mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-27 21:30:18 +01:00
fix: rename var sshd -> sshd_config and debug output (#299)
This commit is contained in:
parent
3331fa7b35
commit
da3e33ec46
37 changed files with 203 additions and 66 deletions
|
@ -4,8 +4,8 @@ exclude_paths:
|
||||||
- .tox/
|
- .tox/
|
||||||
- .markdownlint.yaml
|
- .markdownlint.yaml
|
||||||
skip_list:
|
skip_list:
|
||||||
- var-naming[no-role-prefix]
|
|
||||||
- meta-runtime[unsupported-version]
|
- meta-runtime[unsupported-version]
|
||||||
|
- experimental
|
||||||
mock_roles:
|
mock_roles:
|
||||||
- willshersystems.sshd.ansible-sshd
|
- willshersystems.sshd.ansible-sshd
|
||||||
mock_modules:
|
mock_modules:
|
||||||
|
|
15
README.md
15
README.md
|
@ -130,17 +130,20 @@ NOTE: `sshd_manage_selinux` is limited to *adding* policy. It cannot be used
|
||||||
for *removing* policy. If you want to remove ports, you will need to use the
|
for *removing* policy. If you want to remove ports, you will need to use the
|
||||||
selinux system role directly.
|
selinux system role directly.
|
||||||
|
|
||||||
#### sshd
|
#### sshd_config
|
||||||
|
|
||||||
A dict containing configuration. e.g.
|
A dict containing configuration. e.g.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
sshd:
|
sshd_config:
|
||||||
Compression: delayed
|
Compression: delayed
|
||||||
ListenAddress:
|
ListenAddress:
|
||||||
- 0.0.0.0
|
- 0.0.0.0
|
||||||
```
|
```
|
||||||
|
|
||||||
|
*Note*: This variable was previous called `sshd`. `sshd` is can still be used
|
||||||
|
but is deprecated and will be removed in a future release.
|
||||||
|
|
||||||
#### sshd_`<OptionName>`
|
#### sshd_`<OptionName>`
|
||||||
|
|
||||||
Simple variables can be used rather than a dict. Simple values override dict
|
Simple variables can be used rather than a dict. Simple values override dict
|
||||||
|
@ -344,7 +347,7 @@ Use these variables to set the ownership and permissions for the Authorized Prin
|
||||||
The SSH server needs this information stored in files so in addition to the above variables, respective configuration options `TrustedUserCAKeys` (mandatory) and `AuthorizedPrincipalsFile` (optional) need to be present the `sshd` dictionary when invoking the role. For example:
|
The SSH server needs this information stored in files so in addition to the above variables, respective configuration options `TrustedUserCAKeys` (mandatory) and `AuthorizedPrincipalsFile` (optional) need to be present the `sshd` dictionary when invoking the role. For example:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
sshd:
|
sshd_config:
|
||||||
TrustedUserCAKeys: /etc/ssh/path-to-trusted-user-ca-keys/trusted-user-ca-keys.pub
|
TrustedUserCAKeys: /etc/ssh/path-to-trusted-user-ca-keys/trusted-user-ca-keys.pub
|
||||||
AuthorizedPrincipalsFile: "/etc/ssh/path-to-auth-principals/auth_principals/%u"
|
AuthorizedPrincipalsFile: "/etc/ssh/path-to-auth-principals/auth_principals/%u"
|
||||||
```
|
```
|
||||||
|
@ -370,7 +373,7 @@ provides. Running it will likely break your SSH access to the server!
