diff --git a/README.md b/README.md index 3035369..37440c8 100644 --- a/README.md +++ b/README.md @@ -136,7 +136,8 @@ ListenAddress :: A list of dicts or just a dict for a Match section. Note, that these variables do not override match blocks as defined in the `sshd` dict. All of the sources -will be reflected in the resulting configuration file. +will be reflected in the resulting configuration file. The use of +`sshd_match_*` variant is deprecated and no longer recommended. * `sshd_backup` @@ -196,11 +197,12 @@ file that this role produces. * `sshd_verify_hostkeys` By default (*auto*), this list contains all the host keys that are present in -the produced configuration file. The paths are checked for presence and -generated if missing. Additionally, permissions and file owners are set to sane -defaults. This is useful if the role is used in deployment stage to make sure -the service is able to start on the first attempt. To disable this check, set -this to empty list. +the produced configuration file. If there are none, the OpenSSH default list +will be used after excluding non-FIPS approved keys in FIPS mode. The paths +are checked for presence and generated if missing. Additionally, permissions +and file owners are set to sane defaults. This is useful if the role is used +in deployment stage to make sure the service is able to start on the first +attempt. To disable this check, set this to empty list. * `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_mode` @@ -242,6 +244,9 @@ Dependencies None +For tests the `ansible.posix` collection is required for the `mount` role to +emulate FIPS mode. + Example Playbook ---------------- 
@@ -348,7 +353,7 @@ The [`sshd_config.j2`](templates/sshd_config.j2) template is programatically generated by the scripts in meta. New options should be added to the `options_body` or `options_match`. -To regenerate the template, from within the meta/ directory run: +To regenerate the template, from within the `meta/` directory run: `./make_option_lists` License @@ -357,9 +362,13 @@ License LGPLv3 -Author ------- +Authors +------- Matt Willsher © 2014,2015 Willsher Systems Ltd. + +Jakub Jelen + +© 2020 - 2022 Red Hat, Inc. diff --git a/defaults/main.yml b/defaults/main.yml index 7e40e51..aedbd2c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -61,6 +61,9 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server # configuration or restarting), we make sure the keys exist and have correct # permissions. To disable this check, set sshd_verify_hostkeys to false sshd_verify_hostkeys: "auto" +# The list of hostkeys to check when there are none listed in configuration file. +# This is usually the case when the selection is up to the OpenSSH defaults or +# drop-in directory is used. __sshd_verify_hostkeys_default: [] sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}" sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
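Review bot: The deprecation sentence added in the README hunk at `@@ -136,7 +136,8 @@` names what is deprecated but not what replaces it, so a reader who currently uses `sshd_match_*` is left without a migration path; since the preceding context line already mentions "match blocks as defined in the `sshd` dict", state that directly, e.g. "The `sshd_match_*` variables are deprecated; define Match blocks in the `sshd` dict instead." Grammar: "The use of `sshd_match_*` variant is deprecated" should read "the `sshd_match_*` variants are deprecated" (plural, with article), and "no longer recommended" is redundant once "deprecated" is said.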
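Review bot: The README hunk at `@@ -196,11 +197,12 @@` promises that "the OpenSSH default list will be used" when the configuration names no host keys, but the only place this patch defines that list is `defaults/main.yml`, where `__sshd_verify_hostkeys_default: []` is empty; either the list is populated by per-platform vars not shown in this diff, in which case the README should say so, or the fallback silently verifies nothing. Please confirm which and document it, and also say which key types count as "non-FIPS approved" so the behaviour in FIPS mode is predictable. Minor wording: "in deployment stage" reads better as "in the deployment stage", and "set this to empty list" as "set this to an empty list".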
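Review bot: In the README hunk at `@@ -242,6 +244,9 @@`, `mount` is a module shipped by the `ansible.posix` collection, not a role, so "required for the `mount` role" should read "required for the `ansible.posix.mount` module". The note also sits under the "Dependencies" heading, which otherwise says "None" and describes what the role itself needs at run time; a test-only requirement belongs in a testing or development section, and recording the collection in a requirements file alongside the tests would let it be installed automatically rather than relying on readers noticing this sentence.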
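Review bot: While the README hunk at `@@ -348,7 +353,7 @@` is touching this paragraph to put backticks around `meta/`, the context line "is programatically generated by the scripts in meta" misspells "programmatically"; fix it in the same change rather than leaving a one-character cosmetic edit next to a visible typo.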
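Review bot: The `defaults/main.yml` hunk at `@@ -61,6 +61,9 @@` adds a user-facing comment to `__sshd_verify_hostkeys_default`, but the double-underscore prefix marks it as an internal variable, so the comment should say it is internal and not meant to be set by users (or the variable should move out of the public defaults); as written it reads as an invitation to override it. The unchanged context line just above, "To disable this check, set sshd_verify_hostkeys to false", also disagrees with the README rewritten in this same patch, which says to set it to an empty list; pick one disabling value and make both files state it. Grammar in the new comment: "listed in configuration file" should be "listed in the configuration file" and "or drop-in directory is used" should be "or a drop-in directory is used".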