mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-28 21:50:18 +01:00
Merge branch 'master' into systemd
This commit is contained in:
commit
f5c13ee90f
7 changed files with 123 additions and 12 deletions
12
.travis.yml
12
.travis.yml
|
@ -15,11 +15,17 @@ install:
|
|||
- "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
|
||||
|
||||
script:
|
||||
# Check the roles syntax
|
||||
- "ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
|
||||
# Check the ansible version.
|
||||
- >
|
||||
ansible --version
|
||||
| grep -q '^ansible 2'
|
||||
&& (echo 'Ansible 2.0+ test: pass' && exit 0)
|
||||
|| (echo 'Ansible 2.0+ test: fail' && exit 1)
|
||||
# Check the roles syntax.
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
|
||||
|
||||
# Run the role
|
||||
- "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo"
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v"
|
||||
|
||||
# Run the role/playbook again, checking to make sure it's idempotent.
|
||||
- >
|
||||
|
|
|
@ -17,6 +17,9 @@ sshd_service_template_socket: sshd.socket.j2
|
|||
# If the below is false, don't reload the ssh daemon on change
|
||||
sshd_allow_reload: true
|
||||
|
||||
# If the below is true, create a backup of the config file when the template is copied
|
||||
sshd_backup: false
|
||||
|
||||
# Empty dicts to avoid errors
|
||||
sshd: {}
|
||||
|
||||
|
|
|
@ -5,29 +5,29 @@
|
|||
{{ match_block(sshd_match) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_1 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_1) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_2 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_2) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_3 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_3) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_4 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_4) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_5 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_5) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_6 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_6) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_7 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_7) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_8 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_8) -}}
|
||||
{% endif %}
|
||||
{% if sshd_match_9 is defined %}
|
||||
{{ match_block(sshd_match) -}}
|
||||
{{ match_block(sshd_match_9) -}}
|
||||
{% endif %}
|
||||
|
|
|
@ -6,12 +6,15 @@ HostKey
|
|||
AcceptEnv
|
||||
AllowAgentForwarding
|
||||
AllowGroups
|
||||
AllowStreamLocalForwarding
|
||||
AllowTcpForwarding
|
||||
AllowUsers
|
||||
AuthenticationMethods
|
||||
AuthorizedKeysCommand
|
||||
AuthorizedKeysCommandUser
|
||||
AuthorizedKeysFile
|
||||
AuthorizedPrincipalsCommand
|
||||
AuthorizedPrincipalsCommandUser
|
||||
AuthorizedPrincipalsFile
|
||||
Banner
|
||||
ChallengeResponseAuthentication
|
||||
|
@ -23,7 +26,11 @@ Compression
|
|||
DebianBanner
|
||||
DenyGroups
|
||||
DenyUsers
|
||||
DisableForwarding
|
||||
ExposeAuthInfo
|
||||
FingerprintHash
|
||||
ForceCommand
|
||||
GatewayPorts
|
||||
GSSAPIAuthentication
|
||||
GSSAPICleanupCredentials
|
||||
GSSAPIKeyExchange
|
||||
|
@ -34,6 +41,8 @@ HPNBufferSize
|
|||
HPNDisabled
|
||||
HostCertificate
|
||||
HostKeyAgent
|
||||
HostKeyAlgorithms
|
||||
HostbasedAcceptedKeyTypes
|
||||
HostbasedAuthentication
|
||||
HostbasedUsesNameFromPacketOnly
|
||||
IPQoS
|
||||
|
@ -60,15 +69,19 @@ PermitRootLogin
|
|||
PermitTTY
|
||||
PermitTunnel
|
||||
PermitUserEnvironment
|
||||
PermitUserRC
|
||||
PidFile
|
||||
PrintLastLog
|
||||
PrintMotd
|
||||
PubkeyAcceptedKeyTypes
|
||||
PubkeyAuthentication
|
||||
RSAAuthentication
|
||||
RekeyLimit
|
||||
RevokedKeys
|
||||
RDomain
|
||||
RhostsRSAAuthentication
|
||||
ServerKeyBits
|
||||
StreamLocalBindMask
|
||||
StreamLocalBindUnlink
|
||||
StrictModes
|
||||
Subsystem
|
||||
|
|
|
@ -1,33 +1,51 @@
|
|||
AcceptEnv
|
||||
AllowAgentForwarding
|
||||
AllowGroups
|
||||
AllowStreamLocalForwarding
|
||||
AllowTcpForwarding
|
||||
AllowUsers
|
||||
AuthenticationMethods
|
||||
AuthorizedKeysCommand
|
||||
AuthorizedKeysCommandUser
|
||||
AuthorizedKeysFile
|
||||
AuthorizedPrincipalsCommand
|
||||
AuthorizedPrincipalsCommandUser
|
||||
AuthorizedPrincipalsFile
|
||||
Banner
|
||||
ChrootDirectory
|
||||
ClientAliveCountMax
|
||||
ClientAliveInterval
|
||||
DenyGroups
|
||||
DenyUsers