|
||||||
- hosts: all
|
- hosts: all
|
||||||
vars:
|
vars:
|
||||||
sshd_skip_defaults: true
|
sshd_skip_defaults: true
|
||||||
sshd:
|
sshd_config:
|
||||||
Compression: true
|
Compression: true
|
||||||
ListenAddress:
|
ListenAddress:
|
||||||
- "0.0.0.0"
|
- "0.0.0.0"
|
||||||
|
@ -413,7 +416,7 @@ for example:
|
||||||
name: willshersystems.sshd
|
name: willshersystems.sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_skip_defaults: true
|
sshd_skip_defaults: true
|
||||||
sshd:
|
sshd_config:
|
||||||
Compression: true
|
Compression: true
|
||||||
ListenAddress:
|
ListenAddress:
|
||||||
- "0.0.0.0"
|
- "0.0.0.0"
|
||||||
|
@ -440,7 +443,7 @@ option:
|
||||||
name: willshersystems.sshd
|
name: willshersystems.sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_config_namespace: accept-env
|
sshd_config_namespace: accept-env
|
||||||
sshd:
|
sshd_config:
|
||||||
# there are some handy environment variables to accept
|
# there are some handy environment variables to accept
|
||||||
AcceptEnv:
|
AcceptEnv:
|
||||||
LANG
|
LANG
|
||||||
|
|
|
@ -37,9 +37,6 @@ sshd_sysconfig_override_crypto_policy: false
|
||||||
# generator
|
# generator
|
||||||
sshd_sysconfig_use_strong_rng: 0
|
sshd_sysconfig_use_strong_rng: 0
|
||||||
|
|
||||||
# Empty dicts to avoid errors
|
|
||||||
sshd: {}
|
|
||||||
|
|
||||||
# The path to sshd_config file. This is useful when creating an included
|
# The path to sshd_config file. This is useful when creating an included
|
||||||
# configuration file snippet or configuring second sshd service
|
# configuration file snippet or configuring second sshd service
|
||||||
sshd_config_file: "{{ __sshd_config_file }}"
|
sshd_config_file: "{{ __sshd_config_file }}"
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_config_namespace: accept-env
|
sshd_config_namespace: accept-env
|
||||||
sshd:
|
sshd_config:
|
||||||
# there are some handy environment variables to accept
|
# there are some handy environment variables to accept
|
||||||
AcceptEnv:
|
AcceptEnv:
|
||||||
LANG
|
LANG
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
# root login and password login is enabled only from a particular subnet
|
# root login and password login is enabled only from a particular subnet
|
||||||
PermitRootLogin: false
|
PermitRootLogin: false
|
||||||
PasswordAuthentication: false
|
PasswordAuthentication: false
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
# Disable password authentication, use SSH Certificates and configure authorized principals
|
# Disable password authentication, use SSH Certificates and configure authorized principals
|
||||||
PasswordAuthentication: false
|
PasswordAuthentication: false
|
||||||
TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pub
|
TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pub
|
||||||
|
|
|
@ -21,8 +21,8 @@
|
||||||
{% set value = undefined %}
|
{% set value = undefined %}
|
||||||
{% if override is defined %}
|
{% if override is defined %}
|
||||||
{% set value = override %}
|
{% set value = override %}
|
||||||
{% elif sshd[key] is defined %}
|
{% elif __sshd_config[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = __sshd_config[key] %}
|
||||||
{% elif sshd_main_config_file is not none
|
{% elif sshd_main_config_file is not none
|
||||||
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{# Do not use the defaults from main file to avoid recursion #}
|
{# Do not use the defaults from main file to avoid recursion #}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{% if sshd['Match'] is defined %}
|
{% if __sshd_config['Match'] is defined %}
|
||||||
{{ match_iterate_block(sshd['Match']) -}}
|
{{ match_iterate_block(__sshd_config['Match']) -}}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if sshd_match is defined %}
|
{% if sshd_match is defined %}
|
||||||
{{ match_iterate_block(sshd_match) -}}
|
{{ match_iterate_block(sshd_match) -}}
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
{% if sshd_TrustedUserCAKeys is defined %}
|
{% if sshd_TrustedUserCAKeys is defined %}
