Commit graph

97 commits

Author SHA1 Message Date
Rich Megginson
1d689ed992 BSD: define __sshd_packages 2023-04-13 16:32:37 -06:00
Rich Megginson
4ea9b1cc16 fix typo 2023-04-11 08:41:49 -06:00
Rich Megginson
70808e97fc ansible-lint - align with current Ansible recommendations
Use `true/false` instead of `yes/no`
Ensure use of FQCN for builtin modules
Use correct spacing in Jinja expressions
All tasks and plays must have a `name`, and the `name` string must begin with an uppercase letter
Use `ansible.posix.mount` instead of `ansible.builtin.mount`
Use `set -o pipefail` with `shell` module where supported by the platform shell

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-04-10 14:21:30 -06:00
Jakub Jelen
806bab7720 Fedora 38 has no longer non-standard hostkey permissions
The Fedora commit introducing this change (now in Rawhide/Fedora 38
only):

7a21555354

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2023-03-02 09:49:01 +01:00
Jakub Jelen
317700c72e vars: Update defaults based on alpine:latest 2023-01-16 15:10:28 +01:00
Adrian Eib
16b4d4150d Add vars for Alpine OS 2022-12-27 22:17:53 +01:00
Jakub Jelen
c201ba2060 Support __sshd_supports_validate 2022-09-27 22:32:57 +02:00
Jakub Jelen
1cf57fe318 Document internal __sshd_runtime_directory variable and use it in the service files 2022-09-27 22:32:57 +02:00
Steffen Scheib
6819be90d3 - Adding support for OpenWrt 21.03 2022-09-24 21:42:01 +02:00
Nikolaos Kakouros
6bb0d7b456 Makes drop-in functionality configurable by the user 2022-08-26 20:23:51 +00:00
Nikolaos Kakouros
db39a733aa Moves internal non-overridable variables out of defaults 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
4e22a9618d Fixes un-overrideable public api variables 2022-08-23 15:18:41 +02:00
Jakub Jelen
97bd62a387 Remove kvm from skipped environments 2022-05-25 09:02:28 +02:00
Jakub Jelen
74026ba2f8 Add support for Ubuntu 22 with drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
9c202bd60e Verify the Include is in main configuration file
... if drop-in file is modified

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
e24ff31d2a Ensure the ansible facts are available 2022-04-19 17:20:27 +02:00
Jakub Jelen
c515ffdf94 Move the common variables to separate file 2022-04-19 17:20:27 +02:00
Jakub Jelen
860e533713 Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
67fee24ecb Address review comments (to be squashed) 2021-11-16 15:05:22 +01:00
Jakub Jelen
7f69d1e69a Filter out Ed25519 keys from default in FIPS mode
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
Dominik Rimpf
ca83655c2a ADD: bullseye support 2021-08-17 15:26:43 +02:00
Jakub Jelen
91784d1874 Workaround namespace feature also for RHEL6
The OpenSSH 5.3 in RHEL6 is so old it does not support "Match all" so we
need some creative workaround for this old stuff.
2021-08-09 10:07:09 +02:00
Jakub Jelen
ee2096d680 Add support for RHEL 9 and adjust tests for it 2021-08-03 17:35:24 +02:00
Jakub Jelen
00ad695691 Move defaults to vars/main.yml 2021-06-10 19:53:00 +02:00
Jakub Jelen
e8b751335e Use proper variable precedence for configuration file variables 2021-06-10 19:53:00 +02:00
Jakub Jelen
345eeed0c0 Fix variable precedence for sshd_hostkey_* variables
This worked fine with the new include_role: invocation, but not with
the old roles: invocation.
2021-06-10 19:53:00 +02:00
Alexander Christoph Bihlmaier
428d390668 UsePrivilegeSeparation is deprecated since 2017/OpenSSH 7.5 - https://www.openssh.com/txt/release-7.5 2021-02-17 13:58:25 +01:00
Michael Pardatscher
b2a48a4e4a Add Subsystem to _ssd_defaults
The Subsystem entry was missing for FreeBSD OS, noticed this while provisioning a TrueNAS box. After the first provision ansible was unable to upload any files due to that missing setting. Tested this change by adjusting the role locally and rerunning it with a clean sshd_config on the remote side, worked fine.
2021-02-17 13:48:07 +01:00
Jakub Jelen
70a9daf916 Use only RSA hostkeys in RHEL6 2020-12-11 13:25:19 +01:00
Jakub Jelen
4b0935c9a1 RHEL6: Fix defaults 2020-12-11 13:25:19 +01:00
Jakub Jelen
9b234acbd7 Remove non-default values from Debian 9 vars file 2020-12-11 13:25:19 +01:00
Jakub Jelen
ed4e968f66 Debian: Remove default values and drop what does not match system defaults 2020-12-11 13:25:19 +01:00
Jakub Jelen
6b36488299 Check runtime directory for running CI in Debian and Ubuntu 2020-12-11 13:25:19 +01:00
Jakub Jelen
e04dd2a1dc Update RHEL8 defaults to match reality 2020-11-20 23:10:00 +01:00
Jakub Jelen
dd820d1c24 Implement hostkey checks
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.

This is also helpful when running this role in containers, where
there is no service running either.

The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.

This should fix #111
2020-11-16 11:10:16 +01:00
Jakub Jelen
f32003f051 Remove set_facts tasks not to pollute global namespace
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series

https://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00
Jakub Jelen
f1eef49960 gentoo: Remove bogus default values 2020-11-06 10:30:29 +01:00
Jakub Jelen
71b3f87308 Add support for sysconfig on Fedora/RHEL
This is useful for opting out from system-wide crypto policy for SSH
or configuring advanced use case (strong RNG seed).

Fixes: #141
2020-10-06 21:11:39 +02:00
Jakub Jelen
707e2e64a3 Update defaults for Fedora supporting Include keyword 2020-09-23 14:49:42 +02:00
Jakub Jelen
e6798c5d1e Fix default configuration for RHEL7 2020-09-23 14:49:42 +02:00
Jakub Jelen
9e7eae712d Reformat yaml files to avoid wrong indentation, trailing spaces and long lines 2020-09-23 14:49:42 +02:00
Matt Willsher
78c56e2129 Add pre-commit, fix issues 2020-09-18 20:49:22 +01:00
Matt Willsher
ed989f571c Update CI to Ubuntu focal, add Ubuntu focal support to module 2020-09-18 20:48:56 +01:00
oddlama
3792fbbebb Add Gentoo support (with secure defaults) 2020-01-19 17:41:52 +01:00
Matt Willsher
e70dbc3007 Merge pull request #117 from MartinVerges/debian10
add debian 10 (buster) support
2019-11-19 13:54:19 +00:00
Martin Verges
1cbfc4e272 on debian10 securely configure SSH by default
verified configuration with 'ssh-audit'
removed controversial keys
removed insecure macs,keys,ciphers

tested on Debian 10 Buster
2019-10-24 13:44:43 +02:00
Martin Verges
59314077b9 add debian 10 (buster) support 2019-10-23 15:52:21 +02:00
Tiziano Müller
90b19f3b7c vars: add config for RedHat/CentOS 8
besides dropping the deprecated Sandbox option, set
`GSSAPICleanupCredentials no` since that's what I have on a fresh
installation of CentOS 8.
2019-10-14 14:48:06 +02:00
Tiziano Müller
6be10a2d17 vars: add config for openSUSE Leap 15 2019-10-14 14:45:08 +02:00
David Little
b5585b81f3 Newline at EOF 2019-07-10 13:05:19 -05:00