--- - name: Test hostkeys with FIPS hosts: all vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key.pub - /etc/system-fips tasks: - name: "Backup configuration files" ansible.builtin.include_tasks: tasks/backup.yml - name: Run the role with default parameters without FIPS mode ansible.builtin.include_role: name: ansible-sshd - name: Verify the options are correctly set when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int > 6 tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key register: privkey - name: Get stat of public key ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key.pub register: pubkey - name: Check the key is in configuration file (without include) ansible.builtin.assert: that: - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode" when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int < 9 - name: Check host key was generated ansible.builtin.assert: that: - privkey.stat.exists - pubkey.stat.exists - name: Fake FIPS mode block: - name: Create temporary directory ansible.builtin.tempfile: state: directory register: fips_directory - name: Create a /etc/system-fips ansible.builtin.copy: dest: /etc/system-fips content: userspace fips mode: "0644" - name: Create a fips_enabled file ansible.builtin.copy: dest: "{{ fips_directory.path }}/fips_enabled" content: "1" mode: "0644" - name: Bind mount the file where we need it ansible.posix.mount: path: /proc/sys/crypto/fips_enabled src: "{{ fips_directory.path }}/fips_enabled" opts: bind state: mounted fstype: none failed_when: false - name: Remove the Ed25519 hostkey ansible.builtin.file: path: /etc/ssh/ssh_host_ed25519_key state: absent - name: Remove the Ed25519 pubkey ansible.builtin.file: path: /etc/ssh/ssh_host_ed25519_key.pub state: absent - name: Run the role with default parameters ansible.builtin.include_role: name: ansible-sshd - name: Verify the options are correctly set when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int > 6 tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key register: privkey - name: Get stat of public key ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key.pub register: pubkey - name: Check the key is not in configuration file ansible.builtin.assert: that: - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode" - name: Check no host key was generated ansible.builtin.assert: that: - not privkey.stat.exists - not pubkey.stat.exists - name: Remove the FIPS mode indicators block: - name: Unmount the file ansible.posix.mount: path: /proc/sys/crypto/fips_enabled state: unmounted failed_when: false - name: Remove the temporary directory ansible.builtin.file: path: "{{ fips_directory.path }}" state: absent - name: "Restore configuration files" ansible.builtin.include_tasks: tasks/restore.yml