Update service/socket files to match main OS's defaults

Specifics:
 * Debian 12 has no longer the instantiated service using inet, see the
   following commit:

0dc73888bb

 * I am not matching the Description tag verbosely as I do not find it
   crucial for functionality.
 * We generate additional -f switch to the sshd CLI pointing go the main
   sshd config we manage
 * The Before=sshd.service in the socket is not generated as I find it
   unnecessary when we conflict the service.
 * Recent Ubuntu versions have RuntimeDirectoryPreserve option, which I
   set for all Ubuntu/Debian as it should not hurt.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
Jakub Jelen 2023-10-30 17:51:44 +01:00
parent 84e6a71509
commit f6ae2094fe
16 changed files with 153 additions and 4 deletions

View file

@ -10,6 +10,7 @@
group: root group: root
mode: "0644" mode: "0644"
notify: reload_sshd notify: reload_sshd
- name: Install instanced service unit file - name: Install instanced service unit file
ansible.builtin.template: ansible.builtin.template:
src: "{{ sshd_service_template_at_service }}" src: "{{ sshd_service_template_at_service }}"
@ -18,6 +19,9 @@
group: root group: root
mode: "0644" mode: "0644"
notify: reload_sshd notify: reload_sshd
when:
- __sshd_socket_accept | bool
- name: Install socket unit file - name: Install socket unit file
ansible.builtin.template: ansible.builtin.template:
src: "{{ sshd_service_template_socket }}" src: "{{ sshd_service_template_socket }}"

View file

@ -1,15 +1,37 @@
[Unit] [Unit]
Description=OpenBSD Secure Shell server Description=OpenBSD Secure Shell server
After=network.target{{ (__sshd_service_after is none) | ternary('', ' ' ~ __sshd_service_after) }}
{% if __sshd_service_wants is string %}
Wants={{ __sshd_service_wants }}
{% elif __sshd_service_wants is iterable %}
{% for file in __sshd_service_wants %}
Wants={{ file }}
{% endfor %}
{% endif %}
Documentation=man:sshd(8) man:sshd_config(5) Documentation=man:sshd(8) man:sshd_config(5)
[Service] [Service]
Type=notify Type=notify
{% if __sshd_environment_file is string %}
EnvironmentFile=-{{ __sshd_environment_file }}
{% elif __sshd_environment_file is iterable %}
{% for file in __sshd_environment_file %}
EnvironmentFile=-{{ file }}
{% endfor %}
{% endif %}
ExecStartPre={{ sshd_binary }} -t ExecStartPre={{ sshd_binary }} -t
ExecStart={{ sshd_binary }} -D -f {{ sshd_config_file }} ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
{{- sshd_main_config_file }}
{% else %}
{{- sshd_config_file }}
{% endif %}
ExecReload={{ sshd_binary }} -t ExecReload={{ sshd_binary }} -t
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure
{% if __sshd_service_restart_timeout is not none %}
RestartSec={{ __sshd_service_restart_timeout }}
{% endif %}
RestartPreventExitStatus=255 RestartPreventExitStatus=255
{% if __sshd_runtime_directory is not none %} {% if __sshd_runtime_directory is not none %}
RuntimeDirectory={{ __sshd_runtime_directory }} RuntimeDirectory={{ __sshd_runtime_directory }}
@ -18,3 +40,6 @@ RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
{% if __sshd_service_alias is not none %}
Alias={{ __sshd_service_alias }}.service
{% endif %}

View file

@ -1,12 +1,19 @@
[Unit] [Unit]
Description=OpenBSD Secure Shell server socket Description=OpenBSD Secure Shell server socket
Documentation=man:sshd(8) man:sshd_config(5) Documentation=man:sshd(8) man:sshd_config(5)
Before={{ sshd_service }}.service {% if __sshd_socket_accept %}
Conflicts={{ sshd_service }}.service Conflicts={{ sshd_service }}.service
{% else %}
Before=sockets.target
{% endif %}
[Socket] [Socket]
ListenStream=22 ListenStream=22
{% if __sshd_socket_accept %}
Accept=yes Accept=yes
{% else %}
Accept=no
{% endif %}
[Install] [Install]
WantedBy=sockets.target WantedBy=sockets.target

