Merge pull request #189 from willshersystems/docs-update
commit
e45987e3c7
38 changed files with 302 additions and 273 deletions
|
@ -1,6 +1,4 @@
|
|||
warn_list: # or 'skip_list' to silence them completely
|
||||
- '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern
|
||||
- '306' # Shells that use pipes should set the pipefail option
|
||||
- 'fqcn-builtins' # this is not compatible with ansible 2.6 on RHEL6
|
||||
exclude_paths:
|
||||
- tests/roles/
|
||||
|
|
.github/workflows/ansible-centos-check.yml
|
@ -11,6 +11,7 @@ jobs:
|
|||
# Workaround missing support for end_host in old ansible
|
||||
- run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml"
|
||||
- run: "sed -i -e 's/.*public: true//' tests/tasks/restore.yml"
|
||||
- run: "sed -i -e 's/ansible.builtin.//g' */*.yml */*/*.yml"
|
||||
|
||||
- name: ansible check with centos 6
|
||||
uses: roles-ansible/check-ansible-centos-centos6-action@master
|
||||
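Review bot: The new sed step `s/ansible.builtin.//g` leaves the dots unescaped, so each dot matches any character; `sed -i -e 's/ansible\.builtin\.//g' */*.yml */*/*.yml` says what is meant. The step also carries no explanation, unlike the end_host workaround above it; `# Old ansible on CentOS 6 cannot resolve ansible.builtin.* FQCNs, strip them back to short module names` would give the reason, consistent with the remark kept in .ansible-lint. Note that the globs `*/*.yml */*/*.yml` only reach two directory levels, so a YAML file added later at the top level or deeper would not be rewritten and the job would fail on the FQCN.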
|
|
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
repos:
|
||||
- repo: https://github.com/adrienverge/yamllint.git
|
||||
rev: v1.24.2
|
||||
rev: v1.26.3
|
||||
hooks:
|
||||
- id: yamllint
|
||||
files: \.(yaml|yml)$
|
||||
types: [file, yaml]
|
||||
entry: yamllint --strict
|
||||
- repo: https://github.com/ansible/ansible-lint.git
|
||||
rev: v4.3.5
|
||||
rev: v6.2.2
|
||||
hooks:
|
||||
- id: ansible-lint
|
||||
files: \.(yaml|yml)$
|
||||
|
|
|
@ -219,7 +219,8 @@ the above list.
|
|||
### Secondary role variables
|
||||
|
||||
These variables are used by the role internals and can be used to override the
|
||||
defaults that correspond to each supported platform.
|
||||
defaults that correspond to each supported platform. They are not tested and
|
||||
generally are not needed as the role will determine them from the OS type.
|
||||
|
||||
* `sshd_packages`
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Reload the SSH service
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: "{{ sshd_service }}"
|
||||
state: reloaded
|
||||
when:
|
||||
|
@ -16,7 +16,7 @@
|
|||
# Instead, use a dirty shell script:
|
||||
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
|
||||
- name: Reload sshd Service (AIX)
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
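Review bot: In the AIX reload handler the test `if set -o | grep pipefail 2>&1 /dev/null ; then` does not redirect grep's output; `/dev/null` becomes the file grep searches, stdin from `set -o` is ignored, the match never happens, and `set -o pipefail` is never enabled, so a failure on the left side of any later pipeline in the script is masked. The intended line is `if set -o | grep pipefail >/dev/null 2>&1 ; then`. The same construct appears in tasks/install.yml (the hostkey check), tests/tasks/backup.yml, tests/tasks/restore.yml and tests/tests_match.yml. The shell script continues outside this hunk.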
|
|
|
@ -1,10 +1,11 @@
|
|||
---
|
||||
galaxy_info:
|
||||
role_name: sshd
|
||||
author: Matt Willsher
|
||||
description: OpenSSH SSH daemon configuration
|
||||
company: Willsher Systems
|
||||
license: LGPLv3
|
||||
min_ansible_version: 2.9
|
||||
min_ansible_version: "2.10"
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
|
@ -23,23 +24,23 @@ galaxy_info:
|
|||
- jammy
|
||||
- name: FreeBSD
|
||||
version:
|
||||
- 10.1
|
||||
- "10.1"
|
||||
- name: EL
|
||||
versions:
|
||||
- 6
|
||||
- 7
|
||||
- 8
|
||||
- 9
|
||||
- "6"
|
||||
- "7"
|
||||
- "8"
|
||||
- "9"
|
||||
- name: Fedora
|
||||
versions:
|
||||
- all
|
||||
- name: OpenBSD
|
||||
versions:
|
||||
- 6.0
|
||||
- "6.0"
|
||||
- name: AIX
|
||||
versions:
|
||||
- 7.1
|
||||
- 7.2
|
||||
- "7.1"
|
||||
- "7.2"
|
||||
galaxy_tags:
|
||||
- networking
|
||||
- system
|
||||
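Review bot: Under the FreeBSD platform the key is `version:` while every other platform entry uses `versions:`; this looks like a typo in the Galaxy metadata, and the hunk that quotes `"10.1"` is the natural place to change it to `versions:`. Quoting the version numbers and `min_ansible_version: "2.10"` is the right call, since an unquoted `2.10` parses as the float 2.1.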
|
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
- name: Check the kernel FIPS mode
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /proc/sys/crypto/fips_enabled
|
||||
register: __sshd_kernel_fips_mode
|
||||
failed_when: false
|
||||
|
||||
- name: Check the userspace FIPS mode
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/system-fips
|
||||
register: __sshd_userspace_fips_mode
|
||||
failed_when: false
|
||||
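Review bot: Both slurp tasks set `failed_when: false`, so an unreadable /proc/sys/crypto/fips_enabled or /etc/system-fips is indistinguishable from an absent one and the registered result may carry no `content` at all; the consumer of `__sshd_kernel_fips_mode` and `__sshd_userspace_fips_mode` is outside this diff, so I cannot confirm it handles that case. A comment at the top of the file, `# A missing or unreadable file is treated as FIPS disabled; readers must test .content is defined before decoding`, would make the fail-open behaviour explicit for the next maintainer.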
|
|
|
@ -1,16 +1,16 @@
|
|||
---
|
||||
- name: OS is supported
|
||||
meta: end_host
|
||||
ansible.builtin.meta: end_host
|
||||
when:
|
||||
- not __sshd_os_supported|bool
|
||||
|
||||
- name: Install ssh packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: "{{ sshd_packages }}"
|
||||
state: present
|
||||
|
||||
- name: Sysconfig configuration
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: sysconfig.j2
|
||||
dest: "/etc/sysconfig/sshd"
|
||||
owner: "root"
|
||||
|
@ -23,7 +23,7 @@
|
|||
notify: reload_sshd
|
||||
|
||||
- name: Check FIPS mode
|
||||
include_tasks: check_fips.yml
|
||||
ansible.builtin.include_tasks: check_fips.yml
|
||||
when:
|
||||
- __sshd_hostkeys_nofips | d([])
|
||||
|
||||
|
@ -70,7 +70,7 @@
|
|||
{% endif %}
|
||||
block:
|
||||
- name: Make sure hostkeys are available
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -85,7 +85,7 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Make sure private hostkeys have expected permissions
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
owner: "{{ sshd_hostkey_owner }}"
|
||||
group: "{{ sshd_hostkey_group }}"
|
||||
|
@ -97,7 +97,7 @@
|
|||
<<: *share_vars
|
||||
block:
|
||||
- name: Create a temporary hostkey for syntax verification if needed
|
||||
tempfile:
|
||||
ansible.builtin.tempfile:
|
||||
state: directory
|
||||
register: sshd_test_hostkey
|
||||
changed_when: false
|
||||
|
@ -105,13 +105,13 @@
|
|||
- __sshd_hostkeys_from_config | from_json == []
|
||||
|
||||
- name: Generate temporary hostkey
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
|
||||
changed_when: false
|
||||
when: sshd_test_hostkey.path is defined
|
||||
|
||||
- name: Make sure sshd runtime directory is present
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ __sshd_runtime_directory }}"
|
||||
state: directory
|
||||
owner: root
|
||||
|
@ -121,29 +121,29 @@
|
|||
- __sshd_runtime_directory | d(false)
|
||||
|
||||
- name: Create the complete configuration file
|
||||
include_tasks: install_config.yml
|
||||
ansible.builtin.include_tasks: install_config.yml
|
||||
when: sshd_config_namespace is none
|
||||
|
||||
- name: Update configuration file snippet
|
||||
include_tasks: install_namespace.yml
|
||||
ansible.builtin.include_tasks: install_namespace.yml
|
||||
when: sshd_config_namespace is not none
|
||||
|
||||
rescue:
|
||||
- name: re-raise the error
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "{{ ansible_failed_result }}"
|
||||
always:
|
||||
- name: Remove temporary host keys
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ sshd_test_hostkey.path }}"
|
||||
state: absent
|
||||
changed_when: false
|
||||
when: sshd_test_hostkey.path is defined
|
||||
|
||||
- name: Install and start systemd service
|
||||
include_tasks: install_service.yml
|
||||
ansible.builtin.include_tasks: install_service.yml
|
||||
|
||||
- name: Register that this role has run
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
sshd_has_run: true
|
||||
when: sshd_has_run is not defined
|
||||
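Review bot: The rescue task is named `re-raise the error` while every other task in this file starts with a capital letter; later ansible-lint releases add a task-name casing rule (newer than the v6.2.2 this commit pins, as far as I recall), so `- name: Re-raise the error` keeps the file consistent and future-proof. The `changed_when: false` on the temporary `ssh-keygen` call and its removal in `always` look right, since the key only lives in the tempfile directory. The block/rescue/always structure starts before this hunk.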
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: Create the complete configuration file
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: sshd_config.j2
|
||||
dest: "{{ sshd_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
|
@ -16,7 +16,7 @@
|
|||
notify: reload_sshd
|
||||
|
||||
- name: Make sure the include path is present in the main sshd_config
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
insertbefore: BOF
|
||||
line: "Include {{ __sshd_defaults['Include'] }}"
|
||||
path: "{{ __sshd_main_config_file }}"
|
||||
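Review bot: The lineinfile task inserts the Include at `BOF` without recording why the position matters; sshd keeps the first value it reads for a keyword, so the drop-in only overrides the main file when its Include precedes every other directive. A comment above `insertbefore: BOF`, `# Must be the first directive: sshd uses the first value it reads for each keyword, so the snippet only takes precedence from here`, documents that. The rest of the task (any regexp or validate) is outside the hunk.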
|
|
|
@ -2,7 +2,7 @@
|
|||
- name: Update configuration file snippet
|
||||
vars:
|
||||
sshd_skip_defaults: true
|
||||
blockinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
path: "{{ sshd_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
group: "{{ sshd_config_group }}"
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
- name: Install systemd service files
|
||||
block:
|
||||
- name: Install service unit file
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "{{ sshd_service_template_service }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}.service"
|
||||
owner: root
|
||||
|
@ -10,7 +10,7 @@
|
|||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
- name: Install instanced service unit file
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "{{ sshd_service_template_at_service }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}@.service"
|
||||
owner: root
|
||||
|
@ -18,7 +18,7 @@
|
|||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
- name: Install socket unit file
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "{{ sshd_service_template_socket }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}.socket"
|
||||
owner: root
|
||||
|
@ -28,7 +28,7 @@
|
|||
when: sshd_install_service|bool
|
||||
|
||||
- name: Service enabled and running
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: "{{ sshd_service }}"
|
||||
enabled: true
|
||||
state: started
|
||||
|
@ -39,7 +39,7 @@
|
|||
|
||||
# Due to ansible bug 21026, cannot use service module on RHEL 7
|
||||
- name: Enable service in chroot
|
||||
command: systemctl enable {{ sshd_service }} # noqa 303
|
||||
ansible.builtin.command: systemctl enable {{ sshd_service }} # noqa 303
|
||||
when:
|
||||
- ansible_connection == 'chroot'
|
||||
- ansible_os_family == 'RedHat'
|
||||
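Review bot: `# noqa 303` on the `systemctl enable` command uses the old numeric rule id; this commit pins ansible-lint v6.2.2 in .pre-commit-config.yaml, and if that release no longer accepts numeric ids the suppression is silently ineffective. The named form `# noqa command-instead-of-module` is understood by the releases that use rule names. The comment above the task already explains the ansible bug that forces the command module, which is good.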
|
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
|
||||
- include_tasks: sshd.yml
|
||||
- ansible.builtin.include_tasks: sshd.yml
|
||||
when: sshd_enable|bool
|
||||
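Review bot: The include at the top of tasks/main.yml is the only unnamed task in this diff; `- name: Run the sshd role tasks` above `ansible.builtin.include_tasks: sshd.yml` keeps it consistent with the rest of the role and satisfies ansible-lint's unnamed-task rule.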
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
- name: Ensure ansible_facts used by role
|
||||
setup:
|
||||
ansible.builtin.setup:
|
||||
gather_subset: min
|
||||
when: not ansible_facts.keys() | list |
|
||||
intersect(__sshd_required_facts) == __sshd_required_facts
|
||||
|
||||
- name: Include common vars
|
||||
include_vars: vars/common.yml
|
||||
ansible.builtin.include_vars: vars/common.yml
|
||||
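Review bot: The `when` on the setup task compares two lists with `==`, `intersect(__sshd_required_facts) == __sshd_required_facts`, and as far as I can tell `intersect` returns the common items in the order of its left operand (the fact keys), so the comparison can fail on order alone and gather facts again even when every required fact is present; harmless, but it defeats the check. `when: __sshd_required_facts | difference(ansible_facts.keys() | list) | length > 0` asks the intended question without depending on order.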
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
- name: Set common variables and ensure basic facts are gathered
|
||||
include_tasks: set_common_vars.yml
|
||||
ansible.builtin.include_tasks: set_common_vars.yml
|
||||
|
||||
- name: Set platform/version specific variables
|
||||
include_tasks: variables.yml
|
||||
ansible.builtin.include_tasks: variables.yml
|
||||
|
||||
- name: Execute the actual role tasks
|
||||
include_tasks: install.yml
|
||||
ansible.builtin.include_tasks: install.yml
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
- name: Set common vars
|
||||
include_vars: vars/common.yml
|
||||
ansible.builtin.include_vars: vars/common.yml
|
||||
|
||||
- name: Set OS dependent variables
|
||||
include_vars: "{{ lookup('first_found', params) }}"
|
||||
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
|
||||
vars:
|
||||
ansible_distribution_lts_offset: >-
|
||||
{{
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
- name: Setup
|
||||
include_tasks: setup.yml
|
||||
ansible.builtin.include_tasks: setup.yml
|
||||
|
||||
- name: Create a temporary directory for backup files
|
||||
tempfile:
|
||||
ansible.builtin.tempfile:
|
||||
state: directory
|
||||
register: __sshd_test_backup
|
||||
changed_when: false
|
||||
|
@ -11,7 +11,7 @@
|
|||
- sshd_test_backup_skip is not defined
|
||||
|
||||
- name: Backup files
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
fi
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: Restore backed up files and remove what was not present
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -17,7 +17,7 @@
|
|||
- __sshd_test_backup.path is defined
|
||||
|
||||
- name: Remove temporary directory for backup files
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ __sshd_test_backup.path }}"
|
||||
state: absent
|
||||
changed_when: false
|
||||
|
@ -26,13 +26,13 @@
|
|||
- __sshd_test_backup.path is defined
|
||||
|
||||
- name: Include common variables
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
tasks_from: set_common_vars.yml
|
||||
public: true
|
||||
|
||||
- name: Restart sshd service
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
state: reloaded
|
||||
changed_when: false
|
||||
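Review bot: The task named `Restart sshd service` actually requests `state: reloaded`, so the name misleads; `- name: Reload sshd service`. It also hard-codes `name: sshd` rather than the role's `sshd_service`, presumably fine for the test hosts but worth a comment if deliberate. The pipefail redirection problem noted on handlers/main.yml is present in the restore shell script here as well.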
|
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
- name: Make sure openssh is installed before creating backup
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: openssh-server
|
||||
state: present
|
||||
|
||||
- name: Make sure openssh has runtime directory on debian
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /run/sshd
|
||||
state: directory
|
||||
owner: root
|
||||
|
@ -15,13 +15,13 @@
|
|||
- ansible_facts['os_family'] == 'Debian'
|
||||
|
||||
- name: Define common variables
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
main_sshd_config: /etc/ssh/sshd_config
|
||||
main_sshd_config_name: sshd_config
|
||||
main_sshd_config_path: /etc/ssh/
|
||||
|
||||
- name: Define specific variables
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
main_sshd_config: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
main_sshd_config_name: 00-ansible_system_role.conf
|
||||
main_sshd_config_path: /etc/ssh/sshd_config.d/
|
||||
|
|
|
@ -9,14 +9,14 @@
|
|||
- /tmp/ssh_host_ecdsa_key
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Ensure group 'nobody' exists
|
||||
group:
|
||||
ansible.builtin.group:
|
||||
name: nobody
|
||||
|
||||
- name: Ensure the user 'nobody' exists
|
||||
user:
|
||||
ansible.builtin.user:
|
||||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
|
@ -24,7 +24,7 @@
|
|||
shell: /sbin/nologin
|
||||
|
||||
- name: Configure alternative sshd_config file
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
# just anything -- will not get processed by sshd
|
||||
|
@ -36,10 +36,10 @@
|
|||
AcceptEnv: LANG
|
||||
Banner: /etc/issue
|
||||
Ciphers: aes256-ctr
|
||||
sshd_Compression: no
|
||||
sshd_Compression: no # noqa var-naming
|
||||
|
||||
- name: Configure second alternative sshd_config file
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
# just anything -- will not get processed by sshd
|
||||
|
@ -48,10 +48,10 @@
|
|||
sshd:
|
||||
Banner: /etc/issue2
|
||||
Ciphers: aes128-ctr
|
||||
sshd_MaxStartups: 100
|
||||
sshd_MaxStartups: 100 # noqa var-naming
|
||||
|
||||
- name: Now configure the main sshd_config file
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_config_file: /etc/ssh/sshd_config
|
||||
|
@ -60,34 +60,35 @@
|
|||
Ciphers: aes192-ctr
|
||||
HostKey:
|
||||
- /tmp/ssh_host_ecdsa_key
|
||||
sshd_PasswordAuthentication: no
|
||||
sshd_PasswordAuthentication: no # noqa var-naming
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config_custom
|
||||
register: config
|
||||
|
||||
- name: Get stat of the configuration file
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /etc/ssh/sshd_config_custom
|
||||
register: config_stat
|
||||
|
||||
- name: Print second configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config_custom_second
|
||||
register: config2
|
||||
|
||||
- name: Print the main configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config
|
||||
register: config3
|
||||
|
||||
- name: Check content of first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'AcceptEnv LANG' in config.content | b64decode"
|
||||
- "'Banner /etc/issue' in config.content | b64decode"
|
||||
|
@ -95,7 +96,7 @@
|
|||
- "'Compression no' in config.content | b64decode"
|
||||
|
||||
- name: Check Fedora/RHEL9+ defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode"
|
||||
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
|
||||
|
@ -104,7 +105,7 @@
|
|||
- ansible_facts['distribution_major_version']|int > 8
|
||||
|
||||
- name: Check RHEL7 and RHEL8 defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'X11Forwarding yes' in config.content | b64decode"
|
||||
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
|
||||
|
@ -115,7 +116,7 @@
|
|||
- ansible_facts['distribution_major_version']|int < 9
|
||||
|
||||
- name: Check RHEL6 defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Protocol 2' in config.content | b64decode"
|
||||
- "'UsePAM yes' in config.content | b64decode"
|
||||
|
@ -124,7 +125,7 @@
|
|||
- ansible_facts['distribution_major_version'] == '6'
|
||||
|
||||
- name: Check Debian defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'PrintMotd no' in config.content | b64decode"
|
||||
- "'UsePAM yes' in config.content | b64decode"
|
||||
|
@ -133,7 +134,7 @@
|
|||
- ansible_facts['distribution_major_version']|int < 22
|
||||
|
||||
- name: Check Ubuntu 22 defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
|
||||
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
|
||||
|
@ -143,7 +144,7 @@
|
|||
- ansible_facts['distribution_major_version']|int >= 22
|
||||
|
||||
- name: Check content of second configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/issue2' in config2.content | b64decode"
|
||||
- "'Ciphers aes128-ctr' in config2.content | b64decode"
|
||||
|
@ -152,7 +153,7 @@
|
|||
- "'Compression no' not in config2.content | b64decode"
|
||||
|
||||
- name: Check content of the main configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/issue' in config3.content | b64decode"
|
||||
- "'Ciphers aes192-ctr' in config3.content | b64decode"
|
||||
|
@ -162,7 +163,7 @@
|
|||
- "'Compression no' not in config3.content | b64decode"
|
||||
|
||||
- name: Check the main configuration file contains some default values for RHEL 9 or Fedora
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
|
||||
- "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode"
|
||||
|
@ -172,7 +173,7 @@
|
|||
- ansible_facts['distribution_major_version']|int > 8
|
||||
|
||||
- name: Check the generated config has requested properties
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- config_stat.stat.exists
|
||||
- config_stat.stat.gr_name == 'nobody'
|
||||
|
@ -181,4 +182,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
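Review bot: `sshd_Compression: no` and `sshd_PasswordAuthentication: no` are YAML 1.1 booleans, so the role receives `false`, not the string `no`; the later assertion `'Compression no' in config.content | b64decode` can only hold because the template renders booleans back as `no`/`yes` (inferred, the template is not in this diff). Quoting the values, `sshd_Compression: "no"  # noqa var-naming`, pins the intended sshd keyword value and keeps the yamllint hook this commit bumps from tripping on the truthy check. The same applies to the copies in tests/tests_alternative_file_split.yml and to `AllowAgentForwarding: no` in tests/tests_match.yml.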
|
|
|
@ -9,14 +9,14 @@
|
|||
- /tmp/ssh_host_ecdsa_key
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Ensure group 'nobody' exists
|
||||
group:
|
||||
ansible.builtin.group:
|
||||
name: nobody
|
||||
|
||||
- name: Ensure the user 'nobody' exists
|
||||
user:
|
||||
ansible.builtin.user:
|
||||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
|
@ -37,7 +37,7 @@
|
|||
AcceptEnv: LANG
|
||||
Banner: /etc/issue
|
||||
Ciphers: aes256-ctr
|
||||
sshd_Compression: no
|
||||
sshd_Compression: no # noqa var-naming
|
||||
|
||||
# Configure second alternative sshd_config file
|
||||
- hosts: all
|
||||
|
@ -50,7 +50,7 @@
|
|||
sshd:
|
||||
Banner: /etc/issue2
|
||||
Ciphers: aes128-ctr
|
||||
sshd_MaxStartups: 100
|
||||
sshd_MaxStartups: 100 # noqa var-naming
|
||||
|
||||
# Now configure the main sshd_config file
|
||||
- hosts: all
|
||||
|
@ -63,7 +63,7 @@
|
|||
Ciphers: aes192-ctr
|
||||
HostKey:
|
||||
- /tmp/ssh_host_ecdsa_key
|
||||
sshd_PasswordAuthentication: no
|
||||
sshd_PasswordAuthentication: no # noqa var-naming
|
||||
|
||||
- hosts: all
|
||||
vars:
|
||||
|
@ -78,30 +78,31 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config_custom
|
||||
register: config
|
||||
|
||||
- name: Get stat of the configuration file
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /etc/ssh/sshd_config_custom
|
||||
register: config_stat
|
||||
|
||||
- name: Print second configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config_custom_second
|
||||
register: config2
|
||||
|
||||
- name: Print the main configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config
|
||||
register: config3
|
||||
|
||||
- name: Check content of first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'AcceptEnv LANG' in config.content | b64decode"
|
||||
- "'Banner /etc/issue' in config.content | b64decode"
|
||||
|
@ -109,7 +110,7 @@
|
|||
- "'Compression no' in config.content | b64decode"
|
||||
|
||||
- name: Check Fedora/RHEL9+ defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode"
|
||||
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
|
||||
|
@ -118,7 +119,7 @@
|
|||
- ansible_facts['distribution_major_version']|int > 8
|
||||
|
||||
- name: Check RHEL7 and RHEL8 defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'X11Forwarding yes' in config.content | b64decode"
|
||||
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
|
||||
|
@ -129,7 +130,7 @@
|
|||
- ansible_facts['distribution_major_version']|int < 9
|
||||
|
||||
- name: Check RHEL6 defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Protocol 2' in config.content | b64decode"
|
||||
- "'UsePAM yes' in config.content | b64decode"
|
||||
|
@ -138,7 +139,7 @@
|
|||
- ansible_facts['distribution_major_version'] == '6'
|
||||
|
||||
- name: Check Debian defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'PrintMotd no' in config.content | b64decode"
|
||||
- "'UsePAM yes' in config.content | b64decode"
|
||||
|
@ -147,7 +148,7 @@
|
|||
- ansible_facts['distribution_major_version']|int < 22
|
||||
|
||||
- name: Check Ubuntu 22 defaults are present in the first configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
|
||||
- "'KbdInteractiveAuthentication no' in config.content | b64decode"
|
||||
|
@ -158,7 +159,7 @@
|
|||
|
||||
|
||||
- name: Check content of second configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/issue2' in config2.content | b64decode"
|
||||
- "'Ciphers aes128-ctr' in config2.content | b64decode"
|
||||
|
@ -167,7 +168,7 @@
|
|||
- "'Compression no' not in config2.content | b64decode"
|
||||
|
||||
- name: Check content of the main configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/issue' in config3.content | b64decode"
|
||||
- "'Ciphers aes192-ctr' in config3.content | b64decode"
|
||||
|
@ -177,7 +178,7 @@
|
|||
- "'Compression no' not in config3.content | b64decode"
|
||||
|
||||
- name: Check the main configuration file contains some default values for RHEL 9 or Fedora
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
|
||||
- "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode"
|
||||
|
@ -187,7 +188,7 @@
|
|||
- ansible_facts['distribution_major_version']|int > 8
|
||||
|
||||
- name: Check the generated config has requested properties
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- config_stat.stat.exists
|
||||
- config_stat.stat.gr_name == 'nobody'
|
||||
|
@ -196,4 +197,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,50 +6,50 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: Backup configuration files
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Find old backups files
|
||||
find:
|
||||
ansible.builtin.find:
|
||||
paths: "{{ main_sshd_config_path }}"
|
||||
patterns: "{{ main_sshd_config_name }}.*@*~"
|
||||
register: backup_files
|
||||
|
||||
- name: Remove old backup files
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: absent
|
||||
with_items: "{{ backup_files.files }}"
|
||||
|
||||
- name: Configure sshd without creating backup
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_backup: false
|
||||
|
||||
- name: Find new backups files
|
||||
find:
|
||||
ansible.builtin.find:
|
||||
paths: "{{ main_sshd_config_path }}"
|
||||
patterns: "{{ main_sshd_config_name }}.*@*~"
|
||||
register: no_backup
|
||||
|
||||
- name: Configure sshd again with different configuration and with backup
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_Banner: /tmp/banner
|
||||
sshd_Banner: /tmp/banner # noqa var-naming
|
||||
register: second_run
|
||||
|
||||
- name: Find new backups files
|
||||
find:
|
||||
ansible.builtin.find:
|
||||
paths: "{{ main_sshd_config_path }}"
|
||||
patterns: "{{ main_sshd_config_name }}.*@*~"
|
||||
register: new_backup
|
||||
|
||||
- name: Verify the backup was not done in the first attempt, but in the second one
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- no_backup.files == []
|
||||
- new_backup.files != []
|
||||
|
||||
- name: Restore configuration files
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
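Review bot: Two tasks carry the same name `Find new backups files` (the one registering `no_backup` and the one registering `new_backup`), so the play output cannot tell them apart; `- name: Find backup files after the run without backup` for the first and `- name: Find backup files after the run with backup` for the second also fixes "backups files". `register: second_run` on the include_role is not read anywhere in this hunk and, as far as I recall, include_role does not populate a registered result, so it could be dropped.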
|
|
|
@ -7,10 +7,10 @@
|
|||
- /etc/ssh/ssh_host_rsa_key.pub
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Add configuration block to default configuration file
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_config_file: /etc/ssh/sshd_config
|
||||
|
@ -23,7 +23,7 @@
|
|||
AllowAgentForwarding: no
|
||||
|
||||
- name: Add second configuration block to default configuration file
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_config_file: /etc/ssh/sshd_config
|
||||
|
@ -37,15 +37,16 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config
|
||||
register: config
|
||||
|
||||
- name: List effective configuration using sshd -T (matching)
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -55,13 +56,15 @@
|
|||
fi
|
||||
sshd -T -Cuser=root,host=localhost,addr=127.0.0.1
|
||||
register: runtime
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T (non-matching)
|
||||
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
|
||||
ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
|
||||
register: nonmatching
|
||||
changed_when: false
|
||||
|
||||
- name: Check content of configuration file (blocks)
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
|
||||
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
|
||||
|
@ -69,7 +72,7 @@
|
|||
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
|
||||
|
||||
- name: Check content of configuration file (blocks for RHEL 6)
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
|
||||
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
|
||||
|
@ -78,7 +81,7 @@
|
|||
- ansible_facts['distribution_major_version'] == '6'
|
||||
|
||||
- name: Check content of configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'PermitRootLogin yes' in config.content | b64decode"
|
||||
- "'PasswordAuthentication yes' in config.content | b64decode"
|
||||
|
@ -93,7 +96,7 @@
|
|||
|
||||
- name: Check the configuration values are effective
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'permitrootlogin yes' in runtime.stdout"
|
||||
- "'allowagentforwarding no' in runtime.stdout"
|
||||
|
@ -102,7 +105,7 @@
|
|||
|
||||
- name: Check the configuration values are not effective for non-matching connection
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'permitrootlogin yes' in runtime.stdout"
|
||||
- "'allowAgentforwarding no' not in nonmatching.stdout"
|
||||
|
@ -111,4 +114,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
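Review bot: The assertion in `Check the configuration values are not effective for non-matching connection` is vacuous: `'allowAgentforwarding no' not in nonmatching.stdout` has a capital A that `sshd -T` output never contains (the comment above the task says the options are lower-case), so it is always true, and the first check `'permitrootlogin yes' in runtime.stdout` inspects the matching output instead of `nonmatching.stdout`. At minimum the second line should be `- "'allowagentforwarding no' not in nonmatching.stdout"`; what the first line is meant to assert about the non-matching connection I cannot tell from the hunk. The pipefail redirection problem noted on handlers/main.yml also appears in the `sshd -T (matching)` shell task here.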
|
|
|
@ -6,7 +6,7 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- hosts: all
|
||||
roles:
|
||||
|
@ -19,4 +19,4 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,11 +6,11 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: "Configure sshd"
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -7,19 +7,19 @@
|
|||
- /tmp/ssh_host_rsa_key2
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Remove host key before the test
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /tmp/ssh_host_rsa_key2
|
||||
state: absent
|
||||
|
||||
- name: Ensure group 'nobody' exists
|
||||
group:
|
||||
ansible.builtin.group:
|
||||
name: nobody
|
||||
|
||||
- name: Ensure the user 'nobody' exists
|
||||
user:
|
||||
ansible.builtin.user:
|
||||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
|
@ -27,7 +27,7 @@
|
|||
shell: /sbin/nologin
|
||||
|
||||
- name: Configure sshd with alternative host keys
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
# very BAD example
|
||||
|
@ -40,30 +40,31 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Get stat of private key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /tmp/ssh_host_rsa_key2
|
||||
register: privkey
|
||||
|
||||
- name: Get stat of public key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /tmp/ssh_host_rsa_key2.pub
|
||||
register: pubkey
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
|
||||
|
||||
- name: Check the generated host key has requested properties
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- privkey.stat.exists
|
||||
- privkey.stat.gr_name == 'nobody'
|
||||
|
@ -73,4 +74,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -9,33 +9,34 @@
|
|||
- /etc/system-fips
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Run the role with default parameters without FIPS mode
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Get stat of private key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /etc/ssh/ssh_host_ed25519_key
|
||||
register: privkey
|
||||
|
||||
- name: Get stat of public key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /etc/ssh/ssh_host_ed25519_key.pub
|
||||
register: pubkey
|
||||
|
||||
- name: Check the key is in configuration file (without include)
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
|
||||
when:
|
||||
|
@ -43,7 +44,7 @@
|
|||
- ansible_facts['distribution_major_version']|int < 9
|
||||
|
||||
- name: Check host key was generated
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- privkey.stat.exists
|
||||
- pubkey.stat.exists
|
||||
|
@ -55,22 +56,24 @@
|
|||
- name: Fake FIPS mode
|
||||
block:
|
||||
- name: Create temporary directory
|
||||
tempfile:
|
||||
ansible.builtin.tempfile:
|
||||
state: directory
|
||||
register: fips_directory
|
||||
|
||||
- name: Create a /etc/system-fips
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/system-fips
|
||||
content: userspace fips
|
||||
mode: "0644"
|
||||
|
||||
- name: Create a fips_enabled file
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
dest: "{{ fips_directory.path }}/fips_enabled"
|
||||
content: 1
|
||||
mode: "0644"
|
||||
|
||||
- name: Bind mount the file where we need it
|
||||
mount:
|
||||
ansible.builtin.mount:
|
||||
path: /proc/sys/crypto/fips_enabled
|
||||
src: "{{ fips_directory.path }}/fips_enabled"
|
||||
opts: bind
|
||||
|
@ -79,47 +82,48 @@
|
|||
failed_when: false
|
||||
|
||||
- name: Remove the Ed25519 hostkey
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path:
|
||||
/etc/ssh/ssh_host_ed25519_key
|
||||
state: absent
|
||||
|
||||
- name: Remove the Ed25519 pubkey
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path:
|
||||
/etc/ssh/ssh_host_ed25519_key.pub
|
||||
state: absent
|
||||
|
||||
- name: Run the role with default parameters
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Get stat of private key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /etc/ssh/ssh_host_ed25519_key
|
||||
register: privkey
|
||||
|
||||
- name: Get stat of public key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /etc/ssh/ssh_host_ed25519_key.pub
|
||||
register: pubkey
|
||||
|
||||
- name: Check the key is not in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
|
||||
|
||||
- name: Check no host key was generated
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not privkey.stat.exists
|
||||
- not pubkey.stat.exists
|
||||
|
@ -137,9 +141,9 @@
|
|||
failed_when: false
|
||||
|
||||
- name: Remove the temporary directory
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ fips_directory.path }}"
|
||||
state: absent
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -7,12 +7,12 @@
|
|||
- /tmp/missing_ssh_host_rsa_key
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd with missing host keys and prevent their creation
|
||||
block:
|
||||
- name: Configure missing hostkey
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_verify_hostkeys: []
|
||||
|
@ -22,12 +22,12 @@
|
|||
register: role_result
|
||||
|
||||
- name: unreachable task
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: UNREACH
|
||||
|
||||
rescue:
|
||||
- name: Check that we failed in the role
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- ansible_failed_result.msg != 'UNREACH'
|
||||
- not role_result.changed
|
||||
|
@ -38,7 +38,7 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: Make sure the key was not created
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /tmp/missing_ssh_host_rsa_key
|
||||
state: absent
|
||||
register: key
|
||||
|
@ -46,7 +46,7 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: Make sure service is still running
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
state: started
|
||||
register: result
|
||||
|
@ -56,4 +56,4 @@
|
|||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -7,19 +7,19 @@
|
|||
- /tmp/ssh_host_rsa_key2
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Remove host key before the test
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /tmp/ssh_host_rsa_key2
|
||||
state: absent
|
||||
|
||||
- name: Ensure group 'nobody' exists
|
||||
group:
|
||||
ansible.builtin.group:
|
||||
name: nobody
|
||||
|
||||
- name: Ensure the user 'nobody' exists
|
||||
user:
|
||||
ansible.builtin.user:
|
||||
name: nobody
|
||||
group: nobody
|
||||
comment: nobody
|
||||
|
@ -47,34 +47,35 @@
|
|||
- /tmp/ssh_host_rsa_key2
|
||||
tasks:
|
||||
- name: Setup variables
|
||||
include_tasks: tasks/setup.yml
|
||||
ansible.builtin.include_tasks: tasks/setup.yml
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush metadata
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Get stat of private key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /tmp/ssh_host_rsa_key2
|
||||
register: privkey
|
||||
|
||||
- name: Get stat of public key
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /tmp/ssh_host_rsa_key2.pub
|
||||
register: pubkey
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
|
||||
|
||||
- name: Check the generated host key has requested properties
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- privkey.stat.exists
|
||||
- privkey.stat.gr_name == 'nobody'
|
||||
|
@ -84,4 +85,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -7,10 +7,10 @@
|
|||
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Remove include directory from the main config file
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/etc/ssh/sshd_config"
|
||||
regexp: "^Include"
|
||||
state: absent
|
||||
|
@ -19,7 +19,7 @@
|
|||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
|
||||
|
||||
- name: Create a new configuration in drop-in directory
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
|
@ -32,20 +32,21 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print drop-in configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
register: config
|
||||
|
||||
- name: Print the main configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config
|
||||
register: config_main
|
||||
|
||||
- name: Check content of drop-in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/include-issue' in config.content | b64decode"
|
||||
- "'Ciphers aes192-ctr' in config.content | b64decode"
|
||||
|
@ -54,20 +55,20 @@
|
|||
- "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode"
|
||||
|
||||
- name: Check common content of the main configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/include-issue' not in config_main.content | b64decode"
|
||||
- "'Ciphers aes192-ctr' not in config_main.content | b64decode"
|
||||
- "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
|
||||
|
||||
- name: Check RHEL content of the main configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
|
||||
when: ansible_facts['os_family'] == 'RedHat'
|
||||
|
||||
- name: Check Ubuntu content of the main configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode"
|
||||
when: ansible_facts['os_family'] == 'Ubuntu'
|
||||
|
@ -79,4 +80,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd with simple config options
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
|
@ -21,15 +21,16 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Check the options are correctly indented in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "config.content | b64decode | regex_search('^PasswordAuthentication yes$', multiline=True)"
|
||||
- "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
|
||||
|
@ -38,4 +39,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
||||
|
@ -35,32 +35,37 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: List effective configuration using sshd -T for xusers
|
||||
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
|
||||
register: xusers_effective
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T for bot
|
||||
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
|
||||
register: bot_effective
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T for sftponly
|
||||
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
|
||||
register: sftponly_effective
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T for root
|
||||
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
|
||||
register: root_effective
|
||||
changed_when: false
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Check the options are effective
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'x11forwarding yes' in xusers_effective.stdout"
|
||||
- "'banner /tmp/xusers-banner' in xusers_effective.stdout"
|
||||
|
@ -72,7 +77,7 @@
|
|||
- "'allowtcpforwarding yes' in root_effective.stdout"
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Match User xusers' in config.content | b64decode"
|
||||
- "'Match User bot' in config.content | b64decode"
|
||||
|
@ -81,4 +86,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
||||
|
@ -33,32 +33,37 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: List effective configuration using sshd -T for xusers
|
||||
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
|
||||
register: xusers_effective
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T for bot
|
||||
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
|
||||
register: bot_effective
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T for sftponly
|
||||
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
|
||||
register: sftponly_effective
|
||||
changed_when: false
|
||||
|
||||
- name: List effective configuration using sshd -T for root
|
||||
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
|
||||
ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
|
||||
register: root_effective
|
||||
changed_when: false
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Check the options are effective
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'x11forwarding yes' in xusers_effective.stdout"
|
||||
- "'banner /tmp/xusers-banner' in xusers_effective.stdout"
|
||||
|
@ -70,7 +75,7 @@
|
|||
- "'allowtcpforwarding yes' in root_effective.stdout"
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Match User xusers' in config.content | b64decode"
|
||||
- "'Match User bot' in config.content | b64decode"
|
||||
|
@ -79,4 +84,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -9,10 +9,10 @@
|
|||
|
||||
tasks:
|
||||
- name: Backup configuration files
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Show effective configuration before running role (system defaults)
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -25,16 +25,16 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
|
||||
- name: Show effective configuration after running role (role defaults)
|
||||
command: sshd -T
|
||||
ansible.builtin.command: sshd -T
|
||||
register: runtime_after
|
||||
changed_when: false
|
||||
|
||||
- name: Check that the effective configuration did not change from OS defaults
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- runtime_before.stdout == runtime_after.stdout
|
||||
when:
|
||||
|
@ -42,4 +42,4 @@
|
|||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: Restore configuration files
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
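Review bot: The pipefail probe in the `Show effective configuration before running role (system defaults)` shell task does not do what it says: in `if set -o | grep pipefail 2>&1 /dev/null ; then` the trailing `/dev/null` is a file operand, so grep reads /dev/null instead of the piped `set -o` output, never matches, and `set -o pipefail` is never enabled. Since this task is being rewritten to `ansible.builtin.shell: |` anyway, the line should become `if set -o | grep -q pipefail ; then` (or keep the redirection as `>/dev/null 2>&1`). Without pipefail, a failing command earlier in the pipeline that captures the pre-role `sshd -T` output would presumably go unnoticed and the before/after comparison below could pass on incomplete data; the rest of the script is outside the hunk so that cannot be confirmed here. The same line appears in the `Print effective configuration` task of the `@ -22,12 +22,12 @@` section and in both `Evaluate sysconfig similarly as systemd` tasks of the `@ -19,15 +19,16 @@` / `@ -39,7 +40,7 @@` section.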
|
||||
|
|
|
@ -7,15 +7,15 @@
|
|||
- /tmp/ssh_host_rsa_key
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Remove host key before the test
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /tmp/ssh_host_rsa_key
|
||||
state: absent
|
||||
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
- name: Configure sshd # noqa var-naming
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
|
@ -28,27 +28,29 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush metadata
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: List effective configuration using sshd -T
|
||||
command: sshd -T
|
||||
ansible.builtin.command: sshd -T
|
||||
register: runtime
|
||||
changed_when: false
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ main_sshd_config }}"
|
||||
register: config
|
||||
|
||||
- name: Check the sshd_* values are effective in runtime
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'banner /etc/good-issue' in runtime.stdout"
|
||||
- "'ciphers aes128-ctr' in runtime.stdout"
|
||||
- "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout"
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Banner /etc/good-issue' in config.content | b64decode"
|
||||
- "'Ciphers aes128-ctr' in config.content | b64decode"
|
||||
|
@ -56,4 +58,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
|
@ -21,20 +21,22 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: List effective configuration using sshd -T
|
||||
command: sshd -T
|
||||
ansible.builtin.command: sshd -T
|
||||
register: runtime
|
||||
changed_when: false
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config
|
||||
register: config
|
||||
|
||||
- name: Check the options are effective
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'acceptenv LANG' in runtime.stdout"
|
||||
- "'banner /etc/issue' in runtime.stdout"
|
||||
|
@ -42,7 +44,7 @@
|
|||
- "'subsystem sftp internal-sftp' in runtime.stdout"
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'AcceptEnv LANG' in config.content | b64decode"
|
||||
- "'Banner /etc/issue' in config.content | b64decode"
|
||||
|
@ -51,4 +53,4 @@
|
|||
tags: tests::verify
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -6,12 +6,12 @@
|
|||
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd with uncommon options, making sure it keeps running
|
||||
block:
|
||||
- name: Configure ssh with unsupported options
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
|
@ -39,11 +39,11 @@
|
|||
register: role_result
|
||||
|
||||
- name: unreachable task
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: UNREACH
|
||||
rescue:
|
||||
- name: Check that we failed in the role
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- ansible_failed_result.msg != 'UNREACH'
|
||||
- not role_result.changed
|
||||
|
@ -52,7 +52,7 @@
|
|||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: Make sure service is still running
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
state: started
|
||||
register: result
|
||||
|
@ -62,4 +62,4 @@
|
|||
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|
|
@ -8,10 +8,10 @@
|
|||
- /etc/ssh/ssh_host_rsa_key.pub
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd with the role disabled
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_enable: false
|
||||
|
@ -22,12 +22,12 @@
|
|||
sshd_config_file: /etc/ssh/sshd_config
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/ssh/sshd_config
|
||||
register: config
|
||||
|
||||
- name: Print effective configuration
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -41,7 +41,7 @@
|
|||
|
||||
- name: Check the options were not applied
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'Acceptenv XDG_*' not in config.content | b64decode"
|
||||
- "'Banner /etc/issue' not in config.content | b64decode"
|
||||
|
@ -51,4 +51,4 @@
|
|||
- "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout"
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
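Review bot: The negative assertion `- "'Acceptenv XDG_*' not in config.content | b64decode"` in `Check the options were not applied` is vacuous: the role writes the directive as `AcceptEnv` (the positive check elsewhere in this commit is `'AcceptEnv LANG' in config.content | b64decode`), so the misspelled `Acceptenv` can never be found and the check passes whether or not `sshd_enable: false` kept the role from touching `/etc/ssh/sshd_config`. It should read `- "'AcceptEnv XDG_*' not in config.content | b64decode"`. The remaining assertions of that task continue outside the hunk and may want the same review.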
|
||||
|
|
|
@ -7,10 +7,10 @@
|
|||
- /etc/sysconfig/sshd
|
||||
tasks:
|
||||
- name: "Backup configuration files"
|
||||
include_tasks: tasks/backup.yml
|
||||
ansible.builtin.include_tasks: tasks/backup.yml
|
||||
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd_sysconfig: true
|
||||
|
@ -19,15 +19,16 @@
|
|||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
slurp:
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/sysconfig/sshd
|
||||
register: config
|
||||
|
||||
- name: Evaluate sysconfig similarly as systemd
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -39,7 +40,7 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Evaluate sysconfig similarly as systemd on RHEL 8
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -eu
|
||||
if set -o | grep pipefail 2>&1 /dev/null ; then
|
||||
set -o pipefail
|
||||
|
@ -55,7 +56,7 @@
|
|||
- ansible_facts['distribution_major_version'] == "8"
|
||||
|
||||
- name: Check the crypto policies is overridden in RHEL 8
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'CRYPTO_POLICY=' in config.content | b64decode"
|
||||
# these are string variants in default configuration file
|
||||
|
@ -66,7 +67,7 @@
|
|||
- ansible_facts['distribution_major_version'] == "8"
|
||||
|
||||
- name: Check the RNG options are in configuration file
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'SSH_USE_STRONG_RNG=32' in config.content | b64decode"
|
||||
# these are string variants in default configuration file
|
||||
|
@ -80,4 +81,4 @@
|
|||
- ansible_facts['distribution_major_version']|int < 9
|
||||
|
||||
- name: "Restore configuration files"
|
||||
include_tasks: tasks/restore.yml
|
||||
ansible.builtin.include_tasks: tasks/restore.yml
|
||||
|
|