|
||||||
{{ sshd_TrustedUserCAKeys | to_json }}
|
{{ sshd_TrustedUserCAKeys | to_json }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{{ sshd['TrustedUserCAKeys'] | to_json }}
|
{{ __sshd_config['TrustedUserCAKeys'] | to_json }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
block:
|
block:
|
||||||
- name: Create Trusted user CA Keys directory
|
- name: Create Trusted user CA Keys directory
|
||||||
|
@ -32,7 +32,7 @@
|
||||||
{% if sshd_AuthorizedPrincipalsFile is defined %}
|
{% if sshd_AuthorizedPrincipalsFile is defined %}
|
||||||
{{ sshd_AuthorizedPrincipalsFile | to_json }}
|
{{ sshd_AuthorizedPrincipalsFile | to_json }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{{ sshd['AuthorizedPrincipalsFile'] | to_json }}
|
{{ __sshd_config['AuthorizedPrincipalsFile'] | to_json }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
when: sshd_principals != {}
|
when: sshd_principals != {}
|
||||||
block:
|
block:
|
||||||
|
|
|
@ -6,8 +6,8 @@
|
||||||
__sshd_ports_from_config_tmp: >-
|
__sshd_ports_from_config_tmp: >-
|
||||||
{% if sshd_Port is defined %}
|
{% if sshd_Port is defined %}
|
||||||
{{ sshd_Port | to_json }}
|
{{ sshd_Port | to_json }}
|
||||||
{% elif sshd['Port'] is defined %}
|
{% elif __sshd_config['Port'] is defined %}
|
||||||
{{ sshd['Port'] | to_json }}
|
{{ __sshd_config['Port'] | to_json }}
|
||||||
{% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %}
|
||||||
{{ __sshd_defaults['Port'] | to_json }}
|
{{ __sshd_defaults['Port'] | to_json }}
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: fedora.linux_system_roles.firewall
|
name: fedora.linux_system_roles.firewall
|
||||||
vars:
|
vars:
|
||||||
firewall:
|
firewall: # noqa: var-naming[no-role-prefix]
|
||||||
- service: ssh
|
- service: ssh
|
||||||
state: enabled
|
state: enabled
|
||||||
when:
|
when:
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: fedora.linux_system_roles.firewall
|
name: fedora.linux_system_roles.firewall
|
||||||
vars:
|
vars:
|
||||||
firewall:
|
firewall: # noqa: var-naming[no-role-prefix]
|
||||||
- port: "{{ sshd_item }}/tcp"
|
- port: "{{ sshd_item }}/tcp"
|
||||||
state: enabled
|
state: enabled
|
||||||
loop: "{{ __sshd_ports_from_config | from_json | d([]) }}"
|
loop: "{{ __sshd_ports_from_config | from_json | d([]) }}"
|
||||||
|
|
|
@ -33,8 +33,8 @@
|
||||||
- __sshd_hostkeys_nofips | d([])
|
- __sshd_hostkeys_nofips | d([])
|
||||||
|
|
||||||
- name: Make sure hostkeys are available and have expected permissions
|
- name: Make sure hostkeys are available and have expected permissions
|
||||||
vars: &share_vars
|
vars:
|
||||||
# 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
|
&share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
|
||||||
__sshd_fips_mode: >-
|
__sshd_fips_mode: >-
|
||||||
{{ __sshd_hostkeys_nofips | d([]) and
|
{{ __sshd_hostkeys_nofips | d([]) and
|
||||||
(__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
|
(__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
|
||||||
|
@ -44,8 +44,8 @@
|
||||||
__sshd_hostkeys_from_config: >-
|
__sshd_hostkeys_from_config: >-
|
||||||
{% if sshd_HostKey is defined %}
|
{% if sshd_HostKey is defined %}
|
||||||
{{ sshd_HostKey | to_json }}
|
{{ sshd_HostKey | to_json }}
|
||||||
{% elif sshd['HostKey'] is defined %}
|
{% elif __sshd_config['HostKey'] is defined %}
|
||||||
{{ sshd['HostKey'] | to_json }}
|
{{ __sshd_config['HostKey'] | to_json }}
|
||||||
{% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
|
||||||
{% if __sshd_fips_mode %}
|
{% if __sshd_fips_mode %}
|
||||||
{{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
|
{{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
|
||||||
|
|
|
@ -1,4 +1,11 @@
|
||||||
---
|
---
|
||||||
|
- name: Print that the sshd variable is deprecated
|
||||||
|
when: sshd is defined
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: >-
|
||||||
|
The sshd variable is deprecated and will be removed
|
||||||
|
in a future version. Edit your playbook to use
|
||||||
|
the sshd_config variable instead.