View file

@ -1,12 +1,33 @@
[Unit] [Unit]
Description=OpenBSD Secure Shell server per-connection daemon Description=OpenBSD Secure Shell server per-connection daemon
Documentation=man:sshd(8) man:sshd_config(5) Documentation=man:sshd(8) man:sshd_config(5)
After=auditd.service {% if __sshd_service_after is not none %}
After={{ __sshd_service_after }}
{% endif %}
{% if __sshd_service_wants is string %}
Wants={{ __sshd_service_wants }}
{% elif __sshd_service_wants is iterable %}
{% for file in __sshd_service_wants %}
Wants={{ file }}
{% endfor %}
{% endif %}
[Service] [Service]
ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }} {% if __sshd_environment_file is string %}
EnvironmentFile=-{{ __sshd_environment_file }}
{% elif __sshd_environment_file is iterable %}
{% for file in __sshd_environment_file %}
EnvironmentFile=-{{ file }}
{% endfor %}
{% endif %}
ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
{{- sshd_main_config_file }}
{% else %}
{{- sshd_config_file }}
{% endif %}
StandardInput=socket StandardInput=socket
{% if __sshd_runtime_directory is not none %} {% if __sshd_runtime_directory is not none %}
RuntimeDirectory={{ __sshd_runtime_directory }} RuntimeDirectory={{ __sshd_runtime_directory }}
RuntimeDirectoryPreserve=yes
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }} RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
{% endif %} {% endif %}

View file

@ -45,6 +45,8 @@
- name: Read the instantiated service file - name: Read the instantiated service file
ansible.builtin.slurp: ansible.builtin.slurp:
src: /etc/systemd/system/ssh@.service src: /etc/systemd/system/ssh@.service
when:
- ansible_facts['distribution_major_version'] | int < 12
register: service_inst register: service_inst
- name: Read the main socket file - name: Read the main socket file
@ -57,6 +59,12 @@
that: that:
- '"RuntimeDirectory=sshd" in service.content | b64decode' - '"RuntimeDirectory=sshd" in service.content | b64decode'
- '"RuntimeDirectoryMode=0755" in service.content | b64decode' - '"RuntimeDirectoryMode=0755" in service.content | b64decode'
- name: Check the runtime directory is in instantiated service files
when:
- ansible_facts['distribution_major_version'] | int < 12
ansible.builtin.assert:
that:
- '"RuntimeDirectory=sshd" in service_inst.content | b64decode' - '"RuntimeDirectory=sshd" in service_inst.content | b64decode'
- '"RuntimeDirectoryMode=0755" in service_inst.content | b64decode' - '"RuntimeDirectoryMode=0755" in service_inst.content | b64decode'

View file

@ -13,3 +13,8 @@ __sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}" Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: true __sshd_os_supported: true
__sshd_runtime_directory: sshd __sshd_runtime_directory: sshd
__sshd_environment_file: /etc/default/ssh
__sshd_environment_variable: $SSHD_OPTS
__sshd_service_after: auditd.service
__sshd_service_alias: sshd

View file

@ -14,3 +14,8 @@ __sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}" Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: true __sshd_os_supported: true
__sshd_runtime_directory: sshd __sshd_runtime_directory: sshd
__sshd_environment_file: /etc/default/ssh
__sshd_environment_variable: $SSHD_OPTS
__sshd_service_after: auditd.service
__sshd_service_alias: sshd

View file

@ -14,3 +14,9 @@ __sshd_defaults:
Subsystem: "sftp {{ __sshd_sftp_server }}" Subsystem: "sftp {{ __sshd_sftp_server }}"
__sshd_os_supported: true __sshd_os_supported: true
__sshd_runtime_directory: sshd __sshd_runtime_directory: sshd
__sshd_environment_file: /etc/default/ssh
__sshd_environment_variable: $SSHD_OPTS
__sshd_service_after: auditd.service
__sshd_service_alias: sshd
__sshd_socket_accept: false

View file

@ -23,3 +23,11 @@ __sshd_hostkeys_nofips:
__sshd_drop_in_dir_mode: '0700' __sshd_drop_in_dir_mode: '0700'
__sshd_main_config_file: /etc/ssh/sshd_config __sshd_main_config_file: /etc/ssh/sshd_config
__sshd_environment_file: /etc/sysconfig/sshd
__sshd_environment_variable: $OPTIONS
__sshd_service_after: sshd-keygen.target
__sshd_service_wants:
- sshd-keygen.target
- ssh-host-keys-migration.service
__sshd_service_restart_timeout: 42s

