Commit graph

627 commits

Author SHA1 Message Date
Jakub Jelen
860e533713 Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
9502c325ea tests: Add negative test for FIPS mode
This fixes also a typo that was overlooked previously

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
daa81ee84c Unbreak FIPS detection and hostkey filtering
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
09f2c6a999 Add another virtualization platform exception
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
57357b0be7 tests: Slurp the correct file when writing main config
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
17bc0cbb1b tests: Fix OS detection to match also CentOS 9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
9345faa5a1 Set explicit path to the main configuration file to work well with the drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
295f1930d4 Update templates to apply FIPS hostkeys filter
This fixes up the commit 7f69d1e6

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
4b6332aaae CI: Unbreak the ansible-lint action 2022-04-19 17:20:27 +02:00
Jakub Jelen
afcefb6442 CI: Squash Debian targets into single file and remove the :latest
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
2d7009c59a CI: Squash CentOS actions into signle file
* add CentOS 9
 * use better tasks names

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Matt Willsher
59a3cb190f
Merge pull request #175 from Jakuje/runtime-directory 2022-01-21 09:31:09 +00:00
Jakub Jelen
fc998f21c2 Fix runtime directory check 2021-11-30 16:29:06 +01:00
Jakub Jelen
214df35c0b Do not try to execute requirements as a playbooks in CI 2021-11-16 15:05:22 +01:00
Jakub Jelen
67fee24ecb Address review comments (to be squashed) 2021-11-16 15:05:22 +01:00
Jakub Jelen
ee63bacdcd tests: Verify the default hostkeys can be excluded in FIPS mode
ignore failures to bind fips_enabled into /proc/sys/crypto as it looks
like this does not work in the Github Actions containers.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
Jakub Jelen
7f69d1e69a Filter out Ed25519 keys from default in FIPS mode
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
ColdPain
71eab116bd README: fix meta/make_option_lists link 2021-11-09 14:03:41 +01:00
Matt Willsher
57c54e5268
Merge pull request #171 from spetrosi/fix-ansible-managed 2021-09-23 07:36:07 +01:00
Sergei Petrosian
44a7d8fb20 Use {{ ansible_managed | comment }} to fix multi-line ansible_managed
BZ#2006230, BZ#2006231, BZ#2006233
2021-09-21 12:44:12 +02:00
Matt Willsher
b1fe667432
Merge pull request #164 from spetrosi/drop-ansible-2.8
Drop support for Ansible 2.8 by bumping the Ansible version to 2.9
2021-08-18 04:40:59 +01:00
Matt Willsher
8349916e52
Merge pull request #169 from Jakuje/rip-travis
Remove travis configuration and update readme with new badges
2021-08-18 04:32:53 +01:00
Jakub Jelen
d8b9ae4793 README: Replace travis icons with Github Actions 2021-08-17 15:51:53 +02:00
Jakub Jelen
1be967aac8 Remove unused travis configuration 2021-08-17 15:51:51 +02:00
Dominik Rimpf
961f10b710 FIX: indentation including tests 2021-08-17 15:50:36 +02:00
Dominik Rimpf
c6b89726ea FIX: syntax 2021-08-17 15:26:43 +02:00
L3D
00df9a1855 the bullseye check is using the "main" branch
The https://github.com/marketplace/actions/check-ansible-debian-bullseye is available at the "main" branch.
2021-08-17 15:26:43 +02:00
Dominik Rimpf
6b1b328de3 ADD: doc bullseye support & github workflow on bullseye 2021-08-17 15:26:43 +02:00
Dominik Rimpf
ca83655c2a ADD: bullseye support 2021-08-17 15:26:43 +02:00
Matt Willsher
1c5c48835e
Merge pull request #165 from Jakuje/centos6 2021-08-10 21:39:29 +01:00
Jakub Jelen
d9e1934a83 Add CentOS 6 to CI 2021-08-09 10:09:34 +02:00
Jakub Jelen
2e3b3c0581 tests: Skip the negative test in RHEL6
The ansible_failed_result is not available in old Ansible on RHEL6
2021-08-09 10:08:56 +02:00
Jakub Jelen
9326a46dd8 tests: Skip the OS defaults test on CentOS 6 too
The CentOS6/RHEL6 images have modified sshd_config from what is shipped
in rpm package
2021-08-09 10:08:22 +02:00
Jakub Jelen
f6d26d8781 tests: Skip service status check on RHEL6
the init system there can not just "check" the status
2021-08-09 10:07:52 +02:00
Jakub Jelen
d16170bf31 tests: Skip the negative test in RHEL6 entirely 2021-08-09 10:07:37 +02:00
Jakub Jelen
a2646b7551 tests: Fix condition to match also CentOS 2021-08-09 10:07:28 +02:00
Jakub Jelen
f1ab555084 tests: The AcceptEnv is not accepted in Match block on RHEL6 2021-08-09 10:07:28 +02:00
Jakub Jelen
91784d1874 Workaround namespace feature also for RHEL6
The OpenSSH 5.3 in RHEL6 is so old it does not support "Match all" so we
need some creative workaround for this old stuff.
2021-08-09 10:07:09 +02:00
Sergei Petrosian
5039e29910 Drop support for Ansible 2.8 by bumping the Ansible version to 2.9
Bug 1989197 - drop support for Ansible 2.8

https://bugzilla.redhat.com/show_bug.cgi?id=1989197
2021-08-06 10:01:31 +02:00
Jakub Jelen
ee2096d680 Add support for RHEL 9 and adjust tests for it 2021-08-03 17:35:24 +02:00
Jakub Jelen
c4db22f16d Add configuration options from OpenSSH 8.6 2021-06-12 08:31:10 +02:00
Jakub Jelen
d1446017e9 tests: Create temporary hostkey with proper backup 2021-06-11 21:49:31 +02:00
Jakub Jelen
b97a7b0bde Do not assume the hostkey for the main config exists 2021-06-11 21:49:31 +02:00
Jakub Jelen
8a85e7309b Rename sshd_namespace_append to sshd_config_namespace 2021-06-11 21:49:31 +02:00
Jakub Jelen
00ad695691 Move defaults to vars/main.yml 2021-06-10 19:53:00 +02:00
Jakub Jelen
eaa6f92a29 Move the adjusted configuration options to the public API 2021-06-10 19:53:00 +02:00
Jakub Jelen
2a1426453b Increase test coverage for sshd_config_{owner,group,mode} variables with both invocations 2021-06-10 19:53:00 +02:00
Jakub Jelen
e8b751335e Use proper variable precedence for configuratil file variables 2021-06-10 19:53:00 +02:00
Jakub Jelen
17022bb46d Test role invocation through old 'roles' 2021-06-10 19:53:00 +02:00
Jakub Jelen
345eeed0c0 Fix variable precedence for sshd_hostkey_* variables
This worked fine with the new include_role: invocation, but not with
the old roles: invocation.
2021-06-10 19:53:00 +02:00