|
||||
ForceCommand
|
||||
GatewayPorts
|
||||
GSSAPIAuthentication
|
||||
HostbasedAcceptedKeyTypes
|
||||
HostbasedAuthentication
|
||||
HostbasedUsesNameFromPacketOnly
|
||||
IPQoS
|
||||
KbdInteractiveAuthentication
|
||||
KerberosAuthentication
|
||||
LogLevel
|
||||
MaxAuthTries
|
||||
MaxSessions
|
||||
PasswordAuthentication
|
||||
PermitEmptyPasswords
|
||||
PermitOpen
|
||||
PermitRootLogin
|
||||
PermitTTY
|
||||
PermitTunnel
|
||||
PermitUserRC
|
||||
PubkeyAcceptedKeyTypes
|
||||
PubkeyAuthentication
|
||||
RDomain
|
||||
RekeyLimit
|
||||
RevokedKeys
|
||||
RhostsRSAAuthentication
|
||||
RSAAuthentication
|
||||
StreamLocalBindMask
|
||||
StreamLocalBindUnlink
|
||||
TrustedUserCAKeys
|
||||
X11DisplayOffset
|
||||
X11Forwarding
|
||||
X11UseLocalHost
|
||||
|
|
|
@ -33,36 +33,54 @@
|
|||
{% if match_list is iterable %}
|
||||
{% for match in match_list %}
|
||||
Match {{ match["Condition"] }}
|
||||
{{ render_option("AcceptEnv",match["AcceptEnv"],true) -}}
|
||||
{{ render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
|
||||
{{ render_option("AllowGroups",match["AllowGroups"],true) -}}
|
||||
{{ render_option("AllowStreamLocalForwarding",match["AllowStreamLocalForwarding"],true) -}}
|
||||
{{ render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
|
||||
{{ render_option("AllowUsers",match["AllowUsers"],true) -}}
|
||||
{{ render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
|
||||
{{ render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
|
||||
{{ render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
|
||||
{{ render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
|
||||
{{ render_option("AuthorizedPrincipalsCommand",match["AuthorizedPrincipalsCommand"],true) -}}
|
||||
{{ render_option("AuthorizedPrincipalsCommandUser",match["AuthorizedPrincipalsCommandUser"],true) -}}
|
||||
{{ render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
|
||||
{{ render_option("Banner",match["Banner"],true) -}}
|
||||
{{ render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
|
||||
{{ render_option("ClientAliveCountMax",match["ClientAliveCountMax"],true) -}}
|
||||
{{ render_option("ClientAliveInterval",match["ClientAliveInterval"],true) -}}
|
||||
{{ render_option("DenyGroups",match["DenyGroups"],true) -}}
|
||||
{{ render_option("DenyUsers",match["DenyUsers"],true) -}}
|
||||
{{ render_option("ForceCommand",match["ForceCommand"],true) -}}
|
||||
{{ render_option("GatewayPorts",match["GatewayPorts"],true) -}}
|
||||
{{ render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
|
||||
{{ render_option("HostbasedAcceptedKeyTypes",match["HostbasedAcceptedKeyTypes"],true) -}}
|
||||
{{ render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
|
||||
{{ render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
|
||||
{{ render_option("IPQoS",match["IPQoS"],true) -}}
|
||||
{{ render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
|
||||
{{ render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
|
||||
{{ render_option("LogLevel",match["LogLevel"],true) -}}
|
||||
{{ render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
|
||||
{{ render_option("MaxSessions",match["MaxSessions"],true) -}}
|
||||
{{ render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
|
||||
{{ render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
|
||||
{{ render_option("PermitOpen",match["PermitOpen"],true) -}}
|
||||
{{ render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
|
||||
{{ render_option("PermitTTY",match["PermitTTY"],true) -}}
|
||||
{{ render_option("PermitTunnel",match["PermitTunnel"],true) -}}
|
||||
{{ render_option("PermitUserRC",match["PermitUserRC"],true) -}}
|
||||
{{ render_option("PubkeyAcceptedKeyTypes",match["PubkeyAcceptedKeyTypes"],true) -}}
|
||||
{{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
|
||||
{{ render_option("RDomain",match["RDomain"],true) -}}
|
||||
{{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
|
||||
{{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
|
||||
{{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
|
||||
{{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
|
||||
{{ render_option("StreamLocalBindMask",match["StreamLocalBindMask"],true) -}}
|
||||
{{ render_option("StreamLocalBindUnlink",match["StreamLocalBindUnlink"],true) -}}
|
||||
{{ render_option("TrustedUserCAKeys",match["TrustedUserCAKeys"],true) -}}
|
||||
