Merge branch 'master' into systemd

This commit is contained in:
Nikolaos Kakouros 2018-08-25 23:48:09 +02:00
commit f5c13ee90f
7 changed files with 123 additions and 12 deletions


@ -15,11 +15,17 @@ install:
- "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
script:
# Check the roles syntax
- "ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
# Check the ansible version.
- >
ansible --version
| grep -q '^ansible 2'
&& (echo 'Ansible 2.0+ test: pass' && exit 0)
|| (echo 'Ansible 2.0+ test: fail' && exit 1)
# Check the roles syntax.
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
# Run the role
- "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo"
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v"
# Run the role/playbook again, checking to make sure it's idempotent.
- >
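Review bot: The merged `script:` list now runs the syntax check twice (L14 and L22, with near-identical comments) and the role twice (L24, then the `ANSIBLE_FORCE_COLOR=1 ... -v` run on L25); this reads like both branches' copies of the same steps surviving the merge rather than a deliberate change, although the rendered page has lost the +/- markers so I cannot tell which pair is the new one. Keep one of each, presumably the `ANSIBLE_FORCE_COLOR=1` variants, and drop L14 and L24. Separately, `--sudo` is a deprecated alias of `--become`, so `ansible-playbook -i tests/inventory tests/test.yml --connection=local --become -v` avoids the deprecation warning on every run. The idempotence step opened by the final `- >` continues past the end of the hunk.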


@ -17,6 +17,9 @@ sshd_service_template_socket: sshd.socket.j2
# If the below is false, don't reload the ssh daemon on change
sshd_allow_reload: true
# If the below is true, create a backup of the config file when the template is copied
sshd_backup: false
# Empty dicts to avoid errors
sshd: {}


@ -5,29 +5,29 @@
{{ match_block(sshd_match) -}}
{% endif %}
{% if sshd_match_1 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_1) -}}
{% endif %}
{% if sshd_match_2 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_2) -}}
{% endif %}
{% if sshd_match_3 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_3) -}}
{% endif %}
{% if sshd_match_4 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_4) -}}
{% endif %}
{% if sshd_match_5 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_5) -}}
{% endif %}
{% if sshd_match_6 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_6) -}}
{% endif %}
{% if sshd_match_7 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_7) -}}
{% endif %}
{% if sshd_match_8 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_8) -}}
{% endif %}
{% if sshd_match_9 is defined %}
{{ match_block(sshd_match) -}}
{{ match_block(sshd_match_9) -}}
{% endif %}
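Review bot: The ten hand-copied `{% if sshd_match_N is defined %}` blocks still differ from each other by a single token, which is exactly how the copy-paste error this hunk corrects (every numbered block rendering `sshd_match`, if the print order reflects old-then-new) slipped in unnoticed; a loop over the index removes that class of mistake and also makes it obvious that a `Match` restriction configured via `sshd_match_N` was never silently dropped. The unnumbered `sshd_match` block whose `{% if %}` starts above the hunk can stay as it is, and the numbered blocks collapse to the loop below, assuming the role's minimum Ansible exposes the `vars` mapping in templates. A test rendering the template with `sshd_match_1` and `sshd_match_9` set and asserting both `Match` stanzas appear would pin the fix.
```jinja
{# … unchanged: sshd_match block … #}
{% for i in range(1, 10) %}
{% set name = 'sshd_match_' ~ i %}
{% if name in vars %}
{{ match_block(vars[name]) -}}
{% endif %}
{% endfor %}
```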


@ -6,12 +6,15 @@ HostKey
AcceptEnv
AllowAgentForwarding
AllowGroups
AllowStreamLocalForwarding
AllowTcpForwarding
AllowUsers
AuthenticationMethods
AuthorizedKeysCommand
AuthorizedKeysCommandUser
AuthorizedKeysFile
AuthorizedPrincipalsCommand
AuthorizedPrincipalsCommandUser
AuthorizedPrincipalsFile
Banner
ChallengeResponseAuthentication
@ -23,7 +26,11 @@ Compression
DebianBanner
DenyGroups
DenyUsers
DisableForwarding
ExposeAuthInfo
FingerprintHash
ForceCommand
GatewayPorts
GSSAPIAuthentication
GSSAPICleanupCredentials
GSSAPIKeyExchange
@ -34,6 +41,8 @@ HPNBufferSize
HPNDisabled
HostCertificate
HostKeyAgent
HostKeyAlgorithms
HostbasedAcceptedKeyTypes
HostbasedAuthentication
HostbasedUsesNameFromPacketOnly
IPQoS
@ -60,15 +69,19 @@ PermitRootLogin
PermitTTY
PermitTunnel
PermitUserEnvironment
PermitUserRC
PidFile
PrintLastLog
PrintMotd
PubkeyAcceptedKeyTypes
PubkeyAuthentication
RSAAuthentication
RekeyLimit
RevokedKeys
RDomain
RhostsRSAAuthentication
ServerKeyBits
StreamLocalBindMask
StreamLocalBindUnlink
StrictModes
Subsystem


@ -1,33 +1,51 @@
AcceptEnv
AllowAgentForwarding
AllowGroups
AllowStreamLocalForwarding
AllowTcpForwarding
AllowUsers
AuthenticationMethods
AuthorizedKeysCommand
AuthorizedKeysCommandUser
AuthorizedKeysFile
AuthorizedPrincipalsCommand
AuthorizedPrincipalsCommandUser
AuthorizedPrincipalsFile
Banner
ChrootDirectory
ClientAliveCountMax
ClientAliveInterval
DenyGroups
DenyUsers
ForceCommand
GatewayPorts
GSSAPIAuthentication
HostbasedAcceptedKeyTypes
HostbasedAuthentication
HostbasedUsesNameFromPacketOnly
IPQoS
KbdInteractiveAuthentication
KerberosAuthentication
LogLevel
MaxAuthTries
MaxSessions
PasswordAuthentication
PermitEmptyPasswords
PermitOpen
PermitRootLogin
PermitTTY
PermitTunnel
PermitUserRC
PubkeyAcceptedKeyTypes
PubkeyAuthentication
RDomain
RekeyLimit
RevokedKeys
RhostsRSAAuthentication
RSAAuthentication
StreamLocalBindMask
StreamLocalBindUnlink
TrustedUserCAKeys
X11DisplayOffset
X11Forwarding
X11UseLocalHost

View file

@ -33,36 +33,54 @@
{% if match_list is iterable %}
{% for match in match_list %}
Match {{ match["Condition"] }}
{{ render_option("AcceptEnv",match["AcceptEnv"],true) -}}
{{ render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
{{ render_option("AllowGroups",match["AllowGroups"],true) -}}
{{ render_option("AllowStreamLocalForwarding",match["AllowStreamLocalForwarding"],true) -}}
{{ render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
{{ render_option("AllowUsers",match["AllowUsers"],true) -}}
{{ render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
{{ render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
{{ render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
{{ render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
{{ render_option("AuthorizedPrincipalsCommand",match["AuthorizedPrincipalsCommand"],true) -}}
{{ render_option("AuthorizedPrincipalsCommandUser",match["AuthorizedPrincipalsCommandUser"],true) -}}
{{ render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
{{ render_option("Banner",match["Banner"],true) -}}
{{ render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
{{ render_option("ClientAliveCountMax",match["ClientAliveCountMax"],true) -}}
{{ render_option("ClientAliveInterval",match["ClientAliveInterval"],true) -}}
{{ render_option("DenyGroups",match["DenyGroups"],true) -}}
{{ render_option("DenyUsers",match["DenyUsers"],true) -}}
{{ render_option("ForceCommand",match["ForceCommand"],true) -}}
{{ render_option("GatewayPorts",match["GatewayPorts"],true) -}}
{{ render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
{{ render_option("HostbasedAcceptedKeyTypes",match["HostbasedAcceptedKeyTypes"],true) -}}
{{ render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
{{ render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
{{ render_option("IPQoS",match["IPQoS"],true) -}}
{{ render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
{{ render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
{{ render_option("LogLevel",match["LogLevel"],true) -}}
{{ render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
{{ render_option("MaxSessions",match["MaxSessions"],true) -}}
{{ render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
{{ render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
{{ render_option("PermitOpen",match["PermitOpen"],true) -}}
{{ render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
{{ render_option("PermitTTY",match["PermitTTY"],true) -}}
{{ render_option("PermitTunnel",match["PermitTunnel"],true) -}}
{{ render_option("PermitUserRC",match["PermitUserRC"],true) -}}
{{ render_option("PubkeyAcceptedKeyTypes",match["PubkeyAcceptedKeyTypes"],true) -}}
{{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
{{ render_option("RDomain",match["RDomain"],true) -}}
{{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
{{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
{{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
{{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
{{ render_option("StreamLocalBindMask",match["StreamLocalBindMask"],true) -}}
{{ render_option("StreamLocalBindUnlink",match["StreamLocalBindUnlink"],true) -}}
{{ render_option("TrustedUserCAKeys",match["TrustedUserCAKeys"],true) -}}
{{ render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
{{ render_option("X11Forwarding",match["X11Forwarding"],true) -}}
{{ render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
@ -77,12 +95,15 @@ Match {{ match["Condition"] }}
{{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
{{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
{{ body_option("AllowGroups",sshd_AllowGroups) -}}
{{ body_option("AllowStreamLocalForwarding",sshd_AllowStreamLocalForwarding) -}}
{{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
{{ body_option("AllowUsers",sshd_AllowUsers) -}}
{{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
{{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
{{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
{{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
{{ body_option("AuthorizedPrincipalsCommand",sshd_AuthorizedPrincipalsCommand) -}}
{{ body_option("AuthorizedPrincipalsCommandUser",sshd_AuthorizedPrincipalsCommandUser) -}}
{{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
{{ body_option("Banner",sshd_Banner) -}}
{{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
@ -94,7 +115,11 @@ Match {{ match["Condition"] }}
{{ body_option("DebianBanner",sshd_DebianBanner) -}}
{{ body_option("DenyGroups",sshd_DenyGroups) -}}
{{ body_option("DenyUsers",sshd_DenyUsers) -}}
{{ body_option("DisableForwarding",sshd_DisableForwarding) -}}
{{ body_option("ExposeAuthInfo",sshd_ExposeAuthInfo) -}}
{{ body_option("FingerprintHash",sshd_FingerprintHash) -}}
{{ body_option("ForceCommand",sshd_ForceCommand) -}}
{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
{{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
{{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
{{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
@ -105,6 +130,8 @@ Match {{ match["Condition"] }}
{{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
{{ body_option("HostCertificate",sshd_HostCertificate) -}}
{{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
{{ body_option("HostKeyAlgorithms",sshd_HostKeyAlgorithms) -}}
{{ body_option("HostbasedAcceptedKeyTypes",sshd_HostbasedAcceptedKeyTypes) -}}
{{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
{{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
{{ body_option("IPQoS",sshd_IPQoS) -}}
@ -131,15 +158,19 @@ Match {{ match["Condition"] }}
{{ body_option("PermitTTY",sshd_PermitTTY) -}}
{{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
{{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
{{ body_option("PermitUserRC",sshd_PermitUserRC) -}}
{{ body_option("PidFile",sshd_PidFile) -}}
{{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
{{ body_option("PrintMotd",sshd_PrintMotd) -}}
{{ body_option("PubkeyAcceptedKeyTypes",sshd_PubkeyAcceptedKeyTypes) -}}
{{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
{{ body_option("RDomain",sshd_RDomain) -}}
{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
{{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
{{ body_option("StreamLocalBindMask",sshd_StreamLocalBindMask) -}}
{{ body_option("StreamLocalBindUnlink",sshd_StreamLocalBindUnlink) -}}
{{ body_option("StrictModes",sshd_StrictModes) -}}
{{ body_option("Subsystem",sshd_Subsystem) -}}
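Review bot: The 51 `render_option("X", match["X"], true)` lines in the first hunk (L202-L252) are the same 51 names, in the same order, as the list file in the section above, so the two now have to be edited in lockstep and this commit is itself an example of that double maintenance; if the role loads that list into a variable, the loop body can be driven from it, e.g. `{% for opt in match_option_names %}{{ render_option(opt, match[opt], true) -}}{% endfor %}` (variable name constructed, use whatever the role actually defines). Note that `match[opt]` on a key the user did not set yields an undefined value either way; whether that is tolerated depends on `render_option`, which is defined above the hunk, so worth a quick check that a `Match` entry with only a `Condition` still renders. The enclosing `{% for match in match_list %}` loop closes outside the hunk.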

vars/Ubuntu_18.yml Normal file

@ -0,0 +1,40 @@
---
sshd_service: ssh
sshd_packages:
- openssh-server
- openssh-sftp-server
sshd_config_mode: "0644"
sshd_defaults:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 1024
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: prohibit-password
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ sshd_sftp_server }}"
UsePAM: yes
UseDNS: no
sshd_os_supported: yes
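Review bot: `sshd_defaults` carries several SSH-1 era keys that the OpenSSH 7.6 shipped with Ubuntu 18.04 accepts only as deprecated no-ops with a startup warning: `Protocol`, `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication` and `RhostsRSAAuthentication`, and `UsePrivilegeSeparation` has been a no-op since 7.5; the stock 18.04 sshd_config no longer lists any of them, so dropping them here keeps the rendered file free of `Deprecated option` noise and stops suggesting SSH-1 is being configured. `/etc/ssh/ssh_host_dsa_key` is likewise not generated on 18.04 (ssh-dss host keys are disabled by default since 7.0), so that `HostKey` entry only produces a could-not-load warning at start. The unquoted `yes`/`no` values parse as YAML booleans, which is only correct if the template, outside this diff, renders them back as `yes`/`no`; writing `true`/`false` or quoting `"yes"` would make the intent explicit either way.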