Jakub Jelen
c201ba2060
Support __sshd_supports_validate
2022-09-27 22:32:57 +02:00
Jakub Jelen
1cf57fe318
Document internal __sshd_runtime_directory variable and use it in the service files
2022-09-27 22:32:57 +02:00
Steffen Scheib
6819be90d3
- Adding support for OpenWrt 21.03
2022-09-24 21:42:01 +02:00
Nikolaos Kakouros
6bb0d7b456
tMakes drop-in functionality configurable by the user
2022-08-26 20:23:51 +00:00
Nikolaos Kakouros
db39a733aa
Moves internal non-overridable variables out of defaults
2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
4e22a9618d
Fixes un-overrideable public api variables
2022-08-23 15:18:41 +02:00
Jakub Jelen
97bd62a387
Remove kvm from skipped environments
2022-05-25 09:02:28 +02:00
Jakub Jelen
74026ba2f8
Add support for Ubuntu 22 with drop-in directory
...
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
9c202bd60e
Verify the Include is in main configuration file
...
... if drop-in file is modified
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
e24ff31d2a
Ensure the ansible facts are available
2022-04-19 17:20:27 +02:00
Jakub Jelen
c515ffdf94
Move the common variables to separate file
2022-04-19 17:20:27 +02:00
Jakub Jelen
860e533713
Introduce default hostkeys to check when using drop-in directory
...
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.
This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
67fee24ecb
Address review comments (to be squashed)
2021-11-16 15:05:22 +01:00
Jakub Jelen
7f69d1e69a
Filter out Ed25519 keys from default in FIPS mode
...
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
Dominik Rimpf
ca83655c2a
ADD: bullseye support
2021-08-17 15:26:43 +02:00
Jakub Jelen
91784d1874
Workaround namespace feature also for RHEL6
...
The OpenSSH 5.3 in RHEL6 is so old it does not support "Match all" so we
need some creative workaround for this old stuff.
2021-08-09 10:07:09 +02:00
Jakub Jelen
ee2096d680
Add support for RHEL 9 and adjust tests for it
2021-08-03 17:35:24 +02:00
Jakub Jelen
00ad695691
Move defaults to vars/main.yml
2021-06-10 19:53:00 +02:00
Jakub Jelen
e8b751335e
Use proper variable precedence for configuratil file variables
2021-06-10 19:53:00 +02:00
Jakub Jelen
345eeed0c0
Fix variable precedence for sshd_hostkey_* variables
...
This worked fine with the new include_role: invocation, but not with
the old roles: invocation.
2021-06-10 19:53:00 +02:00
Alexander Christoph Bihlmaier
428d390668
UsePrivilegeSeparation is deprecated since 2017/OpenSSH 7.5 - https://www.openssh.com/txt/release-7.5
2021-02-17 13:58:25 +01:00
Michael Pardatscher
b2a48a4e4a
Add Subsystem to _ssd_defaults
...
The Subsystem entry was missing for FreeBSD OS, noticed this while provisioning a TrueNAS box. After the first provision ansible was unable to upload any files due to that missing setting. Tested this change by adjusting the role locally and rerunning it with a clean sshd_config on the remote side, worked fine.
2021-02-17 13:48:07 +01:00
Jakub Jelen
70a9daf916
Use only RSA hostkeys in RHEL6
2020-12-11 13:25:19 +01:00
Jakub Jelen
4b0935c9a1
RHEL6: Fix defaults
2020-12-11 13:25:19 +01:00
Jakub Jelen
9b234acbd7
Remove non-default values from Debian 9 vars file
2020-12-11 13:25:19 +01:00
Jakub Jelen
ed4e968f66
Debian: Remove default values and drop what does not match system defaults
2020-12-11 13:25:19 +01:00
Jakub Jelen
6b36488299
Check runtime directory for running CI in Debian and Ubuntu
2020-12-11 13:25:19 +01:00
Jakub Jelen
e04dd2a1dc
Update RHEL8 defaults to match reality
2020-11-20 23:10:00 +01:00
Jakub Jelen
dd820d1c24
Implement hostkey checks
...
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.
This is also helpful when running this role in containers, where
is no service running either.
The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.
This should fix #111
2020-11-16 11:10:16 +01:00
Jakub Jelen
f32003f051
Remove set_facts tasks not to polute global namespace
...
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series
ttps://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00
Jakub Jelen
f1eef49960
gentoo: Remove bogus default values
2020-11-06 10:30:29 +01:00
Jakub Jelen
71b3f87308
Add support for sysconfig on Fedora/RHEL
...
This is useful for opting out from system-wide cryto policy for SSH
or configuring advanced use case (strong RNG seed).
Fixes : #141
2020-10-06 21:11:39 +02:00
Jakub Jelen
707e2e64a3
Update defaults for Fedora supporting Include keyword
2020-09-23 14:49:42 +02:00
Jakub Jelen
e6798c5d1e
Fix default configuration for RHEL7
2020-09-23 14:49:42 +02:00
Jakub Jelen
9e7eae712d
Reformat yaml files to avoid wrong indentation, trailing spaces and long lines
2020-09-23 14:49:42 +02:00
Matt Willsher
78c56e2129
Add pre-commit, fix issues
2020-09-18 20:49:22 +01:00
Matt Willsher
ed989f571c
Update CI to Ubuntu focal, add Ubuntu focal support to module
2020-09-18 20:48:56 +01:00
oddlama
3792fbbebb
Add Gentoo support (with secure defaults)
2020-01-19 17:41:52 +01:00
Matt Willsher
e70dbc3007
Merge pull request #117 from MartinVerges/debian10
...
add debian 10 (buster) support
2019-11-19 13:54:19 +00:00
Martin Verges
1cbfc4e272
on debian10 securely configure SSH by default
...
verified configuration with 'ssh-audit'
removed controversial keys
removed insecure macs,keys,ciphers
tested on Debian 10 Buster
2019-10-24 13:44:43 +02:00
Martin Verges
59314077b9
add debian 10 (buster) support
2019-10-23 15:52:21 +02:00
Tiziano Müller
90b19f3b7c
vars: add config for RedHat/CentOS 8
...
besides dropping the deprecated Sandbox option, set
`GSSAPICleanupCredentials no` since that's what I have on a fresh
installation of CentOS 8.
2019-10-14 14:48:06 +02:00
Tiziano Müller
6be10a2d17
vars: add config for openSUSE Leap 15
2019-10-14 14:45:08 +02:00
David Little
b5585b81f3
Newline at EOF
2019-07-10 13:05:19 -05:00
David Little
53a89b677e
AIX support for role (including new AIX handler)
2019-07-10 12:07:07 -05:00
Kevin P. Fleming
e000716443
Remove 'UsePrivilegeSeparation' from Fedora defaults
...
This option has been deprecated in OpenSSH for nearly two years, was the default for five years before that, and is not part of the current Fedora default configuration. It should not be included in sshd_config on Fedora systems.
2019-04-28 21:12:06 -04:00
mfredholm
a3ca915dbd
Update Ubuntu_18.yml
...
Minimal vars using defaults.
2019-01-31 10:33:01 +01:00
mfredholm
03172b3c07
Remove deprecated options
2019-01-28 13:30:19 +01:00
Nikolaos Kakouros
133543cc1f
Renames variables for all supported platforms
2018-09-03 00:23:58 +02:00
Nikolaos Kakouros
54715f9456
Fixes Ubuntu vars
2018-08-26 00:06:42 +02:00