Merge branch 'release/0.1.0'

Matt Willsher 2014-12-25 12:16:54 +00:00
commit db123d0884
18 changed files with 443 additions and 130 deletions

2
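--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,2 @@
+0.1.0 25 December 2014 Matt Willsher <matt@willsher.systems>
+- Initial release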


@ -1,20 +1,65 @@
# Ansible OpenSSH Daemon Role # Ansible OpenSSH Daemon Role
This role configures OpenSSH. It: This role configures the OpenSSH daemon. It:
- By default, with no set options, creates an empty configuration file. - By default configures the SSH daemon with the normal OS defaults. Defaults can be disabled by setting `sshd_skip_defaults: true`
- Can use a dict of the form: - Supports use of a dict to configure items:
```
```yaml
sshd: sshd:
Compression: delayed Compression: delayed
ListenAddress: ListenAddress:
- 0.0.0.0 - 0.0.0.0
```
- Can use scalars rather than a dict. Scalar values override dict values:
```yaml
sshd_Compression: off
```
- Correctly interprets booleans as yes and no in sshd configuration
- Supports lists for multi line configuration items:
```yaml
sshd_ListenAddress:
- 0.0.0.0
- :: - ::
``` ```
- Can also use scalar variables of the form `sshd_ListenAddress`
- Scalar override dict values.
- Allows the use of booleans for keys with yes/no values, including those with additional non-boolean values such as `Compression`, which has the additional `delayed` option
- Tests the sshd_config before reloading sshd
- Template is programmatically generated. See the files in the meta folder.
It should cover all valid SSH options. - Tests the sshd_config before reloading sshd
- Template is programmatically generated. See the files in the meta folder. It should cover all valid SSH options. To regenerate the template, in the meta directory run `./make_option_list >../templates/sshd_config.j2`
- Supports match section either via Match in the sshd dict, sshd_match and any of sshd_match_1 through sshd_match_9. Match items can either be a dict or an array.
## Complete example
```yaml
---
sshd_skip_defaults: true
sshd:
Compression: true
ListenAddres:
- "0.0.0.0"
- "::"
GSSAPIAuthentication: no
Match:
- Condition: "Group user"
GSSAPIAuthentication: yes
sshd_UsePrivilegeSeparation: sandbox
sshd_match:
- Condition: "Group xusers"
X11Forwarding: yes
```
Results in:
```
# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
Match Group user
GSSAPIAuthentication yes
Match Group xusers
X11Forwarding yes
```


@ -12,6 +12,7 @@ sshd: {}
sshd_packages: [] sshd_packages: []
sshd_config_owner: root sshd_config_owner: root
sshd_config_group: root sshd_config_group: root
sshd_config_mode: "0600"
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
sshd_binary: /usr/sbin/sshd sshd_binary: /usr/sbin/sshd
sshd_service: sshd sshd_service: sshd


@ -1,13 +1,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% macro render_option(key,override) %} {% macro render_option(key,value,indent=false) %}
{% if override is defined %}
{% set value = override %}
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
{% set value = sshd_defaults[key] %}
{% endif %}
{% if value is defined %} {% if value is defined %}
{% if indent == true %} {% endif %}
{% if value is sameas true %} {% if value is sameas true %}
{{ key }} yes {{ key }} yes
{% elif value is sameas false %} {% elif value is sameas false %}
@ -21,3 +15,20 @@
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endmacro %} {% endmacro %}
{% macro body_option(key,override) %}
{% if override is defined %}
{% set value = override %}
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
{% set value = sshd_defaults[key] %}
{% endif %}
{{ render_option(key,value) -}}
{% endmacro %}
{% macro match_block(match_list) %}
{% if match_list["Condition"] is defined %}
{% set match_list = [ match_list ]%}
{% endif %}
{% if match_list is iterable %}
{% for match in match_list %}
Match {{ match["Condition"] }}
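Review bot: `body_option` and the Match rendering look every option up by name from a fixed, generated key list, so a key in `sshd`, `sshd_defaults` or a Match dict that is not in that list (a typo, or a keyword newer than the list) is dropped without any warning, and the later `sshd -t` check cannot notice an option that was never written. For a role whose job is to set access controls, silently omitting a setting is the worst failure mode; at minimum the README should say so, e.g. `Keys not present in meta/options_body (or meta/options_match inside Match blocks) are silently ignored — diff the rendered sshd_config against your intent.` A stronger fix would be an `assert` task that rejects unknown keys before the template runs. Note also that `match_block` emits `Match {{ match["Condition"] }}` unconditionally, so an entry without `Condition` yields a bare `Match` line; that one at least is caught by the config test.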

3
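--- /dev/null
+++ b/meta/20_middle.j2
@@ -0,0 +1,3 @@
+{% endfor %}
+{% endif %}
+{% endmacro %}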

33
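--- /dev/null
+++ b/meta/30_bottom.j2
@@ -0,0 +1,33 @@
+{% if sshd['Match'] is defined %}
+{{ match_block(sshd['Match']) -}}
+{% endif %}
+{% if sshd_match is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_1 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_2 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_3 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_4 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_5 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_6 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_7 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_8 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}
+{% if sshd_match_9 is defined %}
+{{ match_block(sshd_match) -}}
+{% endif %}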
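Review bot: Every `sshd_match_1` … `sshd_match_9` branch calls `match_block(sshd_match)` instead of `match_block(sshd_match_N)`, so the numbered variables are never rendered: with only `sshd_match_1` set, nothing is emitted for it (and `sshd_match` is undefined at that point), and with both set the `sshd_match` block is written twice while `sshd_match_1` is silently dropped. For a Match block meant to tighten access (e.g. `PasswordAuthentication no` for a group) this is a silent loss of a security control that `sshd -t` will not catch. Each branch should pass its own variable, e.g. `{{ match_block(sshd_match_1) -}}`; the same lines are inlined into templates/sshd_config.j2 in this commit, so the template must be regenerated after the fix.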


@ -1,20 +1,24 @@
--- ---
galaxy_info: galaxy_info:
author: Matt Willsher author: Matt Willsher
description: OpenSSH Deamon configuration description: OpenSSH SSH deamon configuration
company: Willsher Systems company: Willsher Systems
license: MIT license: GPLv3
min_ansible_version: 1.8 min_ansible_version: 1.8
platforms: platforms:
- name: Ubuntu
versions:
- all
- name: Debian - name: Debian
versions: versions:
- all - wheezy
- name: Ubuntu
versions:
- trusty
- name: FreeBSD - name: FreeBSD
version: version:
- all - 10.1
- name: EL
versions:
- 6
- 7
categories: categories:
- system - system
dependencies: [] dependencies: []


@ -1,7 +1,16 @@
#!/bin/sh #!/bin/sh
cat macros.j2 cat 10_top.j2
cat ssh_options | cat options_match |
awk '{ awk '{
print "{{ render_option(\""$1"\",sshd_"$1") -}}" print "{{ render_option(\""$1"\",match[\""$1"\"],true) -}}"
}' }'
cat 20_middle.j2
cat options_body |
awk '{
print "{{ body_option(\""$1"\",sshd_"$1") -}}"
}'
cat 30_bottom.j2

33
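--- /dev/null
+++ b/meta/options_match
@@ -0,0 +1,33 @@
+AllowAgentForwarding
+AllowGroups
+AllowTcpForwarding
+AllowUsers
+AuthenticationMethods
+AuthorizedKeysCommand
+AuthorizedKeysCommandUser
+AuthorizedKeysFile
+AuthorizedPrincipalsFile
+Banner
+ChrootDirectory
+DenyGroups
+DenyUsers
+ForceCommand
+GatewayPorts
+GSSAPIAuthentication
+HostbasedAuthentication
+HostbasedUsesNameFromPacketOnly
+KbdInteractiveAuthentication
+KerberosAuthentication
+MaxAuthTries
+MaxSessions
+PasswordAuthentication
+PermitEmptyPasswords
+PermitOpen
+PermitRootLogin
+PermitTunnel
+PubkeyAuthentication
+RhostsRSAAuthentication
+RSAAuthentication
+X11DisplayOffset
+X11Forwarding
+X11UseLocalHost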
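Review bot: `X11UseLocalHost` here does not match the `X11UseLocalhost` spelling used in the body option list (`body_option("X11UseLocalhost", …)` in the generated template), and the dict lookup `match["X11UseLocalHost"]` is case-sensitive even though sshd keywords are not, so a user who writes `X11UseLocalhost` inside a Match dict, matching the body spelling, has the option silently dropped. Pick one spelling for both lists. The list also appears to omit some keywords that sshd(5) allows inside Match — `PermitTTY`, `RekeyLimit`, `TrustedUserCAKeys`, `AcceptEnv` — which would likewise be dropped without warning; worth checking against the man page for the OpenSSH versions the role targets.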


@ -2,6 +2,7 @@
- name: Role set up - name: Role set up
include_vars: "{{ item }}" include_vars: "{{ item }}"
with_first_found: with_first_found:
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml" - "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml" - "{{ ansible_os_family }}.yml"
- default.yml - default.yml
@ -13,17 +14,13 @@
state=installed state=installed
with_items: sshd_packages with_items: sshd_packages
- name: Debug config
debug: var=sshd
when: sshd_debug is defined
- name: Configured - name: Configured
template: template:
src: sshd_config.j2 src: sshd_config.j2
dest: "{{ sshd_config_file }}" dest: "{{ sshd_config_file }}"
owner: "{{ sshd_config_owner }}" owner: "{{ sshd_config_owner }}"
group: "{{ sshd_config_group }}" group: "{{ sshd_config_group }}"
mode: 644 mode: "{{ sshd_config_mode }}"
notify: check and reload sshd notify: check and reload sshd
- name: Service enabled and running - name: Service enabled and running
@ -31,3 +28,4 @@
name: "{{ sshd_service }}" name: "{{ sshd_service }}"
enabled: true enabled: true
state: running state: running
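Review bot: The `Configured` template task writes sshd_config to its final path before the notified handler tests it, so a config that fails `sshd -t` is already on disk; the running daemon keeps its old configuration, but the next restart or reboot leaves sshd unable to start and the host unreachable. Use the template module's `validate` so the file is only installed if it parses — `validate: "{{ sshd_binary }} -t -f %s"` on that task (`sshd_binary` is already a role default) — after which the handler can be a plain reload. The final `@ -31,3 +28,4 @@` hunk advertises one added line that is not visible in this view, so the service task may be incomplete here.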


@ -1,13 +1,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% macro render_option(key,override) %} {% macro render_option(key,value,indent=false) %}
{% if override is defined %}
{% set value = override %}
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
{% set value = sshd_defaults[key] %}
{% endif %}
{% if value is defined %} {% if value is defined %}
{% if indent == true %} {% endif %}
{% if value is sameas true %} {% if value is sameas true %}
{{ key }} yes {{ key }} yes
{% elif value is sameas false %} {% elif value is sameas false %}
@ -21,88 +15,174 @@
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endmacro %} {% endmacro %}
{{ render_option("Port",sshd_Port) -}} {% macro body_option(key,override) %}
{{ render_option("ListenAddress",sshd_ListenAddress) -}} {% if override is defined %}
{{ render_option("Protocol",sshd_Protocol) -}} {% set value = override %}
{{ render_option("HostKey",sshd_HostKey) -}} {% elif sshd[key] is defined %}
{{ render_option("AcceptEnv",sshd_AcceptEnv) -}} {% set value = sshd[key] %}
{{ render_option("AddressFamily",sshd_AddressFamily) -}} {% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
{{ render_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}} {% set value = sshd_defaults[key] %}
{{ render_option("AllowGroups",sshd_AllowGroups) -}} {% endif %}
{{ render_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}} {{ render_option(key,value) -}}
{{ render_option("AllowUsers",sshd_AllowUsers) -}} {% endmacro %}
{{ render_option("AuthenticationMethods",sshd_AuthenticationMethods) -}} {% macro match_block(match_list) %}
{{ render_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}} {% if match_list["Condition"] is defined %}
{{ render_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}} {% set match_list = [ match_list ]%}
{{ render_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}} {% endif %}
{{ render_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}} {% if match_list is iterable %}
{{ render_option("Banner",sshd_Banner) -}} {% for match in match_list %}
{{ render_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}} Match {{ match["Condition"] }}
{{ render_option("ChrootDirectory",sshd_ChrootDirectory) -}} {{ render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
{{ render_option("Ciphers",sshd_Ciphers) -}} {{ render_option("AllowGroups",match["AllowGroups"],true) -}}
{{ render_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}} {{ render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
{{ render_option("ClientAliveInterval",sshd_ClientAliveInterval) -}} {{ render_option("AllowUsers",match["AllowUsers"],true) -}}
{{ render_option("Compression",sshd_Compression) -}} {{ render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
{{ render_option("DenyGroups",sshd_DenyGroups) -}} {{ render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
{{ render_option("DenyUsers",sshd_DenyUsers) -}} {{ render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
{{ render_option("ForceCommand",sshd_ForceCommand) -}} {{ render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
{{ render_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}} {{ render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
{{ render_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}} {{ render_option("Banner",match["Banner"],true) -}}
{{ render_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}} {{ render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
{{ render_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}} {{ render_option("DenyGroups",match["DenyGroups"],true) -}}
{{ render_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}} {{ render_option("DenyUsers",match["DenyUsers"],true) -}}
{{ render_option("GatewayPorts",sshd_GatewayPorts) -}} {{ render_option("ForceCommand",match["ForceCommand"],true) -}}
{{ render_option("HPNBufferSize",sshd_HPNBufferSize) -}} {{ render_option("GatewayPorts",match["GatewayPorts"],true) -}}
{{ render_option("HPNDisabled",sshd_HPNDisabled) -}} {{ render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
{{ render_option("HostCertificate",sshd_HostCertificate) -}} {{ render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
{{ render_option("HostKeyAgent",sshd_HostKeyAgent) -}} {{ render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
{{ render_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}} {{ render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
{{ render_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}} {{ render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
{{ render_option("IPQoS",sshd_IPQoS) -}} {{ render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
{{ render_option("IgnoreRhosts",sshd_IgnoreRhosts) -}} {{ render_option("MaxSessions",match["MaxSessions"],true) -}}
{{ render_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}} {{ render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
{{ render_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}} {{ render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
{{ render_option("KerberosAuthentication",sshd_KerberosAuthentication) -}} {{ render_option("PermitOpen",match["PermitOpen"],true) -}}
{{ render_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}} {{ render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
{{ render_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}} {{ render_option("PermitTunnel",match["PermitTunnel"],true) -}}
{{ render_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}} {{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
{{ render_option("KexAlgorithms",sshd_KexAlgorithms) -}} {{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
{{ render_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}} {{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
{{ render_option("LogLevel",sshd_LogLevel) -}} {{ render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
{{ render_option("LoginGraceTime",sshd_LoginGraceTime) -}} {{ render_option("X11Forwarding",match["X11Forwarding"],true) -}}
{{ render_option("MACs",sshd_MACs) -}} {{ render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
{{ render_option("MaxAuthTries",sshd_MaxAuthTries) -}} {% endfor %}
{{ render_option("MaxSessions",sshd_MaxSessions) -}} {% endif %}
{{ render_option("MaxStartups",sshd_MaxStartups) -}} {% endmacro %}
{{ render_option("NoneEnabled",sshd_NoneEnabled) -}} {{ body_option("Port",sshd_Port) -}}
{{ render_option("PasswordAuthentication",sshd_PasswordAuthentication) -}} {{ body_option("ListenAddress",sshd_ListenAddress) -}}
{{ render_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}} {{ body_option("Protocol",sshd_Protocol) -}}
{{ render_option("PermitOpen",sshd_PermitOpen) -}} {{ body_option("HostKey",sshd_HostKey) -}}
{{ render_option("PermitRootLogin",sshd_PermitRootLogin) -}} {{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
{{ render_option("PermitTTY",sshd_PermitTTY) -}} {{ body_option("AddressFamily",sshd_AddressFamily) -}}
{{ render_option("PermitTunnel",sshd_PermitTunnel) -}} {{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
{{ render_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}} {{ body_option("AllowGroups",sshd_AllowGroups) -}}
{{ render_option("PidFile",sshd_PidFile) -}} {{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
{{ render_option("PrintLastLog",sshd_PrintLastLog) -}} {{ body_option("AllowUsers",sshd_AllowUsers) -}}
{{ render_option("PrintMotd",sshd_PrintMotd) -}} {{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
{{ render_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}} {{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
{{ render_option("RSAAuthentication",sshd_RSAAuthentication) -}} {{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
{{ render_option("RekeyLimit",sshd_RekeyLimit) -}} {{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
{{ render_option("RevokedKeys",sshd_RevokedKeys) -}} {{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
{{ render_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}} {{ body_option("Banner",sshd_Banner) -}}
{{ render_option("ServerKeyBits",sshd_ServerKeyBits) -}} {{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
{{ render_option("StrictModes",sshd_StrictModes) -}} {{ body_option("ChrootDirectory",sshd_ChrootDirectory) -}}
{{ render_option("Subsystem",sshd_Subsystem) -}} {{ body_option("Ciphers",sshd_Ciphers) -}}
{{ render_option("SyslogFacility",sshd_SyslogFacility) -}} {{ body_option("ClientAliveCountMax",sshd_ClientAliveCountMax) -}}
{{ render_option("TCPKeepAlive",sshd_TCPKeepAlive) -}} {{ body_option("ClientAliveInterval",sshd_ClientAliveInterval) -}}
{{ render_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}} {{ body_option("Compression",sshd_Compression) -}}
{{ render_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}} {{ body_option("DenyGroups",sshd_DenyGroups) -}}
{{ render_option("UseDNS",sshd_UseDNS) -}} {{ body_option("DenyUsers",sshd_DenyUsers) -}}
{{ render_option("UseLogin",sshd_UseLogin) -}} {{ body_option("ForceCommand",sshd_ForceCommand) -}}
{{ render_option("UsePAM",sshd_UsePAM) -}} {{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
{{ render_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}} {{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
{{ render_option("VersionAddendum",sshd_VersionAddendum) -}} {{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
{{ render_option("X11DisplayOffset",sshd_X11DisplayOffset) -}} {{ body_option("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) -}}
{{ render_option("X11Forwarding",sshd_X11Forwarding) -}} {{ body_option("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) -}}
{{ render_option("X11UseLocalhost",sshd_X11UseLocalhost) -}} {{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
{{ render_option("XAuthLocation",sshd_XAuthLocation) -}} {{ body_option("HPNBufferSize",sshd_HPNBufferSize) -}}
{{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
{{ body_option("HostCertificate",sshd_HostCertificate) -}}
{{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
{{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
{{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
{{ body_option("IPQoS",sshd_IPQoS) -}}
{{ body_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
{{ body_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}
{{ body_option("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) -}}
{{ body_option("KerberosAuthentication",sshd_KerberosAuthentication) -}}
{{ body_option("KerberosGetAFSToken",sshd_KerberosGetAFSToken) -}}
{{ body_option("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) -}}
{{ body_option("KerberosTicketCleanup",sshd_KerberosTicketCleanup) -}}
{{ body_option("KexAlgorithms",sshd_KexAlgorithms) -}}
{{ body_option("KeyRegenerationInterval",sshd_KeyRegenerationInterval) -}}
{{ body_option("LogLevel",sshd_LogLevel) -}}
{{ body_option("LoginGraceTime",sshd_LoginGraceTime) -}}
{{ body_option("MACs",sshd_MACs) -}}
{{ body_option("MaxAuthTries",sshd_MaxAuthTries) -}}
{{ body_option("MaxSessions",sshd_MaxSessions) -}}
{{ body_option("MaxStartups",sshd_MaxStartups) -}}
{{ body_option("NoneEnabled",sshd_NoneEnabled) -}}
{{ body_option("PasswordAuthentication",sshd_PasswordAuthentication) -}}
{{ body_option("PermitEmptyPasswords",sshd_PermitEmptyPasswords) -}}
{{ body_option("PermitOpen",sshd_PermitOpen) -}}
{{ body_option("PermitRootLogin",sshd_PermitRootLogin) -}}
{{ body_option("PermitTTY",sshd_PermitTTY) -}}
{{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
{{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
{{ body_option("PidFile",sshd_PidFile) -}}
{{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
{{ body_option("PrintMotd",sshd_PrintMotd) -}}
{{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
{{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
{{ body_option("StrictModes",sshd_StrictModes) -}}
{{ body_option("Subsystem",sshd_Subsystem) -}}
{{ body_option("SyslogFacility",sshd_SyslogFacility) -}}
{{ body_option("TCPKeepAlive",sshd_TCPKeepAlive) -}}
{{ body_option("TcpRcvBufPoll",sshd_TcpRcvBufPoll) -}}
{{ body_option("TrustedUserCAKeys",sshd_TrustedUserCAKeys) -}}
{{ body_option("UseDNS",sshd_UseDNS) -}}
{{ body_option("UseLogin",sshd_UseLogin) -}}
{{ body_option("UsePAM",sshd_UsePAM) -}}
{{ body_option("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) -}}
{{ body_option("VersionAddendum",sshd_VersionAddendum) -}}
{{ body_option("X11DisplayOffset",sshd_X11DisplayOffset) -}}
{{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
{{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
{{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
{% if sshd['Match'] is defined %}
{{ match_block(sshd['Match']) -}}
{% endif %}
{% if sshd_match is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_1 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_2 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_3 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_4 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_5 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_6 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_7 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_8 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_9 is defined %}
{{ match_block(sshd_match) -}}
{% endif %}

22
vars/Amazon.yml Normal file

@ -0,0 +1,22 @@
---
sshd_config_mode: '0644'
sshd_packages:
- openssh
- openssh-server
sshd_sftp_server: /usr/libexec/openssh/sftp-server
sshd:
SyslogFacility: AUTHPRIV
PermitRootLogin: forced-commands-only
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: no
ChallengeResponseAuthentication: no
UsePAM: yes
X11Forwarding: yes
PrintLastLog: yes
UsePrivilegeSeparation: sandbox
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ sshd_sftp_server }}"
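Review bot: This vars file populates `sshd:` rather than `sshd_defaults:` as the Debian and RedHat files in the same commit do. `sshd` is the user-facing dict (`sshd: {}` in defaults/main.yml), and in Ansible 1.x values loaded by `include_vars` take precedence over play and inventory variables, so on Amazon Linux the operator's own `sshd` dict appears to be replaced by these values and `sshd_skip_defaults: true` cannot switch them off. Rename the key to `sshd_defaults:` so the values go through `body_option`'s default path like the other platforms.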


@ -5,10 +5,37 @@ sshd_packages:
- openssh-blacklist - openssh-blacklist
- openssh-blacklist-extra - openssh-blacklist-extra
- openssh-sftp-server - openssh-sftp-server
sshd_config_mode: "0644"
sshd_defaults: sshd_defaults:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeperation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbaseAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no ChallengeResponseAuthentication: no
X11Forwarding: yes X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: LANG LC_* AcceptEnv: LANG LC_*
Subsystem: sftp {{ sshd_sftp_server }} Subsystem: "sftp {{ sshd_sftp_server }}"
UsePAM: yes UsePAM: yes
Match:
- Condition: User vagrant
MaxSessions: 10
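Review bot: The `Match: - Condition: User vagrant / MaxSessions: 10` entry at the end of `sshd_defaults` looks like a test-box artefact rather than a Debian default; with `sshd_skip_defaults` unset every Debian host will get a `Match User vagrant` block, so the whole `Match:` key should be dropped. Two keys are also misspelled — `UsePrivilegeSeperation` and `HostbaseAuthentication` — and because the template only renders keys from its fixed option list, these defaults are silently never written; they should read `UsePrivilegeSeparation: yes` and `HostbasedAuthentication: no`. `PermitRootLogin: yes` faithfully mirrors the distribution's shipped file but is the permissive setting; a README caveat that these are vendor defaults, not a hardened baseline, would help operators.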


@ -1,3 +1,4 @@
--- ---
sshd_config_group: wheel sshd_config_group: wheel
sshd_config_mode: "0644"
sshd_sftp_server: /usr/libexec/sftp-server sshd_sftp_server: /usr/libexec/sftp-server

20
vars/RedHat_6.yml Normal file

@ -0,0 +1,20 @@
---
sshd_packages:
- openssh
- openssh-server
sshd_sftp_server: /usr/libexec/openssh/sftp-server
sshd_defaults:
Protocol: 2
SyslogFacility: AUTHPRIV
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
AcceptEnv:
- LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
X11Forwarding: yes
Subsystem: "sftp {{ sshd_sftp_server }}"
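Review bot: `LC_TYPE` in the `AcceptEnv` list should be `LC_CTYPE`, as in the stock RHEL file and in `vars/Amazon.yml` from this same commit; as written, `LC_CTYPE` is not accepted from clients while a non-existent variable is. Change the first list item to `- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES`.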

24
vars/RedHat_7.yml Normal file

@ -0,0 +1,24 @@
---
sshd_packages:
- openssh
- openssh-server
sshd_sftp_server: /usr/libexec/openssh/sftp-server
sshd_defaults:
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
SyslogFacility: AUTHPRIV
AuthorizedKeysFile: .ssh/authorized_keys
PasswordAuthentication: yes
ChallengeResponseAuthentication: no
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
X11Forwarding: yes
UsePrivilegeSeperation: sandbox
AcceptEnv:
- LANG LC_TYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: "sftp {{ sshd_sftp_server }}"
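Review bot: `UsePrivilegeSeperation: sandbox` is misspelled; the template renders only keys it knows (`UsePrivilegeSeparation`), so this default is silently dropped and the line never reaches sshd_config — change it to `UsePrivilegeSeparation: sandbox`. The `AcceptEnv` list also has `LC_TYPE` where the stock RHEL file (and `vars/Amazon.yml` in this commit) has `LC_CTYPE`, so `LC_CTYPE` is not accepted from clients. The same `LC_TYPE` typo is present in `vars/RedHat_6.yml`.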


@ -34,5 +34,5 @@ sshd_defaults:
PrintLastLog: yes PrintLastLog: yes
TCPKeepAlive: yes TCPKeepAlive: yes
AcceptEnv: LANG LC_* AcceptEnv: LANG LC_*
Subsystem: sftp {{ sshd_sftp_server }} Subsystem: "sftp {{ sshd_sftp_server }}"
UsePAM: yes UsePAM: yes