,7 @@ ansible.builtin.include_role: name: fedora.linux_system_roles.selinux vars: - selinux: + selinux: # noqa: var-naming[no-role-prefix] port: 222 proto: tcp setype: ssh_port_t diff --git a/tests/tests_hostkeys.yml b/tests/tests_hostkeys.yml index 78d3512..86516c4 100644 --- a/tests/tests_hostkeys.yml +++ b/tests/tests_hostkeys.yml @@ -35,7 +35,7 @@ sshd_hostkey_owner: "nobody" sshd_hostkey_group: "nobody" sshd_hostkey_mode: "0664" - sshd: + sshd_config: HostKey: - /tmp/ssh_host_rsa_key2 diff --git a/tests/tests_hostkeys_missing.yml b/tests/tests_hostkeys_missing.yml index 02a7708..4596bd9 100644 --- a/tests/tests_hostkeys_missing.yml +++ b/tests/tests_hostkeys_missing.yml @@ -21,7 +21,7 @@ name: ansible-sshd vars: sshd_verify_hostkeys: [] - sshd: + sshd_config: HostKey: - /tmp/missing_ssh_host_rsa_key register: role_result diff --git a/tests/tests_hostkeys_role.yml b/tests/tests_hostkeys_role.yml index ad42b9a..61245fd 100644 --- a/tests/tests_hostkeys_role.yml +++ b/tests/tests_hostkeys_role.yml @@ -37,7 +37,7 @@ sshd_hostkey_owner: "nobody" sshd_hostkey_group: "nobody" sshd_hostkey_mode: "0664" - sshd: + sshd_config: HostKey: - /tmp/ssh_host_rsa_key2 diff --git a/tests/tests_include_present.yml b/tests/tests_include_present.yml index aeac6f6..4418560 100644 --- a/tests/tests_include_present.yml +++ b/tests/tests_include_present.yml 
@@ -24,7 +24,7 @@ name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf - sshd: + sshd_config: Banner: /etc/include-issue Ciphers: aes192-ctr when: @@ -114,7 +114,7 @@ sshd_config_file: /etc/ssh/custom_sshd_config.d/custom-drop-in sshd_main_config_file: /etc/ssh/custom_sshd_config sshd_drop_in_dir_mode: '0770' - sshd: + sshd_config: Banner: /etc/include-issue Ciphers: aes192-ctr diff --git a/tests/tests_indent.yml b/tests/tests_indent.yml index 3c54bca..801e0e3 100644 --- a/tests/tests_indent.yml +++ b/tests/tests_indent.yml @@ -13,7 +13,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: PasswordAuthentication: true PermitRootLogin: true AcceptEnv: diff --git a/tests/tests_match.yml b/tests/tests_match.yml index 9548fa3..984d913 100644 --- a/tests/tests_match.yml +++ b/tests/tests_match.yml @@ -16,7 +16,7 @@ # For Fedora containers, we need to make sure we have keys for sshd -T below sshd_verify_hostkeys: - /etc/ssh/ssh_host_rsa_key - sshd: + sshd_config: Match: Condition: "User xusers" X11Forwarding: true diff --git a/tests/tests_match_iterate.yml b/tests/tests_match_iterate.yml index 11516d6..5fd8903 100644 --- a/tests/tests_match_iterate.yml +++ b/tests/tests_match_iterate.yml @@ -16,7 +16,7 @@ # For Fedora containers, we need to make sure we have keys for sshd -T below sshd_verify_hostkeys: - /etc/ssh/ssh_host_rsa_key - sshd: + sshd_config: Match: - Condition: "User xusers" X11Forwarding: true diff --git a/tests/tests_precedence.yml b/tests/tests_precedence.yml index 7abe47e..6bea9f3 100644 --- a/tests/tests_precedence.yml +++ b/tests/tests_precedence.yml @@ -19,7 +19,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: Banner: /etc/issue Ciphers: aes256-ctr HostKey: /etc/ssh/ssh_host_rsa_key diff --git a/tests/tests_second_service.yml b/tests/tests_second_service.yml index eb3cb5e..7f6cc86 100644 --- a/tests/tests_second_service.yml 
+++ b/tests/tests_second_service.yml @@ -34,7 +34,7 @@ sshd_config_file: /etc/ssh2/sshd_config sshd_install_service: true sshd_manage_selinux: true - sshd: + sshd_config: Port: 2222 ForceCommand: echo "CONNECTED2" diff --git a/tests/tests_second_service_drop_in.yml b/tests/tests_second_service_drop_in.yml index b3956db..a58e076 100644 --- a/tests/tests_second_service_drop_in.yml +++ b/tests/tests_second_service_drop_in.yml @@ -40,7 +40,7 @@ sshd_config_file: /etc/ssh2/sshd_config.d/04-ansible.conf sshd_install_service: true sshd_manage_selinux: true - sshd: + sshd_config: Port: 2222 ForceCommand: echo "CONNECTED2" diff --git a/tests/tests_set_common.yml b/tests/tests_set_common.yml index 6d04f52..8768b50 100644 --- a/tests/tests_set_common.yml +++ b/tests/tests_set_common.yml @@ -13,7 +13,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: AcceptEnv: LANG Banner: /etc/issue Ciphers: aes256-ctr diff --git a/tests/tests_set_uncommon.yml b/tests/tests_set_uncommon.yml index dfa8b2d..a94ccdf 100644 --- a/tests/tests_set_uncommon.yml +++ b/tests/tests_set_uncommon.yml @@ -17,7 +17,7 @@ ansible.builtin.include_role: name: ansible-sshd vars: - sshd: + sshd_config: # Unsupported in new versions, but ignored ? Protocol: 1 UsePrivilegeSeparation: false diff --git a/tests/tests_sshd_enable.yml b/tests/tests_sshd_enable.yml index 36afea8..f6df79b 100644 --- a/tests/tests_sshd_enable.yml +++ b/tests/tests_sshd_enable.yml @@ -16,7 +16,7 @@ name: ansible-sshd vars: sshd_enable: false - sshd: + sshd_config: AcceptEnv: XDG_* Banner: /etc/issue Ciphers: aes256-ctr,aes128-ctr diff --git a/vars/main.yml b/vars/main.yml index d048546..bc38b5e 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,5 @@ --- +__sshd_config: "{{ sshd_config | default({}) or sshd | default({}) }}" __sshd_config_file: "/etc/ssh/sshd_config" __sshd_config_owner: "root" __sshd_config_group: "root" 
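Review bot: `__sshd_config` in vars/main.yml resolves with Jinja `or`, so an explicitly set but empty `sshd_config: {}` is falsy and the role silently falls back to the deprecated `sshd` dict, whereas a user who sets both will expect the new name to win unconditionally. Resolving on definedness makes the precedence match what the deprecation notice implies: `__sshd_config: "{{ sshd_config | default(sshd | default({})) }}"` (the `default` filter only substitutes for undefined values, not for empty ones). A short comment above the line, `# sshd_config takes precedence; sshd is accepted for backward compatibility only`, would also help now that defaults/main.yml no longer declares `sshd`.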
@@ -54,7 +55,7 @@ __sshd_runtime_directory_mode: "0755" # drop-in directory is used __sshd_main_config_file: ~ -__sshd_drop_in_dir_mode: '0755' +__sshd_drop_in_dir_mode: "0755" # The list of hostkeys to check when there are none listed in configuration file. # This is usually the case when the selection is up to the OpenSSH defaults or