|
||||||
|
|
||||||
- name: Invoke the role, if enabled
|
- name: Invoke the role, if enabled
|
||||||
ansible.builtin.include_tasks: sshd.yml
|
ansible.builtin.include_tasks: sshd.yml
|
||||||
|
|
|
@ -23,8 +23,8 @@
|
||||||
{% set value = undefined %}
|
{% set value = undefined %}
|
||||||
{% if override is defined %}
|
{% if override is defined %}
|
||||||
{% set value = override %}
|
{% set value = override %}
|
||||||
{% elif sshd[key] is defined %}
|
{% elif __sshd_config[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = __sshd_config[key] %}
|
||||||
{% elif sshd_main_config_file is not none
|
{% elif sshd_main_config_file is not none
|
||||||
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{# Do not use the defaults from main file to avoid recursion #}
|
{# Do not use the defaults from main file to avoid recursion #}
|
||||||
|
@ -250,8 +250,8 @@ Match {{ match["Condition"] }}
|
||||||
{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
|
{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
|
||||||
{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
|
{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
|
||||||
{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
|
{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
|
||||||
{% if sshd['Match'] is defined %}
|
{% if __sshd_config['Match'] is defined %}
|
||||||
{{ match_iterate_block(sshd['Match']) -}}
|
{{ match_iterate_block(__sshd_config['Match']) -}}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if sshd_match is defined %}
|
{% if sshd_match is defined %}
|
||||||
{{ match_iterate_block(sshd_match) -}}
|
{{ match_iterate_block(sshd_match) -}}
|
||||||
|
|
|
@ -21,8 +21,8 @@
|
||||||
{% set value = undefined %}
|
{% set value = undefined %}
|
||||||
{% if override is defined %}
|
{% if override is defined %}
|
||||||
{% set value = override %}
|
{% set value = override %}
|
||||||
{% elif sshd[key] is defined %}
|
{% elif __sshd_config[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = __sshd_config[key] %}
|
||||||
{% elif sshd_main_config_file is not none
|
{% elif sshd_main_config_file is not none
|
||||||
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{# Do not use the defaults from main file to avoid recursion #}
|
{# Do not use the defaults from main file to avoid recursion #}
|
||||||
|
@ -248,8 +248,8 @@ Match {{ match["Condition"] }}
|
||||||
{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
|
{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
|
||||||
{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
|
{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
|
||||||
{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
|
{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
|
||||||
{% if sshd['Match'] is defined %}
|
{% if __sshd_config['Match'] is defined %}
|
||||||
{{ match_iterate_block(sshd['Match']) -}}
|
{{ match_iterate_block(__sshd_config['Match']) -}}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if sshd_match is defined %}
|
{% if sshd_match is defined %}
|
||||||
{{ match_iterate_block(sshd_match) -}}
|
{{ match_iterate_block(sshd_match) -}}
|
||||||
|
|
|
@ -5,6 +5,13 @@
|
||||||
when:
|
when:
|
||||||
- ansible_facts['distribution'] == 'Debian'
|
- ansible_facts['distribution'] == 'Debian'
|
||||||
|
|
||||||
|
- name: Ensure unminimize package is installed
|
||||||
|
ansible.builtin.apt:
|
||||||
|
pkg:
|
||||||
|
- unminimize
|
||||||
|
when:
|
||||||
|
- ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 24
|
||||||
|
|
||||||
- name: Determine if system is ostree and set flag
|
- name: Determine if system is ostree and set flag
|
||||||
when: not __sshd_is_ostree is defined
|
when: not __sshd_is_ostree is defined
|
||||||
block:
|
block:
|
||||||
|
|
|
@ -120,7 +120,7 @@
|
||||||
# The hostkeys are not valid either so do not validate them
|
# The hostkeys are not valid either so do not validate them
|
||||||
sshd_verify_hostkeys: []
|
sshd_verify_hostkeys: []