{{ render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
|
||||
{{ render_option("X11Forwarding",match["X11Forwarding"],true) -}}
|
||||
{{ render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
|
||||
|
@ -77,12 +95,15 @@ Match {{ match["Condition"] }}
|
|||
{{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
|
||||
{{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
|
||||
{{ body_option("AllowGroups",sshd_AllowGroups) -}}
|
||||
{{ body_option("AllowStreamLocalForwarding",sshd_AllowStreamLocalForwarding) -}}
|
||||
{{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
|
||||
{{ body_option("AllowUsers",sshd_AllowUsers) -}}
|
||||
{{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
|
||||
{{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
|
||||
{{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
|
||||
{{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
|
||||
{{ body_option("AuthorizedPrincipalsCommand",sshd_AuthorizedPrincipalsCommand) -}}
|
||||
{{ body_option("AuthorizedPrincipalsCommandUser",sshd_AuthorizedPrincipalsCommandUser) -}}
|
||||
{{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
|
||||
{{ body_option("Banner",sshd_Banner) -}}
|
||||
{{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
|
||||
|
@ -94,7 +115,11 @@ Match {{ match["Condition"] }}
|
|||
{{ body_option("DebianBanner",sshd_DebianBanner) -}}
|
||||
{{ body_option("DenyGroups",sshd_DenyGroups) -}}
|
||||
{{ body_option("DenyUsers",sshd_DenyUsers) -}}
|
||||
{{ body_option("DisableForwarding",sshd_DisableForwarding) -}}
|
||||
{{ body_option("ExposeAuthInfo",sshd_ExposeAuthInfo) -}}
|
||||
{{ body_option("FingerprintHash",sshd_FingerprintHash) -}}
|
||||
{{ body_option("ForceCommand",sshd_ForceCommand) -}}
|
||||
{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
|
||||
{{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
|
||||
{{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
|
||||
{{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
|
||||
|
@ -105,6 +130,8 @@ Match {{ match["Condition"] }}
|
|||
{{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
|
||||
{{ body_option("HostCertificate",sshd_HostCertificate) -}}
|
||||
{{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
|
||||
{{ body_option("HostKeyAlgorithms",sshd_HostKeyAlgorithms) -}}
|
||||
{{ body_option("HostbasedAcceptedKeyTypes",sshd_HostbasedAcceptedKeyTypes) -}}
|
||||
{{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
|
||||
{{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
|
||||
{{ body_option("IPQoS",sshd_IPQoS) -}}
|
||||
|
@ -131,15 +158,19 @@ Match {{ match["Condition"] }}
|
|||
{{ body_option("PermitTTY",sshd_PermitTTY) -}}
|
||||
{{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
|
||||
{{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
|
||||
{{ body_option("PermitUserRC",sshd_PermitUserRC) -}}
|
||||
{{ body_option("PidFile",sshd_PidFile) -}}
|
||||
{{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
|
||||
{{ body_option("PrintMotd",sshd_PrintMotd) -}}
|
||||
{{ body_option("PubkeyAcceptedKeyTypes",sshd_PubkeyAcceptedKeyTypes) -}}
|
||||
{{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
|
||||
{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
|
||||
{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
|
||||
{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
|
||||
{{ body_option("RDomain",sshd_RDomain) -}}
|
||||
{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
|
||||
{{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
|
||||
{{ body_option("StreamLocalBindMask",sshd_StreamLocalBindMask) -}}
|
||||
{{ body_option("StreamLocalBindUnlink",sshd_StreamLocalBindUnlink) -}}
|
||||
{{ body_option("StrictModes",sshd_StrictModes) -}}
|
||||
{{ body_option("Subsystem",sshd_Subsystem) -}}
|
||||
|
|
40
vars/Ubuntu_18.yml
Normal file
40
vars/Ubuntu_18.yml
Normal file
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
sshd_service: ssh
|
||||
sshd_packages:
|
||||
- openssh-server
|
||||
- openssh-sftp-server
|
||||
sshd_config_mode: "0644"
|
||||
sshd_defaults:
|
||||
Port: 22
|
||||
Protocol: 2
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation: yes
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 1024
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: prohibit-password
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
UseDNS: no
|
||||
sshd_os_supported: yes
|
Loading…
Reference in a new issue