Commit graph

10 commits

Author SHA1 Message Date
Jakub Jelen
860e533713 Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
e8b751335e Use proper variable precedence for configuration file variables
2021-06-10 19:53:00 +02:00
Jakub Jelen
345eeed0c0 Fix variable precedence for sshd_hostkey_* variables
This worked fine with the new include_role: invocation, but not with
the old roles: invocation.
2021-06-10 19:53:00 +02:00
Jakub Jelen
dd820d1c24 Implement hostkey checks
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.

This is also helpful when running this role in containers, where there
is no service running either.

The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.

This should fix #111
2020-11-16 11:10:16 +01:00
Jakub Jelen
f32003f051 Remove set_facts tasks not to pollute global namespace
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series.

https://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00
Jakub Jelen
707e2e64a3 Update defaults for Fedora supporting Include keyword
2020-09-23 14:49:42 +02:00
Kevin P. Fleming
e000716443 Remove 'UsePrivilegeSeparation' from Fedora defaults
This option has been deprecated in OpenSSH for nearly two years, was the default for five years before that, and is not part of the current Fedora default configuration. It should not be included in sshd_config on Fedora systems.
2019-04-28 21:12:06 -04:00
Nikolaos Kakouros
133543cc1f Renames variables for all supported platforms
2018-09-03 00:23:58 +02:00
Martin Stefany
32de8c803a Add ed25519 key to default Fedora.yml
Currently the only supported Fedora distributions are 22 and 23, and they both ship openssh 7.1p1, which supports all of the 'rsa', 'ecdsa' and 'ed25519' keys; turn them on by default.
2016-01-09 16:27:35 +01:00
jitakirin
e6d8ba264c Add Fedora support
Based on RedHat 7 with few modifications (ed25519 hostkey for F22,
GSSAPICleanupCredentials defaults to no, s/LC_TYPE/LC_CTYPE/ in
AcceptEnv).

Tested on Fedora 20 & 22.
2015-06-26 10:23:42 +01:00