|
||||||
sshd_config_file: /tmp/sshd_config
|
sshd_config_file: /tmp/sshd_config
|
||||||
sshd:
|
sshd_config:
|
||||||
"{{ sshd_c }}"
|
"{{ sshd_c }}"
|
||||||
when: not sshd_skip_test
|
when: not sshd_skip_test
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
sshd_config_owner: "nobody"
|
sshd_config_owner: "nobody"
|
||||||
sshd_config_group: "nobody"
|
sshd_config_group: "nobody"
|
||||||
sshd_config_mode: "660"
|
sshd_config_mode: "660"
|
||||||
sshd:
|
sshd_config:
|
||||||
AcceptEnv: LANG
|
AcceptEnv: LANG
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes256-ctr
|
Ciphers: aes256-ctr
|
||||||
|
@ -46,7 +46,7 @@
|
||||||
# just anything -- will not get processed by sshd
|
# just anything -- will not get processed by sshd
|
||||||
sshd_config_file: /etc/ssh/sshd_config_custom_second
|
sshd_config_file: /etc/ssh/sshd_config_custom_second
|
||||||
sshd_skip_defaults: true
|
sshd_skip_defaults: true
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/issue2
|
Banner: /etc/issue2
|
||||||
Ciphers: aes128-ctr
|
Ciphers: aes128-ctr
|
||||||
sshd_MaxStartups: 100 # noqa var-naming
|
sshd_MaxStartups: 100 # noqa var-naming
|
||||||
|
@ -56,7 +56,7 @@
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_config_file: /etc/ssh/sshd_config
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes192-ctr
|
Ciphers: aes192-ctr
|
||||||
HostKey:
|
HostKey:
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
sshd_config_owner: "nobody"
|
sshd_config_owner: "nobody"
|
||||||
sshd_config_group: "nobody"
|
sshd_config_group: "nobody"
|
||||||
sshd_config_mode: "660"
|
sshd_config_mode: "660"
|
||||||
sshd:
|
sshd_config:
|
||||||
AcceptEnv: LANG
|
AcceptEnv: LANG
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes256-ctr
|
Ciphers: aes256-ctr
|
||||||
|
@ -50,7 +50,7 @@
|
||||||
# just anything -- will not get processed by sshd
|
# just anything -- will not get processed by sshd
|
||||||
sshd_config_file: /etc/ssh/sshd_config_custom_second
|
sshd_config_file: /etc/ssh/sshd_config_custom_second
|
||||||
sshd_skip_defaults: true
|
sshd_skip_defaults: true
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/issue2
|
Banner: /etc/issue2
|
||||||
Ciphers: aes128-ctr
|
Ciphers: aes128-ctr
|
||||||
sshd_MaxStartups: 100 # noqa var-naming
|
sshd_MaxStartups: 100 # noqa var-naming
|
||||||
|
@ -62,7 +62,7 @@
|
||||||
- ansible-sshd
|
- ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_config_file: /etc/ssh/sshd_config
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes192-ctr
|
Ciphers: aes192-ctr
|
||||||
HostKey:
|
HostKey:
|
||||||
|
|
|
@ -25,7 +25,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
PasswordAuthentication: false
|
PasswordAuthentication: false
|
||||||
TrustedUserCAKeys: /etc/ssh/ca-keys/trusted-user-ca-keys.pub
|
TrustedUserCAKeys: /etc/ssh/ca-keys/trusted-user-ca-keys.pub
|
||||||
AuthorizedPrincipalsFile: "/etc/ssh/auth_principals/%u"
|
AuthorizedPrincipalsFile: "/etc/ssh/auth_principals/%u"
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
vars:
|
vars:
|
||||||
sshd_config_file: /etc/ssh/sshd_config
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
sshd_config_namespace: nm1
|
sshd_config_namespace: nm1
|
||||||
sshd:
|
sshd_config:
|
||||||
PasswordAuthentication: true
|
PasswordAuthentication: true
|
||||||
PermitRootLogin: true
|
PermitRootLogin: true
|
||||||
Match:
|
Match:
|
||||||
|
@ -29,7 +29,7 @@
|
||||||
vars:
|
vars:
|
||||||
sshd_config_file: /etc/ssh/sshd_config
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
sshd_config_namespace: nm2
|
sshd_config_namespace: nm2
|
||||||
sshd:
|
sshd_config:
|
||||||
PasswordAuthentication: false
|
PasswordAuthentication: false
|
||||||
PermitRootLogin: false
|
PermitRootLogin: false
|
||||||
Match:
|
Match:
|
||||||
|
|
122
tests/tests_deprecated_sshd_variable.yml
Normal file
122
tests/tests_deprecated_sshd_variable.yml
Normal file
|
@ -0,0 +1,122 @@
|
||||||
|
---
|
||||||
|
