Commit graph

80 commits

Author SHA1 Message Date
Jakub Jelen
860e533713 Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
67fee24ecb Address review comments (to be squashed) 2021-11-16 15:05:22 +01:00
Jakub Jelen
7f69d1e69a Filter out Ed25519 keys from default in FIPS mode
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
Dominik Rimpf
ca83655c2a ADD: bullseye support 2021-08-17 15:26:43 +02:00
Jakub Jelen
91784d1874 Workaround namespace feature also for RHEL6
The OpenSSH 5.3 in RHEL6 is so old it does not support "Match all" so we
need some creative workaround for this old stuff.
2021-08-09 10:07:09 +02:00
Jakub Jelen
ee2096d680 Add support for RHEL 9 and adjust tests for it 2021-08-03 17:35:24 +02:00
Jakub Jelen
00ad695691 Move defaults to vars/main.yml 2021-06-10 19:53:00 +02:00
Jakub Jelen
e8b751335e Use proper variable precedence for configuration file variables 2021-06-10 19:53:00 +02:00
Jakub Jelen
345eeed0c0 Fix variable precedence for sshd_hostkey_* variables
This worked fine with the new include_role: invocation, but not with
the old roles: invocation.
2021-06-10 19:53:00 +02:00
Alexander Christoph Bihlmaier
428d390668 UsePrivilegeSeparation is deprecated since 2017/OpenSSH 7.5 - https://www.openssh.com/txt/release-7.5 2021-02-17 13:58:25 +01:00
Michael Pardatscher
b2a48a4e4a Add Subsystem to _ssd_defaults
The Subsystem entry was missing for FreeBSD OS, noticed this while provisioning a TrueNAS box. After the first provision ansible was unable to upload any files due to that missing setting. Tested this change by adjusting the role locally and rerunning it with a clean sshd_config on the remote side, worked fine.
2021-02-17 13:48:07 +01:00
Jakub Jelen
70a9daf916 Use only RSA hostkeys in RHEL6 2020-12-11 13:25:19 +01:00
Jakub Jelen
4b0935c9a1 RHEL6: Fix defaults 2020-12-11 13:25:19 +01:00
Jakub Jelen
9b234acbd7 Remove non-default values from Debian 9 vars file 2020-12-11 13:25:19 +01:00
Jakub Jelen
ed4e968f66 Debian: Remove default values and drop what does not match system defaults 2020-12-11 13:25:19 +01:00
Jakub Jelen
6b36488299 Check runtime directory for running CI in Debian and Ubuntu 2020-12-11 13:25:19 +01:00
Jakub Jelen
e04dd2a1dc Update RHEL8 defaults to match reality 2020-11-20 23:10:00 +01:00
Jakub Jelen
dd820d1c24 Implement hostkey checks
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.

This is also helpful when running this role in containers, where
there is no service running either.

The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.

This should fix #111
2020-11-16 11:10:16 +01:00
Jakub Jelen
f32003f051 Remove set_facts tasks not to pollute global namespace
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series.

https://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00
Jakub Jelen
f1eef49960 gentoo: Remove bogus default values 2020-11-06 10:30:29 +01:00
Jakub Jelen
71b3f87308 Add support for sysconfig on Fedora/RHEL
This is useful for opting out from system-wide crypto policy for SSH
or configuring advanced use cases (strong RNG seed).

Fixes: #141
2020-10-06 21:11:39 +02:00
Jakub Jelen
707e2e64a3 Update defaults for Fedora supporting Include keyword 2020-09-23 14:49:42 +02:00
Jakub Jelen
e6798c5d1e Fix default configuration for RHEL7 2020-09-23 14:49:42 +02:00
Jakub Jelen
9e7eae712d Reformat yaml files to avoid wrong indentation, trailing spaces and long lines 2020-09-23 14:49:42 +02:00
Matt Willsher
78c56e2129 Add pre-commit, fix issues 2020-09-18 20:49:22 +01:00
Matt Willsher
ed989f571c Update CI to Ubuntu focal, add Ubuntu focal support to module 2020-09-18 20:48:56 +01:00
oddlama
3792fbbebb Add Gentoo support (with secure defaults) 2020-01-19 17:41:52 +01:00
Matt Willsher
e70dbc3007 Merge pull request #117 from MartinVerges/debian10
add debian 10 (buster) support
2019-11-19 13:54:19 +00:00
Martin Verges
1cbfc4e272 on debian10 securely configure SSH by default
verified configuration with 'ssh-audit'
removed controversial keys
removed insecure macs,keys,ciphers

tested on Debian 10 Buster
2019-10-24 13:44:43 +02:00
Martin Verges
59314077b9 add debian 10 (buster) support 2019-10-23 15:52:21 +02:00
Tiziano Müller
90b19f3b7c vars: add config for RedHat/CentOS 8
Besides dropping the deprecated Sandbox option, set
`GSSAPICleanupCredentials no` since that's what I have on a fresh
installation of CentOS 8.
2019-10-14 14:48:06 +02:00
Tiziano Müller
6be10a2d17 vars: add config for openSUSE Leap 15 2019-10-14 14:45:08 +02:00
David Little
b5585b81f3 Newline at EOF 2019-07-10 13:05:19 -05:00
David Little
53a89b677e AIX support for role (including new AIX handler) 2019-07-10 12:07:07 -05:00
Kevin P. Fleming
e000716443 Remove 'UsePrivilegeSeparation' from Fedora defaults
This option has been deprecated in OpenSSH for nearly two years, was the default for five years before that, and is not part of the current Fedora default configuration. It should not be included in sshd_config on Fedora systems.
2019-04-28 21:12:06 -04:00
mfredholm
a3ca915dbd Update Ubuntu_18.yml
Minimal vars using defaults.
2019-01-31 10:33:01 +01:00
mfredholm
03172b3c07 Remove deprecated options 2019-01-28 13:30:19 +01:00
Nikolaos Kakouros
133543cc1f Renames variables for all supported platforms 2018-09-03 00:23:58 +02:00
Nikolaos Kakouros
54715f9456 Fixes Ubuntu vars 2018-08-26 00:06:42 +02:00
Nikolaos Kakouros
f5c13ee90f Merge branch 'master' into systemd 2018-08-25 23:48:09 +02:00
Nikolaos Kakouros
5774f7f44f Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00
Daniel Duong
20488a5edc Add Ubuntu_18.yml
I copied it from Ubuntu_16.yml
2018-08-15 12:24:41 +07:00
Bo Huang
80fdedca43 Add CoreOS support 2018-06-15 16:29:07 -07:00
Bo Huang
f7f1e466e9 Amazon Linux default sshd var name should be sshd_defaults 2018-05-21 23:41:09 -07:00
Tim Fletcher
7afdd97726 Remove Deprecated options in default SSH config 2018-04-16 21:45:16 +02:00
Pieter Lexis
b559e19143 Fix Arch Linux var file 2017-10-26 16:21:29 +02:00
Ian Hattendorf
e14fbcfb99 Add Debian 9 (stretch) vars
Debian stretch has been released, copy Debian_8.yml into Debian_9.yml.
2017-06-23 11:26:16 -07:00
Matt Willsher
fffdf9df08 Add note about UsePAM 2017-05-04 15:03:19 +01:00
Harald Koch
f36d32e833 cleanup Archlinux support to match defaults in current package (openssh-7.4p1-2) 2017-02-11 11:11:18 -05:00
Markos Chandras
97e7660ac5 vars: SUSE: Add default variables for SUSE based distributions 2017-01-12 16:42:45 +00:00