Commit graph

34 commits

Author SHA1 Message Date
Jakub Jelen
ff56d75a6e Update documentation with recent changes
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
860e533713 Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
67fee24ecb Address review comments (to be squashed) 2021-11-16 15:05:22 +01:00
Jakub Jelen
7f69d1e69a Filter out Ed25519 keys from default in FIPS mode
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
Jakub Jelen
8a85e7309b Rename sshd_namespace_append to sshd_config_namespace 2021-06-11 21:49:31 +02:00
Jakub Jelen
00ad695691 Move defaults to vars/main.yml 2021-06-10 19:53:00 +02:00
Jakub Jelen
e8b751335e Use proper variable precedence for configuratil file variables 2021-06-10 19:53:00 +02:00
Jakub Jelen
345eeed0c0 Fix variable precedence for sshd_hostkey_* variables
This worked fine with the new include_role: invocation, but not with
the old roles: invocation.
2021-06-10 19:53:00 +02:00
Jakub Jelen
380ebd21d9 Support for appending a snippet to configuration file 2021-06-01 16:09:23 +02:00
Jakub Jelen
6b36488299 Check runtime directory for running CI in Debian and Ubuntu 2020-12-11 13:25:19 +01:00
Jakub Jelen
823cd2d055 Fix typos 2020-11-16 11:20:56 +01:00
Jakub Jelen
dd820d1c24 Implement hostkey checks
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.

This is also helpful when running this role in containers, where
is no service running either.

The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.

This should fix #111
2020-11-16 11:10:16 +01:00
Jakub Jelen
7741a06714 Document missing configuraiton variables & sort
as recommended by best practices:

> Every argument accepted from outside of the role should be given
> a default value in defaults/main.yml.

https://github.com/oasis-roles/meta_standards#vars-vs-defaults
2020-11-16 11:10:16 +01:00
Jakub Jelen
f32003f051 Remove set_facts tasks not to polute global namespace
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series

ttps://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00
Jakub Jelen
71b3f87308 Add support for sysconfig on Fedora/RHEL
This is useful for opting out from system-wide cryto policy for SSH
or configuring advanced use case (strong RNG seed).

Fixes: #141
2020-10-06 21:11:39 +02:00
Jakub Jelen
f0de8fb16e Backup old configuration by default as recommended by OASIS
https://github.com/oasis-roles/meta_standards#generating-files-from-templates
2020-09-23 14:49:42 +02:00
Jakub Jelen
2c574fdcba avoid the use of True and False for boolean values
These are not in yml specification and come from python. Behavior
can differ in particular YAML implementation.
2020-09-23 14:43:40 +02:00
Nikolaos Kakouros
a6a21a9565 Adds on/off toggle 2018-09-08 09:14:39 +02:00
Nikolaos Kakouros
1c511219bf Updates README 2018-09-07 01:36:35 +02:00
Nikolaos Kakouros
f5c13ee90f Merge branch 'master' into systemd 2018-08-25 23:48:09 +02:00
Nikolaos Kakouros
5774f7f44f Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00
Andrew Eason
814fa367d4 expose sshd_config template backup option with sshd_backup 2018-07-27 10:08:17 -04:00
jamatute
f858380070
* defaults typo 2017-08-16 11:11:31 +02:00
Matt Willsher
43ed7c19a2 Fix Ansible 2.3 warnings 2017-05-04 14:31:26 +01:00
Harald Koch
f36d32e833 cleanup Archlinux support to match defaults in current package (openssh-7.4p1-2) 2017-02-11 11:11:18 -05:00
Aleksandr Kostyrev
7daa715bde Fix sshd_manage_var_run check 2015-08-12 23:29:51 +03:00
Aleksandr Kostyrev
445261a297 Do not manage /var/run/sshd on CentOS7 fixes #27 2015-08-12 18:41:46 +03:00
Matt Willsher
812a1e1267 Fix issues raised in #22 2015-06-28 10:18:45 +01:00
jitakirin
bcd864fea4 Add sshd_manage_service option
Allows disabling management of SSHd service completely, which is handy
when used in a container (where ansible is usually used during build
phase).
2015-06-25 14:54:24 +01:00
Matt Willsher
964496fcd1 Allow reload to be skipped 2015-01-13 17:42:10 +00:00
Matt Willsher
2194672579 Add EL6 defaults 2014-12-22 10:05:09 +00:00
Matt Willsher
26a0f5e350 Seperate defaults dict 2014-12-22 09:25:31 +00:00
Matt Willsher
1b5200c805 Improve option rendering, allow per OS defaults 2014-12-21 22:23:02 +00:00
Matt Willsher
c561b6e5f7 Allow overrides, force sftp for Ansible 2014-12-21 20:29:13 +00:00