- name: Test deprecated sshd variable via include_role using some common options
|
||||||
|
hosts: all
|
||||||
|
vars:
|
||||||
|
__sshd_test_backup_files:
|
||||||
|
- /etc/ssh/sshd_config
|
||||||
|
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
|
tasks:
|
||||||
|
- name: "Backup configuration files"
|
||||||
|
ansible.builtin.include_tasks: tasks/backup.yml
|
||||||
|
|
||||||
|
- name: Configure sshd
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ansible-sshd
|
||||||
|
vars:
|
||||||
|
sshd:
|
||||||
|
AcceptEnv: LANG
|
||||||
|
Banner: /etc/issue
|
||||||
|
Ciphers: aes256-ctr
|
||||||
|
Subsystem: "sftp internal-sftp"
|
||||||
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
- name: Verify the options are correctly set
|
||||||
|
tags: tests::verify
|
||||||
|
block:
|
||||||
|
- name: Flush handlers
|
||||||
|
ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
|
- name: List effective configuration using sshd -T
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
set -eu
|
||||||
|
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||||
|
set -o pipefail
|
||||||
|
fi
|
||||||
|
if test ! -f /etc/ssh/ssh_host_rsa_key; then
|
||||||
|
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
|
||||||
|
fi
|
||||||
|
sshd -T
|
||||||
|
register: runtime
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Print current configuration file
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: /etc/ssh/sshd_config
|
||||||
|
register: config
|
||||||
|
|
||||||
|
- name: Check the options are effective
|
||||||
|
# note, the options are in lower-case here
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- "'acceptenv LANG' in runtime.stdout"
|
||||||
|
- "'banner /etc/issue' in runtime.stdout"
|
||||||
|
- "'ciphers aes256-ctr' in runtime.stdout"
|
||||||
|
- "'subsystem sftp internal-sftp' in runtime.stdout"
|
||||||
|
|
||||||
|
- name: Check the options are in configuration file
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- "'AcceptEnv LANG' in config.content | b64decode"
|
||||||
|
- "'Banner /etc/issue' in config.content | b64decode"
|
||||||
|
- "'Ciphers aes256-ctr' in config.content | b64decode"
|
||||||
|
- "'Subsystem sftp internal-sftp' in config.content | b64decode"
|
||||||
|
|
||||||
|
- name: "Restore configuration files"
|
||||||
|
ansible.builtin.include_tasks: tasks/restore.yml
|
||||||
|
|
||||||
|
- name: Test deprecated sshd variable via role using some common options
|
||||||
|
hosts: all
|
||||||
|
vars:
|
||||||
|
__sshd_test_backup_files:
|
||||||
|
- /etc/ssh/sshd_config
|
||||||
|
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
|
pre_tasks:
|
||||||
|
- name: "Backup configuration files"
|
||||||
|
ansible.builtin.include_tasks: tasks/backup.yml
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- role: ansible-sshd
|
||||||
|
vars:
|
||||||
|
sshd:
|
||||||
|
AcceptEnv: LANG
|
||||||
|
Banner: /etc/issue
|
||||||
|
Ciphers: aes256-ctr
|
||||||
|
Subsystem: "sftp internal-sftp"
|
||||||
|
sshd_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Verify the options are correctly set
|
||||||
|
tags: tests::verify
|
||||||
|
block:
|
||||||
|
- name: Flush handlers
|
||||||
|
ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
|
- name: List effective configuration using sshd -T
|
||||||
|
ansible.builtin.command: sshd -T
|
||||||
|
register: runtime
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Print current configuration file
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: /etc/ssh/sshd_config
|
||||||
|
register: config
|
||||||
|
|
||||||
|
- name: Check the options are effective
|
||||||
|
# note, the options are in lower-case here
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- "'acceptenv LANG' in runtime.stdout"
|
||||||
|
- "'banner /etc/issue' in runtime.stdout"
|
||||||
|
- "'ciphers aes256-ctr' in runtime.stdout"
|
||||||
|
- "'subsystem sftp internal-sftp' in runtime.stdout"
|
||||||
|
|
||||||
|
