Merge pull request #189 from willshersystems/docs-update

Matt Willsher 2022-06-06 10:19:26 +01:00 committed by GitHub
commit e45987e3c7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 302 additions and 273 deletions


@ -1,6 +1,4 @@
warn_list: # or 'skip_list' to silence them completely
- '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern
- '306' # Shells that use pipes should set the pipefail option
- 'fqcn-builtins' # this is not compatible with ansible 2.6 on RHEL6
exclude_paths:
- tests/roles/


@ -11,6 +11,7 @@ jobs:
# Workaround missing support for end_host in old ansible
- run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml"
- run: "sed -i -e 's/.*public: true//' tests/tasks/restore.yml"
- run: "sed -i -e 's/ansible.builtin.//g' */*.yml */*/*.yml"
- name: ansible check with centos 6
uses: roles-ansible/check-ansible-centos-centos6-action@master
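Review bot: The new `sed -i -e 's/ansible.builtin.//g' */*.yml */*/*.yml` step leaves the dots unescaped, so the pattern matches any character in those two positions rather than the literal prefix; the precise form is `s/ansible\.builtin\.//g`. Because this rewrite only happens inside the CI checkout for the CentOS 6 check, a stray match would break that one job rather than ship, but it is cheap to make exact. The enclosing job definition starts before this hunk.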


@ -1,14 +1,14 @@
---
repos:
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.24.2
rev: v1.26.3
hooks:
- id: yamllint
files: \.(yaml|yml)$
types: [file, yaml]
entry: yamllint --strict
- repo: https://github.com/ansible/ansible-lint.git
rev: v4.3.5
rev: v6.2.2
hooks:
- id: ansible-lint
files: \.(yaml|yml)$


@ -219,7 +219,8 @@ the above list.
### Secondary role variables
These variables are used by the role internals and can be used to override the
defaults that correspond to each supported platform.
defaults that correspond to each supported platform. They are not tested and
generally are not needed as the role will determine them from the OS type.
* `sshd_packages`


@ -1,7 +1,7 @@
---
- name: Reload the SSH service
service:
ansible.builtin.service:
name: "{{ sshd_service }}"
state: reloaded
when:
@ -16,7 +16,7 @@
# Instead, use a dirty shell script:
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
- name: Reload sshd Service (AIX)
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
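Review bot: The pipefail guard in the AIX reload handler, `if set -o | grep pipefail 2>&1 /dev/null ; then`, can never take the branch: `2>&1 /dev/null` does not redirect grep's output, it passes `/dev/null` as a file operand, so grep searches that empty file instead of the piped `set -o` output and `set -o pipefail` is never executed. The intended form is `if set -o | grep -q pipefail >/dev/null 2>&1; then`. The same line recurs in the `Make sure hostkeys are available` task of the install hunk, in the `Backup files` and `Restore backed up files` tasks of the test helpers, and in the `sshd -T (matching)` task of the match test; the shell body of this handler continues past the hunk.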


@ -1,10 +1,11 @@
---
galaxy_info:
role_name: sshd
author: Matt Willsher
description: OpenSSH SSH daemon configuration
company: Willsher Systems
license: LGPLv3
min_ansible_version: 2.9
min_ansible_version: "2.10"
platforms:
- name: Debian
versions:
@ -23,23 +24,23 @@ galaxy_info:
- jammy
- name: FreeBSD
version:
- 10.1
- "10.1"
- name: EL
versions:
- 6
- 7
- 8
- 9
- "6"
- "7"
- "8"
- "9"
- name: Fedora
versions:
- all
- name: OpenBSD
versions:
- 6.0
- "6.0"
- name: AIX
versions:
- 7.1
- 7.2
- "7.1"
- "7.2"
galaxy_tags:
- networking
- system
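Review bot: The FreeBSD platform entry still uses the key `version:` while every other platform in this list uses `versions:`, which is the key Galaxy reads, so the newly quoted `"10.1"` beneath it is probably ignored; the line is context in this hunk but sits directly between the changed lines. Changing it to `versions:` makes the entry consistent with the rest of the list. Worth confirming against a Galaxy import log.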


@ -1,12 +1,12 @@
---
- name: Check the kernel FIPS mode
slurp:
ansible.builtin.slurp:
src: /proc/sys/crypto/fips_enabled
register: __sshd_kernel_fips_mode
failed_when: false
- name: Check the userspace FIPS mode
slurp:
ansible.builtin.slurp:
src: /etc/system-fips
register: __sshd_userspace_fips_mode
failed_when: false


@ -1,16 +1,16 @@
---
- name: OS is supported
meta: end_host
ansible.builtin.meta: end_host
when:
- not __sshd_os_supported|bool
- name: Install ssh packages
package:
ansible.builtin.package:
name: "{{ sshd_packages }}"
state: present
- name: Sysconfig configuration
template:
ansible.builtin.template:
src: sysconfig.j2
dest: "/etc/sysconfig/sshd"
owner: "root"
@ -23,7 +23,7 @@
notify: reload_sshd
- name: Check FIPS mode
include_tasks: check_fips.yml
ansible.builtin.include_tasks: check_fips.yml
when:
- __sshd_hostkeys_nofips | d([])
@ -70,7 +70,7 @@
{% endif %}
block:
- name: Make sure hostkeys are available
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -85,7 +85,7 @@
changed_when: false
- name: Make sure private hostkeys have expected permissions
file:
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ sshd_hostkey_owner }}"
group: "{{ sshd_hostkey_group }}"
@ -97,7 +97,7 @@
<<: *share_vars
block:
- name: Create a temporary hostkey for syntax verification if needed
tempfile:
ansible.builtin.tempfile:
state: directory
register: sshd_test_hostkey
changed_when: false
@ -105,13 +105,13 @@
- __sshd_hostkeys_from_config | from_json == []
- name: Generate temporary hostkey
command: >
ansible.builtin.command: >
ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
changed_when: false
when: sshd_test_hostkey.path is defined
- name: Make sure sshd runtime directory is present
file:
ansible.builtin.file:
path: "{{ __sshd_runtime_directory }}"
state: directory
owner: root
@ -121,29 +121,29 @@
- __sshd_runtime_directory | d(false)
- name: Create the complete configuration file
include_tasks: install_config.yml
ansible.builtin.include_tasks: install_config.yml
when: sshd_config_namespace is none
- name: Update configuration file snippet
include_tasks: install_namespace.yml
ansible.builtin.include_tasks: install_namespace.yml
when: sshd_config_namespace is not none
rescue:
- name: re-raise the error
fail:
ansible.builtin.fail:
msg: "{{ ansible_failed_result }}"
always:
- name: Remove temporary host keys
file:
ansible.builtin.file:
path: "{{ sshd_test_hostkey.path }}"
state: absent
changed_when: false
when: sshd_test_hostkey.path is defined
- name: Install and start systemd service
include_tasks: install_service.yml
ansible.builtin.include_tasks: install_service.yml
- name: Register that this role has run
set_fact:
ansible.builtin.set_fact:
sshd_has_run: true
when: sshd_has_run is not defined


@ -1,6 +1,6 @@
---
- name: Create the complete configuration file
template:
ansible.builtin.template:
src: sshd_config.j2
dest: "{{ sshd_config_file }}"
owner: "{{ sshd_config_owner }}"
@ -16,7 +16,7 @@
notify: reload_sshd
- name: Make sure the include path is present in the main sshd_config
lineinfile:
ansible.builtin.lineinfile:
insertbefore: BOF
line: "Include {{ __sshd_defaults['Include'] }}"
path: "{{ __sshd_main_config_file }}"


@ -2,7 +2,7 @@
- name: Update configuration file snippet
vars:
sshd_skip_defaults: true
blockinfile:
ansible.builtin.blockinfile:
path: "{{ sshd_config_file }}"
owner: "{{ sshd_config_owner }}"
group: "{{ sshd_config_group }}"


@ -2,7 +2,7 @@
- name: Install systemd service files
block:
- name: Install service unit file
template:
ansible.builtin.template:
src: "{{ sshd_service_template_service }}"
dest: "/etc/systemd/system/{{ sshd_service }}.service"
owner: root
@ -10,7 +10,7 @@
mode: "0644"
notify: reload_sshd
- name: Install instanced service unit file
template:
ansible.builtin.template:
src: "{{ sshd_service_template_at_service }}"
dest: "/etc/systemd/system/{{ sshd_service }}@.service"
owner: root
@ -18,7 +18,7 @@
mode: "0644"
notify: reload_sshd
- name: Install socket unit file
template:
ansible.builtin.template:
src: "{{ sshd_service_template_socket }}"
dest: "/etc/systemd/system/{{ sshd_service }}.socket"
owner: root
@ -28,7 +28,7 @@
when: sshd_install_service|bool
- name: Service enabled and running
service:
ansible.builtin.service:
name: "{{ sshd_service }}"
enabled: true
state: started
@ -39,7 +39,7 @@
# Due to ansible bug 21026, cannot use service module on RHEL 7
- name: Enable service in chroot
command: systemctl enable {{ sshd_service }} # noqa 303
ansible.builtin.command: systemctl enable {{ sshd_service }} # noqa 303
when:
- ansible_connection == 'chroot'
- ansible_os_family == 'RedHat'
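Review bot: The rewritten `ansible.builtin.command: systemctl enable {{ sshd_service }} # noqa 303` keeps a numeric rule id, yet the same PR bumps the pre-commit hook to ansible-lint v6.2.2, which as far as I recall reports rules by name only; if so the suppression silently stops applying and the named form `# noqa command-instead-of-module` is needed. The `'106'` and `'306'` entries in the lint config's `warn_list` hunk would have the same problem (`role-name` and `risky-shell-pipe` respectively). Please confirm against the lint output of the CI run. The `when:` list of this task continues past the hunk.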


@ -1,4 +1,4 @@
---
- include_tasks: sshd.yml
- ansible.builtin.include_tasks: sshd.yml
when: sshd_enable|bool


@ -1,9 +1,9 @@
---
- name: Ensure ansible_facts used by role
setup:
ansible.builtin.setup:
gather_subset: min
when: not ansible_facts.keys() | list |
intersect(__sshd_required_facts) == __sshd_required_facts
- name: Include common vars
include_vars: vars/common.yml
ansible.builtin.include_vars: vars/common.yml


@ -1,9 +1,9 @@
---
- name: Set common variables and ensure basic facts are gathered
include_tasks: set_common_vars.yml
ansible.builtin.include_tasks: set_common_vars.yml
- name: Set platform/version specific variables
include_tasks: variables.yml
ansible.builtin.include_tasks: variables.yml
- name: Execute the actual role tasks
include_tasks: install.yml
ansible.builtin.include_tasks: install.yml


@ -1,9 +1,9 @@
---
- name: Set common vars
include_vars: vars/common.yml
ansible.builtin.include_vars: vars/common.yml
- name: Set OS dependent variables
include_vars: "{{ lookup('first_found', params) }}"
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
ansible_distribution_lts_offset: >-
{{


@ -1,9 +1,9 @@
---
- name: Setup
include_tasks: setup.yml
ansible.builtin.include_tasks: setup.yml
- name: Create a temporary directory for backup files
tempfile:
ansible.builtin.tempfile:
state: directory
register: __sshd_test_backup
changed_when: false
@ -11,7 +11,7 @@
- sshd_test_backup_skip is not defined
- name: Backup files
shell: |
ansible.builtin.shell: |
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi


@ -1,6 +1,6 @@
---
- name: Restore backed up files and remove what was not present
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -17,7 +17,7 @@
- __sshd_test_backup.path is defined
- name: Remove temporary directory for backup files
file:
ansible.builtin.file:
path: "{{ __sshd_test_backup.path }}"
state: absent
changed_when: false
@ -26,13 +26,13 @@
- __sshd_test_backup.path is defined
- name: Include common variables
include_role:
ansible.builtin.include_role:
name: ansible-sshd
tasks_from: set_common_vars.yml
public: true
- name: Restart sshd service
service:
ansible.builtin.service:
name: sshd
state: reloaded
changed_when: false


@ -1,11 +1,11 @@
---
- name: Make sure openssh is installed before creating backup
package:
ansible.builtin.package:
name: openssh-server
state: present
- name: Make sure openssh has runtime directory on debian
file:
ansible.builtin.file:
path: /run/sshd
state: directory
owner: root
@ -15,13 +15,13 @@
- ansible_facts['os_family'] == 'Debian'
- name: Define common variables
set_fact:
ansible.builtin.set_fact:
main_sshd_config: /etc/ssh/sshd_config
main_sshd_config_name: sshd_config
main_sshd_config_path: /etc/ssh/
- name: Define specific variables
set_fact:
ansible.builtin.set_fact:
main_sshd_config: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
main_sshd_config_name: 00-ansible_system_role.conf
main_sshd_config_path: /etc/ssh/sshd_config.d/


@ -9,14 +9,14 @@
- /tmp/ssh_host_ecdsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Ensure group 'nobody' exists
group:
ansible.builtin.group:
name: nobody
- name: Ensure the user 'nobody' exists
user:
ansible.builtin.user:
name: nobody
group: nobody
comment: nobody
@ -24,7 +24,7 @@
shell: /sbin/nologin
- name: Configure alternative sshd_config file
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
# just anything -- will not get processed by sshd
@ -36,10 +36,10 @@
AcceptEnv: LANG
Banner: /etc/issue
Ciphers: aes256-ctr
sshd_Compression: no
sshd_Compression: no # noqa var-naming
- name: Configure second alternative sshd_config file
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
# just anything -- will not get processed by sshd
@ -48,10 +48,10 @@
sshd:
Banner: /etc/issue2
Ciphers: aes128-ctr
sshd_MaxStartups: 100
sshd_MaxStartups: 100 # noqa var-naming
- name: Now configure the main sshd_config file
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_config_file: /etc/ssh/sshd_config
@ -60,34 +60,35 @@
Ciphers: aes192-ctr
HostKey:
- /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no
sshd_PasswordAuthentication: no # noqa var-naming
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom
register: config
- name: Get stat of the configuration file
stat:
ansible.builtin.stat:
path: /etc/ssh/sshd_config_custom
register: config_stat
- name: Print second configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom_second
register: config2
- name: Print the main configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config
register: config3
- name: Check content of first configuration file
assert:
ansible.builtin.assert:
that:
- "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode"
@ -95,7 +96,7 @@
- "'Compression no' in config.content | b64decode"
- name: Check Fedora/RHEL9+ defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -104,7 +105,7 @@
- ansible_facts['distribution_major_version']|int > 8
- name: Check RHEL7 and RHEL8 defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'X11Forwarding yes' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -115,7 +116,7 @@
- ansible_facts['distribution_major_version']|int < 9
- name: Check RHEL6 defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'Protocol 2' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode"
@ -124,7 +125,7 @@
- ansible_facts['distribution_major_version'] == '6'
- name: Check Debian defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'PrintMotd no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode"
@ -133,7 +134,7 @@
- ansible_facts['distribution_major_version']|int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
@ -143,7 +144,7 @@
- ansible_facts['distribution_major_version']|int >= 22
- name: Check content of second configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/issue2' in config2.content | b64decode"
- "'Ciphers aes128-ctr' in config2.content | b64decode"
@ -152,7 +153,7 @@
- "'Compression no' not in config2.content | b64decode"
- name: Check content of the main configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/issue' in config3.content | b64decode"
- "'Ciphers aes192-ctr' in config3.content | b64decode"
@ -162,7 +163,7 @@
- "'Compression no' not in config3.content | b64decode"
- name: Check the main configuration file contains some default values for RHEL 9 or Fedora
assert:
ansible.builtin.assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode"
@ -172,7 +173,7 @@
- ansible_facts['distribution_major_version']|int > 8
- name: Check the generated config has requested properties
assert:
ansible.builtin.assert:
that:
- config_stat.stat.exists
- config_stat.stat.gr_name == 'nobody'
@ -181,4 +182,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -9,14 +9,14 @@
- /tmp/ssh_host_ecdsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Ensure group 'nobody' exists
group:
ansible.builtin.group:
name: nobody
- name: Ensure the user 'nobody' exists
user:
ansible.builtin.user:
name: nobody
group: nobody
comment: nobody
@ -37,7 +37,7 @@
AcceptEnv: LANG
Banner: /etc/issue
Ciphers: aes256-ctr
sshd_Compression: no
sshd_Compression: no # noqa var-naming
# Configure second alternative sshd_config file
- hosts: all
@ -50,7 +50,7 @@
sshd:
Banner: /etc/issue2
Ciphers: aes128-ctr
sshd_MaxStartups: 100
sshd_MaxStartups: 100 # noqa var-naming
# Now configure the main sshd_config file
- hosts: all
@ -63,7 +63,7 @@
Ciphers: aes192-ctr
HostKey:
- /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no
sshd_PasswordAuthentication: no # noqa var-naming
- hosts: all
vars:
@ -78,30 +78,31 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom
register: config
- name: Get stat of the configuration file
stat:
ansible.builtin.stat:
path: /etc/ssh/sshd_config_custom
register: config_stat
- name: Print second configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom_second
register: config2
- name: Print the main configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config
register: config3
- name: Check content of first configuration file
assert:
ansible.builtin.assert:
that:
- "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode"
@ -109,7 +110,7 @@
- "'Compression no' in config.content | b64decode"
- name: Check Fedora/RHEL9+ defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -118,7 +119,7 @@
- ansible_facts['distribution_major_version']|int > 8
- name: Check RHEL7 and RHEL8 defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'X11Forwarding yes' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -129,7 +130,7 @@
- ansible_facts['distribution_major_version']|int < 9
- name: Check RHEL6 defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'Protocol 2' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode"
@ -138,7 +139,7 @@
- ansible_facts['distribution_major_version'] == '6'
- name: Check Debian defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'PrintMotd no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode"
@ -147,7 +148,7 @@
- ansible_facts['distribution_major_version']|int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file
assert:
ansible.builtin.assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
@ -158,7 +159,7 @@
- name: Check content of second configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/issue2' in config2.content | b64decode"
- "'Ciphers aes128-ctr' in config2.content | b64decode"
@ -167,7 +168,7 @@
- "'Compression no' not in config2.content | b64decode"
- name: Check content of the main configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/issue' in config3.content | b64decode"
- "'Ciphers aes192-ctr' in config3.content | b64decode"
@ -177,7 +178,7 @@
- "'Compression no' not in config3.content | b64decode"
- name: Check the main configuration file contains some default values for RHEL 9 or Fedora
assert:
ansible.builtin.assert:
that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode"
@ -187,7 +188,7 @@
- ansible_facts['distribution_major_version']|int > 8
- name: Check the generated config has requested properties
assert:
ansible.builtin.assert:
that:
- config_stat.stat.exists
- config_stat.stat.gr_name == 'nobody'
@ -196,4 +197,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -6,50 +6,50 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: Backup configuration files
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Find old backups files
find:
ansible.builtin.find:
paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config_name }}.*@*~"
register: backup_files
- name: Remove old backup files
file:
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
with_items: "{{ backup_files.files }}"
- name: Configure sshd without creating backup
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_backup: false
- name: Find new backups files
find:
ansible.builtin.find:
paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config_name }}.*@*~"
register: no_backup
- name: Configure sshd again with different configuration and with backup
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_Banner: /tmp/banner
sshd_Banner: /tmp/banner # noqa var-naming
register: second_run
- name: Find new backups files
find:
ansible.builtin.find:
paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config_name }}.*@*~"
register: new_backup
- name: Verify the backup was not done in the first attempt, but in the second one
assert:
ansible.builtin.assert:
that:
- no_backup.files == []
- new_backup.files != []
- name: Restore configuration files
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -7,10 +7,10 @@
- /etc/ssh/ssh_host_rsa_key.pub
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Add configuration block to default configuration file
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_config_file: /etc/ssh/sshd_config
@ -23,7 +23,7 @@
AllowAgentForwarding: no
- name: Add second configuration block to default configuration file
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_config_file: /etc/ssh/sshd_config
@ -37,15 +37,16 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config
register: config
- name: List effective configuration using sshd -T (matching)
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -55,13 +56,15 @@
fi
sshd -T -Cuser=root,host=localhost,addr=127.0.0.1
register: runtime
changed_when: false
- name: List effective configuration using sshd -T (non-matching)
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
register: nonmatching
changed_when: false
- name: Check content of configuration file (blocks)
assert:
ansible.builtin.assert:
that:
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
@ -69,7 +72,7 @@
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
- name: Check content of configuration file (blocks for RHEL 6)
assert:
ansible.builtin.assert:
that:
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
@ -78,7 +81,7 @@
- ansible_facts['distribution_major_version'] == '6'
- name: Check content of configuration file
assert:
ansible.builtin.assert:
that:
- "'PermitRootLogin yes' in config.content | b64decode"
- "'PasswordAuthentication yes' in config.content | b64decode"
@ -93,7 +96,7 @@
- name: Check the configuration values are effective
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'permitrootlogin yes' in runtime.stdout"
- "'allowagentforwarding no' in runtime.stdout"
@ -102,7 +105,7 @@
- name: Check the configuration values are not effective for non-matching connection
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'permitrootlogin yes' in runtime.stdout"
- "'allowAgentforwarding no' not in nonmatching.stdout"
@ -111,4 +114,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml
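Review bot: In `Check the configuration values are not effective for non-matching connection`, the negative assertion `'allowAgentforwarding no' not in nonmatching.stdout` is vacuous: `sshd -T` prints option names in lower case (as the comment above the task says and as the positive check `'allowagentforwarding no' in runtime.stdout` relies on), so the mixed-case string can never appear and the assertion cannot fail. It should read `- "'allowagentforwarding no' not in nonmatching.stdout"`. The line before it checks `runtime.stdout` rather than `nonmatching.stdout`, which may be a deliberate sanity check but reads like a copy of the previous task; the `that:` list continues past the hunk.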


@ -6,7 +6,7 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- hosts: all
roles:
@ -19,4 +19,4 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -6,11 +6,11 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: "Configure sshd"
include_role:
ansible.builtin.include_role:
name: ansible-sshd
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -7,19 +7,19 @@
- /tmp/ssh_host_rsa_key2
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove host key before the test
file:
ansible.builtin.file:
path: /tmp/ssh_host_rsa_key2
state: absent
- name: Ensure group 'nobody' exists
group:
ansible.builtin.group:
name: nobody
- name: Ensure the user 'nobody' exists
user:
ansible.builtin.user:
name: nobody
group: nobody
comment: nobody
@ -27,7 +27,7 @@
shell: /sbin/nologin
- name: Configure sshd with alternative host keys
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
# very BAD example
@ -40,30 +40,31 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Get stat of private key
stat:
ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2
register: privkey
- name: Get stat of public key
stat:
ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2.pub
register: pubkey
- name: Check the options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
- name: Check the generated host key has requested properties
assert:
ansible.builtin.assert:
that:
- privkey.stat.exists
- privkey.stat.gr_name == 'nobody'
@ -73,4 +74,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -9,33 +9,34 @@
- /etc/system-fips
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Run the role with default parameters without FIPS mode
include_role:
ansible.builtin.include_role:
name: ansible-sshd
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Get stat of private key
stat:
ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key
register: privkey
- name: Get stat of public key
stat:
ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key.pub
register: pubkey
- name: Check the key is in configuration file (without include)
assert:
ansible.builtin.assert:
that:
- "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
when:
@ -43,7 +44,7 @@
- ansible_facts['distribution_major_version']|int < 9
- name: Check host key was generated
assert:
ansible.builtin.assert:
that:
- privkey.stat.exists
- pubkey.stat.exists
@ -55,22 +56,24 @@
- name: Fake FIPS mode
block:
- name: Create temporary directory
tempfile:
ansible.builtin.tempfile:
state: directory
register: fips_directory
- name: Create a /etc/system-fips
copy:
ansible.builtin.copy:
dest: /etc/system-fips
content: userspace fips
mode: "0644"
- name: Create a fips_enabled file
copy:
ansible.builtin.copy:
dest: "{{ fips_directory.path }}/fips_enabled"
content: 1
mode: "0644"
- name: Bind mount the file where we need it
mount:
ansible.builtin.mount:
path: /proc/sys/crypto/fips_enabled
src: "{{ fips_directory.path }}/fips_enabled"
opts: bind
@ -79,47 +82,48 @@
failed_when: false
- name: Remove the Ed25519 hostkey
file:
ansible.builtin.file:
path:
/etc/ssh/ssh_host_ed25519_key
state: absent
- name: Remove the Ed25519 pubkey
file:
ansible.builtin.file:
path:
/etc/ssh/ssh_host_ed25519_key.pub
state: absent
- name: Run the role with default parameters
include_role:
ansible.builtin.include_role:
name: ansible-sshd
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Get stat of private key
stat:
ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key
register: privkey
- name: Get stat of public key
stat:
ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key.pub
register: pubkey
- name: Check the key is not in configuration file
assert:
ansible.builtin.assert:
that:
- "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
- name: Check no host key was generated
assert:
ansible.builtin.assert:
that:
- not privkey.stat.exists
- not pubkey.stat.exists
@ -137,9 +141,9 @@
failed_when: false
- name: Remove the temporary directory
file:
ansible.builtin.file:
path: "{{ fips_directory.path }}"
state: absent
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml
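Review bot: The `Bind mount the file where we need it` task appears to carry `failed_when: false` (the first line of the following hunk), so when the bind mount over `/proc/sys/crypto/fips_enabled` is refused, as it commonly is in containers, the "Fake FIPS mode" block continues and the later `Check the key is not in configuration file` and `Check no host key was generated` assertions exercise the non-FIPS path against FIPS expectations, producing a confusing failure rather than a clear one. Registering the mount result and following it with `ansible.builtin.assert` (or a `meta: end_host` when it fails) would make the precondition explicit. Separately, `content: 1` for the fake fips_enabled file is a YAML integer; quoting it as `"1"` (the real file reads `1\n`) documents the intent. The mount task's remaining lines fall between the two hunks.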


@ -7,12 +7,12 @@
- /tmp/missing_ssh_host_rsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with missing host keys and prevent their creation
block:
- name: Configure missing hostkey
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_verify_hostkeys: []
@ -22,12 +22,12 @@
register: role_result
- name: unreachable task
fail:
ansible.builtin.fail:
msg: UNREACH
rescue:
- name: Check that we failed in the role
assert:
ansible.builtin.assert:
that:
- ansible_failed_result.msg != 'UNREACH'
- not role_result.changed
@ -38,7 +38,7 @@
tags: tests::verify
- name: Make sure the key was not created
file:
ansible.builtin.file:
path: /tmp/missing_ssh_host_rsa_key
state: absent
register: key
@ -46,7 +46,7 @@
tags: tests::verify
- name: Make sure service is still running
service:
ansible.builtin.service:
name: sshd
state: started
register: result
@ -56,4 +56,4 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -7,19 +7,19 @@
- /tmp/ssh_host_rsa_key2
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove host key before the test
file:
ansible.builtin.file:
path: /tmp/ssh_host_rsa_key2
state: absent
- name: Ensure group 'nobody' exists
group:
ansible.builtin.group:
name: nobody
- name: Ensure the user 'nobody' exists
user:
ansible.builtin.user:
name: nobody
group: nobody
comment: nobody
@ -47,34 +47,35 @@
- /tmp/ssh_host_rsa_key2
tasks:
- name: Setup variables
include_tasks: tasks/setup.yml
ansible.builtin.include_tasks: tasks/setup.yml
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush metadata
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Get stat of private key
stat:
ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2
register: privkey
- name: Get stat of public key
stat:
ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2.pub
register: pubkey
- name: Check the options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
- name: Check the generated host key has requested properties
assert:
ansible.builtin.assert:
that:
- privkey.stat.exists
- privkey.stat.gr_name == 'nobody'
@ -84,4 +85,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml
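Review bot: The fixture under `Ensure the user 'nobody' exists` alters a system account instead of creating a test-specific one: `ansible.builtin.user` with `name: nobody`, `group: nobody` and `comment: nobody` will, on hosts where `nobody` already exists with a different primary group (Debian-family hosts typically use `nogroup`), rewrite the real account's primary group and GECOS, and the restore step at the end of this playbook only covers the listed configuration files. If the `privkey.stat.gr_name == 'nobody'` assertion is the only reason the group is needed, a dedicated test user and group created and removed by the playbook would avoid touching the system account; the `user` task continues past the hunk boundary, so there may be parameters I cannot see. Separately, the task name `Flush metadata` on the `ansible.builtin.meta: flush_handlers` step in this section, and again in the later host-key playbook that carries the `# noqa var-naming` task, is a misnomer — every other playbook in this commit names the same step `Flush handlers`; renaming it keeps the step greppable across the test suite.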


@ -7,10 +7,10 @@
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove include directory from the main config file
lineinfile:
ansible.builtin.lineinfile:
path: "/etc/ssh/sshd_config"
regexp: "^Include"
state: absent
@ -19,7 +19,7 @@
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
- name: Create a new configuration in drop-in directory
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
@ -32,20 +32,21 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print drop-in configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
register: config
- name: Print the main configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config
register: config_main
- name: Check content of drop-in configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/include-issue' in config.content | b64decode"
- "'Ciphers aes192-ctr' in config.content | b64decode"
@ -54,20 +55,20 @@
- "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode"
- name: Check common content of the main configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/include-issue' not in config_main.content | b64decode"
- "'Ciphers aes192-ctr' not in config_main.content | b64decode"
- "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
- name: Check RHEL content of the main configuration file
assert:
ansible.builtin.assert:
that:
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
when: ansible_facts['os_family'] == 'RedHat'
- name: Check Ubuntu content of the main configuration file
assert:
ansible.builtin.assert:
that:
- "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode"
when: ansible_facts['os_family'] == 'Ubuntu'
@ -79,4 +80,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with simple config options
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd:
@ -21,15 +21,16 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Check the options are correctly indented in configuration file
assert:
ansible.builtin.assert:
that:
- "config.content | b64decode | regex_search('^PasswordAuthentication yes$', multiline=True)"
- "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
@ -38,4 +39,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
# For Fedora containers, we need to make sure we have keys for sshd -T below
@ -35,32 +35,37 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T for xusers
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
register: xusers_effective
changed_when: false
- name: List effective configuration using sshd -T for bot
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
register: bot_effective
changed_when: false
- name: List effective configuration using sshd -T for sftponly
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
register: sftponly_effective
changed_when: false
- name: List effective configuration using sshd -T for root
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
register: root_effective
changed_when: false
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Check the options are effective
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'x11forwarding yes' in xusers_effective.stdout"
- "'banner /tmp/xusers-banner' in xusers_effective.stdout"
@ -72,7 +77,7 @@
- "'allowtcpforwarding yes' in root_effective.stdout"
- name: Check the options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'Match User xusers' in config.content | b64decode"
- "'Match User bot' in config.content | b64decode"
@ -81,4 +86,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
# For Fedora containers, we need to make sure we have keys for sshd -T below
@ -33,32 +33,37 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T for xusers
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
register: xusers_effective
changed_when: false
- name: List effective configuration using sshd -T for bot
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
register: bot_effective
changed_when: false
- name: List effective configuration using sshd -T for sftponly
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
register: sftponly_effective
changed_when: false
- name: List effective configuration using sshd -T for root
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
register: root_effective
changed_when: false
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Check the options are effective
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'x11forwarding yes' in xusers_effective.stdout"
- "'banner /tmp/xusers-banner' in xusers_effective.stdout"
@ -70,7 +75,7 @@
- "'allowtcpforwarding yes' in root_effective.stdout"
- name: Check the options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'Match User xusers' in config.content | b64decode"
- "'Match User bot' in config.content | b64decode"
@ -79,4 +84,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -9,10 +9,10 @@
tasks:
- name: Backup configuration files
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Show effective configuration before running role (system defaults)
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -25,16 +25,16 @@
changed_when: false
- name: Configure sshd
include_role:
ansible.builtin.include_role:
name: ansible-sshd
- name: Show effective configuration after running role (role defaults)
command: sshd -T
ansible.builtin.command: sshd -T
register: runtime_after
changed_when: false
- name: Check that the effective configuration did not change from OS defaults
assert:
ansible.builtin.assert:
that:
- runtime_before.stdout == runtime_after.stdout
when:
@ -42,4 +42,4 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Restore configuration files
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml
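Review bot: The pipefail probe in the `Show effective configuration before running role` shell task never enables pipefail: `grep pipefail 2>&1 /dev/null` redirects stderr to stdout and hands `/dev/null` to grep as a file operand, so grep reads `/dev/null` instead of the pipe, exits 1, and the `set -o pipefail` branch is skipped on every shell. The intended form is `if set -o | grep pipefail >/dev/null 2>&1 ; then`. The same probe is copied verbatim into the `Print effective configuration` task of the role-disabled playbook and into both `Evaluate sysconfig` tasks of the sysconfig playbook later in this commit, so all four should be fixed together. The body of the script, and therefore which pipeline the guard was meant to protect, continues outside the hunk.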


@ -7,15 +7,15 @@
- /tmp/ssh_host_rsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove host key before the test
file:
ansible.builtin.file:
path: /tmp/ssh_host_rsa_key
state: absent
- name: Configure sshd
include_role:
- name: Configure sshd # noqa var-naming
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd:
@ -28,27 +28,29 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush metadata
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T
command: sshd -T
ansible.builtin.command: sshd -T
register: runtime
changed_when: false
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: "{{ main_sshd_config }}"
register: config
- name: Check the sshd_* values are effective in runtime
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'banner /etc/good-issue' in runtime.stdout"
- "'ciphers aes128-ctr' in runtime.stdout"
- "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout"
- name: Check the options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'Banner /etc/good-issue' in config.content | b64decode"
- "'Ciphers aes128-ctr' in config.content | b64decode"
@ -56,4 +58,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml
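Review bot: The `# noqa var-naming` added on the `Configure sshd` task carries no reason, and the sibling playbooks in this commit that pass the same `vars: sshd:` mapping to `ansible.builtin.include_role` (the simple-config playbook and the `AcceptEnv`/`Banner` playbook) have no suppression, so it is not clear what differs here; the `vars` mapping continues past the hunk, so the key that trips the rule is not visible. A one-line comment above the task naming the offending key and why it must keep its spelling would let a later maintainer decide whether the suppression is still needed once ansible-lint is bumped again, rather than carrying it forward blindly.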


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd:
@ -21,20 +21,22 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T
command: sshd -T
ansible.builtin.command: sshd -T
register: runtime
changed_when: false
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config
register: config
- name: Check the options are effective
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'acceptenv LANG' in runtime.stdout"
- "'banner /etc/issue' in runtime.stdout"
@ -42,7 +44,7 @@
- "'subsystem sftp internal-sftp' in runtime.stdout"
- name: Check the options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode"
@ -51,4 +53,4 @@
tags: tests::verify
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -6,12 +6,12 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with uncommon options, making sure it keeps running
block:
- name: Configure ssh with unsupported options
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd:
@ -39,11 +39,11 @@
register: role_result
- name: unreachable task
fail:
ansible.builtin.fail:
msg: UNREACH
rescue:
- name: Check that we failed in the role
assert:
ansible.builtin.assert:
that:
- ansible_failed_result.msg != 'UNREACH'
- not role_result.changed
@ -52,7 +52,7 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Make sure service is still running
service:
ansible.builtin.service:
name: sshd
state: started
register: result
@ -62,4 +62,4 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml


@ -8,10 +8,10 @@
- /etc/ssh/ssh_host_rsa_key.pub
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with the role disabled
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_enable: false
@ -22,12 +22,12 @@
sshd_config_file: /etc/ssh/sshd_config
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: /etc/ssh/sshd_config
register: config
- name: Print effective configuration
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -41,7 +41,7 @@
- name: Check the options were not applied
# note, the options are in lower-case here
assert:
ansible.builtin.assert:
that:
- "'Acceptenv XDG_*' not in config.content | b64decode"
- "'Banner /etc/issue' not in config.content | b64decode"
@ -51,4 +51,4 @@
- "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout"
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml
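Review bot: The first assertion in `Check the options were not applied`, `'Acceptenv XDG_*' not in config.content | b64decode`, is vacuous: the sshd directive is spelled `AcceptEnv` (the `'AcceptEnv LANG' in config.content` check elsewhere in this commit uses that spelling), so the negative check passes even if the role did write the option. Change it to `- "'AcceptEnv XDG_*' not in config.content | b64decode"` so this playbook actually fails when `sshd_enable: false` is not honoured — it is the regression guard for the role leaving a host untouched. The remaining assertions of that task, and the `Print effective configuration` script body, are outside the hunk and should be checked for the same spelling.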


@ -7,10 +7,10 @@
- /etc/sysconfig/sshd
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd
include_role:
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_sysconfig: true
@ -19,15 +19,16 @@
- name: Verify the options are correctly set
block:
- meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file
slurp:
ansible.builtin.slurp:
src: /etc/sysconfig/sshd
register: config
- name: Evaluate sysconfig similarly as systemd
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -39,7 +40,7 @@
changed_when: false
- name: Evaluate sysconfig similarly as systemd on RHEL 8
shell: |
ansible.builtin.shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
@ -55,7 +56,7 @@
- ansible_facts['distribution_major_version'] == "8"
- name: Check the crypto policies is overridden in RHEL 8
assert:
ansible.builtin.assert:
that:
- "'CRYPTO_POLICY=' in config.content | b64decode"
# these are string variants in default configuration file
@ -66,7 +67,7 @@
- ansible_facts['distribution_major_version'] == "8"
- name: Check the RNG options are in configuration file
assert:
ansible.builtin.assert:
that:
- "'SSH_USE_STRONG_RNG=32' in config.content | b64decode"
# these are string variants in default configuration file
@ -80,4 +81,4 @@
- ansible_facts['distribution_major_version']|int < 9
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
ansible.builtin.include_tasks: tasks/restore.yml