View file

@ -20,8 +20,15 @@ __sshd_verify_hostkeys_default:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkeys_nofips: __sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys __sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640" __sshd_hostkey_mode: "0640"
__sshd_drop_in_dir_mode: '0700' __sshd_drop_in_dir_mode: '0700'
__sshd_main_config_file: /etc/ssh/sshd_config __sshd_main_config_file: /etc/ssh/sshd_config
__sshd_environment_file: /etc/sysconfig/sshd
__sshd_environment_variable: $OPTIONS
__sshd_service_after: sshd-keygen.target
__sshd_service_wants: sshd-keygen.target
__sshd_service_restart_timeout: 42s

View file

@ -31,3 +31,9 @@ __sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640" __sshd_hostkey_mode: "0640"
__sshd_hostkeys_nofips: __sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
__sshd_environment_file: /etc/sysconfig/sshd
__sshd_environment_variable: $OPTIONS
__sshd_service_after: sshd-keygen.service
__sshd_service_wants: sshd-keygen.service
__sshd_service_restart_timeout: 42s

View file

@ -33,3 +33,11 @@ __sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640" __sshd_hostkey_mode: "0640"
__sshd_hostkeys_nofips: __sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
__sshd_environment_file:
- /etc/crypto-policies/back-ends/opensshserver.config
- /etc/sysconfig/sshd
__sshd_environment_variable: $OPTIONS $CRYPTO_POLICY
__sshd_service_after: sshd-keygen.target
__sshd_service_wants: sshd-keygen.target ssh-host-keys-migration.service
__sshd_service_restart_timeout: 42s

View file

@ -25,3 +25,9 @@ __sshd_hostkey_mode: "0640"
__sshd_drop_in_dir_mode: '0700' __sshd_drop_in_dir_mode: '0700'
__sshd_main_config_file: /etc/ssh/sshd_config __sshd_main_config_file: /etc/ssh/sshd_config
__sshd_environment_file: /etc/sysconfig/sshd
__sshd_environment_variable: $OPTIONS
__sshd_service_after: sshd-keygen.target
__sshd_service_wants: sshd-keygen.target
__sshd_service_restart_timeout: 42s

View file

@ -23,3 +23,9 @@ __sshd_runtime_directory: sshd
__sshd_drop_in_dir_mode: '0755' __sshd_drop_in_dir_mode: '0755'
__sshd_main_config_file: /etc/ssh/sshd_config __sshd_main_config_file: /etc/ssh/sshd_config
__sshd_environment_file: /etc/default/ssh
__sshd_environment_variable: $SSHD_OPTS
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_service_after: auditd.service
__sshd_service_alias: sshd

View file

@ -21,3 +21,8 @@ __sshd_runtime_directory: sshd
__sshd_drop_in_dir_mode: '0755' __sshd_drop_in_dir_mode: '0755'
__sshd_main_config_file: /etc/ssh/sshd_config __sshd_main_config_file: /etc/ssh/sshd_config
__sshd_environment_file: /etc/default/ssh
__sshd_environment_variable: $SSHD_OPTS
__sshd_service_after: auditd.service
__sshd_service_alias: sshd

View file

@ -64,3 +64,25 @@ __sshd_verify_hostkeys_default: []
# This switch can control if the validate step is supported by the target OS. # This switch can control if the validate step is supported by the target OS.
# This is useful for very old OpenSSH or for tests that generate invalid configurations # This is useful for very old OpenSSH or for tests that generate invalid configurations
__sshd_supports_validate: true __sshd_supports_validate: true
# The path to an environment file for the SSHD service
__sshd_environment_file: ~
# The variable name we are passing from the environment file as an argument to the sshd
__sshd_environment_variable: $OPTIONS
# The systemd targets that need to be up before starting the service.
# The `network.target` is included by default in the main sshd.service (not the instantiated one)
__sshd_service_after: ~
# The systemd service name alias
__sshd_service_alias: ~
# The systemd service wants directive
__sshd_service_wants: ~
# The systemd service RestartSec directive
__sshd_service_restart_timeout: ~
# The systemd socket file does not accept the connection
__sshd_socket_accept: true