- name: Check the options are in configuration file
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- "'AcceptEnv LANG' in config.content | b64decode"
|
||||||
|
- "'Banner /etc/issue' in config.content | b64decode"
|
||||||
|
- "'Ciphers aes256-ctr' in config.content | b64decode"
|
||||||
|
- "'Subsystem sftp internal-sftp' in config.content | b64decode"
|
||||||
|
|
||||||
|
- name: "Restore configuration files"
|
||||||
|
ansible.builtin.include_tasks: tasks/restore.yml
|
|
@ -36,7 +36,7 @@
|
||||||
vars:
|
vars:
|
||||||
sshd_manage_selinux: "{{ __sshd_test_selinux }}"
|
sshd_manage_selinux: "{{ __sshd_test_selinux }}"
|
||||||
sshd_manage_firewall: "{{ __sshd_test_firewall }}"
|
sshd_manage_firewall: "{{ __sshd_test_firewall }}"
|
||||||
sshd:
|
sshd_config:
|
||||||
Port: 22
|
Port: 22
|
||||||
|
|
||||||
- name: Verify the options are correctly set
|
- name: Verify the options are correctly set
|
||||||
|
@ -65,7 +65,7 @@
|
||||||
vars:
|
vars:
|
||||||
sshd_manage_firewall: "{{ __sshd_test_firewall }}"
|
sshd_manage_firewall: "{{ __sshd_test_firewall }}"
|
||||||
sshd_manage_selinux: "{{ __sshd_test_selinux }}"
|
sshd_manage_selinux: "{{ __sshd_test_selinux }}"
|
||||||
sshd:
|
sshd_config:
|
||||||
Port: 222
|
Port: 222
|
||||||
|
|
||||||
- name: Verify the options are correctly set
|
- name: Verify the options are correctly set
|
||||||
|
@ -93,7 +93,7 @@
|
||||||
vars:
|
vars:
|
||||||
sshd_manage_firewall: "{{ __sshd_test_firewall }}"
|
sshd_manage_firewall: "{{ __sshd_test_firewall }}"
|
||||||
sshd_manage_selinux: "{{ __sshd_test_selinux }}"
|
sshd_manage_selinux: "{{ __sshd_test_selinux }}"
|
||||||
sshd:
|
sshd_config:
|
||||||
Port:
|
Port:
|
||||||
- 22
|
- 22
|
||||||
- 222
|
- 222
|
||||||
|
@ -124,7 +124,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: fedora.linux_system_roles.firewall
|
name: fedora.linux_system_roles.firewall
|
||||||
vars:
|
vars:
|
||||||
firewall:
|
firewall: # noqa: var-naming[no-role-prefix]
|
||||||
- port: "222/tcp"
|
- port: "222/tcp"
|
||||||
state: disabled
|
state: disabled
|
||||||
when: __sshd_test_firewall
|
when: __sshd_test_firewall
|
||||||
|
@ -133,7 +133,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: fedora.linux_system_roles.selinux
|
name: fedora.linux_system_roles.selinux
|
||||||
vars:
|
vars:
|
||||||
selinux:
|
selinux: # noqa: var-naming[no-role-prefix]
|
||||||
port: 222
|
port: 222
|
||||||
proto: tcp
|
proto: tcp
|
||||||
setype: ssh_port_t
|
setype: ssh_port_t
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
sshd_hostkey_owner: "nobody"
|
sshd_hostkey_owner: "nobody"
|
||||||
sshd_hostkey_group: "nobody"
|
sshd_hostkey_group: "nobody"
|
||||||
sshd_hostkey_mode: "0664"
|
sshd_hostkey_mode: "0664"
|
||||||
sshd:
|
sshd_config:
|
||||||
HostKey:
|
HostKey:
|
||||||
- /tmp/ssh_host_rsa_key2
|
- /tmp/ssh_host_rsa_key2
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_verify_hostkeys: []
|
sshd_verify_hostkeys: []
|
||||||
sshd:
|
sshd_config:
|
||||||
HostKey:
|
HostKey:
|
||||||
- /tmp/missing_ssh_host_rsa_key
|
- /tmp/missing_ssh_host_rsa_key
|
||||||
register: role_result
|
register: role_result
|
||||||
|
|
|
@ -37,7 +37,7 @@
|
||||||
sshd_hostkey_owner: "nobody"
|
sshd_hostkey_owner: "nobody"
|
||||||
sshd_hostkey_group: "nobody"
|
sshd_hostkey_group: "nobody"
|
||||||
sshd_hostkey_mode: "0664"
|
sshd_hostkey_mode: "0664"
|
||||||
sshd:
|
sshd_config:
|
||||||
HostKey:
|
HostKey:
|
||||||
- /tmp/ssh_host_rsa_key2
|
- /tmp/ssh_host_rsa_key2
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/include-issue
|
Banner: /etc/include-issue
|
||||||
Ciphers: aes192-ctr
|
Ciphers: aes192-ctr
|
||||||
when:
|
when:
|
||||||
|
@ -114,7 +114,7 @@
|
||||||
sshd_config_file: /etc/ssh/custom_sshd_config.d/custom-drop-in
|
sshd_config_file: /etc/ssh/custom_sshd_config.d/custom-drop-in
|
||||||
sshd_main_config_file: /etc/ssh/custom_sshd_config
|
sshd_main_config_file: /etc/ssh/custom_sshd_config
|
||||||
sshd_drop_in_dir_mode: '0770'
|
sshd_drop_in_dir_mode: '0770'
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/include-issue
|
Banner: /etc/include-issue
|
||||||
Ciphers: aes192-ctr
|
Ciphers: aes192-ctr
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
PasswordAuthentication: true
|
PasswordAuthentication: true
|
||||||
PermitRootLogin: true
|
PermitRootLogin: true
|
||||||
AcceptEnv:
|
AcceptEnv:
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
||||||
sshd_verify_hostkeys:
|
sshd_verify_hostkeys:
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
- /etc/ssh/ssh_host_rsa_key
|
||||||
sshd:
|
sshd_config:
|
||||||
Match:
|
Match:
|
||||||
Condition: "User xusers"
|
Condition: "User xusers"
|
||||||
X11Forwarding: true
|
X11Forwarding: true
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
||||||
sshd_verify_hostkeys:
|
sshd_verify_hostkeys:
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
- /etc/ssh/ssh_host_rsa_key
|
||||||
sshd:
|
sshd_config:
|
||||||
Match:
|
Match:
|
||||||
- Condition: "User xusers"
|
- Condition: "User xusers"
|
||||||
X11Forwarding: true
|
X11Forwarding: true
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes256-ctr
|
Ciphers: aes256-ctr
|
||||||
HostKey: /etc/ssh/ssh_host_rsa_key
|
HostKey: /etc/ssh/ssh_host_rsa_key
|
||||||
|
|
|
@ -34,7 +34,7 @@
|
||||||
sshd_config_file: /etc/ssh2/sshd_config
|
sshd_config_file: /etc/ssh2/sshd_config
|
||||||
sshd_install_service: true
|
sshd_install_service: true
|
||||||
sshd_manage_selinux: true
|
sshd_manage_selinux: true
|
||||||
sshd:
|
sshd_config:
|
||||||
Port: 2222
|
Port: 2222
|
||||||
ForceCommand: echo "CONNECTED2"
|
ForceCommand: echo "CONNECTED2"
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@
|
||||||
sshd_config_file: /etc/ssh2/sshd_config.d/04-ansible.conf
|
sshd_config_file: /etc/ssh2/sshd_config.d/04-ansible.conf
|
||||||
sshd_install_service: true
|
sshd_install_service: true
|
||||||
sshd_manage_selinux: true
|
sshd_manage_selinux: true
|
||||||
sshd:
|
sshd_config:
|
||||||
Port: 2222
|
Port: 2222
|
||||||
ForceCommand: echo "CONNECTED2"
|
ForceCommand: echo "CONNECTED2"
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
AcceptEnv: LANG
|
AcceptEnv: LANG
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes256-ctr
|
Ciphers: aes256-ctr
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd:
|
sshd_config:
|
||||||
# Unsupported in new versions, but ignored ?
|
# Unsupported in new versions, but ignored ?
|
||||||
Protocol: 1
|
Protocol: 1
|
||||||
UsePrivilegeSeparation: false
|
UsePrivilegeSeparation: false
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
name: ansible-sshd
|
name: ansible-sshd
|
||||||
vars:
|
vars:
|
||||||
sshd_enable: false
|
sshd_enable: false
|
||||||
sshd:
|
sshd_config:
|
||||||
AcceptEnv: XDG_*
|
AcceptEnv: XDG_*
|
||||||
Banner: /etc/issue
|
Banner: /etc/issue
|
||||||
Ciphers: aes256-ctr,aes128-ctr
|
Ciphers: aes256-ctr,aes128-ctr
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
---
|
---
|
||||||
|
__sshd_config: "{{ sshd_config | default({}) or sshd | default({}) }}"
|
||||||
__sshd_config_file: "/etc/ssh/sshd_config"
|
__sshd_config_file: "/etc/ssh/sshd_config"
|
||||||
__sshd_config_owner: "root"
|
__sshd_config_owner: "root"
|
||||||
__sshd_config_group: "root"
|
__sshd_config_group: "root"
|
||||||
|
@ -54,7 +55,7 @@ __sshd_runtime_directory_mode: "0755"
|
||||||
# drop-in directory is used
|
# drop-in directory is used
|
||||||
__sshd_main_config_file: ~
|
__sshd_main_config_file: ~
|
||||||
|
|
||||||
__sshd_drop_in_dir_mode: '0755'
|
__sshd_drop_in_dir_mode: "0755"
|
||||||
|
|
||||||
# The list of hostkeys to check when there are none listed in configuration file.
|
# The list of hostkeys to check when there are none listed in configuration file.
|
||||||
# This is usually the case when the selection is up to the OpenSSH defaults or
|
# This is usually the case when the selection is up to the OpenSSH defaults or
|
||||||
|
|
Loading…
Reference in a new issue