--- - name: Test alternative config file hosts: all vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config_custom - /etc/ssh/sshd_config_custom_second - /tmp/ssh_host_ecdsa_key tasks: - name: "Backup configuration files" ansible.builtin.include_tasks: tasks/backup.yml - name: Ensure group 'nobody' exists ansible.builtin.group: name: nobody - name: Ensure the user 'nobody' exists ansible.builtin.user: name: nobody group: nobody comment: nobody create_home: false shell: /sbin/nologin - name: Configure alternative sshd_config file ansible.builtin.include_role: name: ansible-sshd vars: # just anything -- will not get processed by sshd sshd_config_file: /etc/ssh/sshd_config_custom sshd_config_owner: "nobody" sshd_config_group: "nobody" sshd_config_mode: "660" sshd_config: AcceptEnv: LANG Banner: /etc/issue Ciphers: aes256-ctr sshd_LogLevel: DEBUG1 # noqa var-naming - name: Configure second alternative sshd_config file ansible.builtin.include_role: name: ansible-sshd vars: # just anything -- will not get processed by sshd sshd_config_file: /etc/ssh/sshd_config_custom_second sshd_skip_defaults: true sshd_config: Banner: /etc/issue2 Ciphers: aes128-ctr sshd_MaxStartups: 100 # noqa var-naming - name: Now configure the main sshd_config file ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config sshd_config: Banner: /etc/issue Ciphers: aes192-ctr HostKey: - /tmp/ssh_host_ecdsa_key sshd_PasswordAuthentication: false # noqa var-naming - name: Verify the options are correctly set tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print current configuration file ansible.builtin.slurp: src: /etc/ssh/sshd_config_custom register: config - name: Get stat of the configuration file ansible.builtin.stat: path: /etc/ssh/sshd_config_custom register: config_stat - name: Print second configuration file ansible.builtin.slurp: src: /etc/ssh/sshd_config_custom_second register: config2 - name: Print the main configuration file ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config3 - name: Check content of first configuration file ansible.builtin.assert: that: - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode" - "'Ciphers aes256-ctr' in config.content | b64decode" - "'LogLevel DEBUG1' in config.content | b64decode" - name: Check Fedora/RHEL9+ defaults are present in the first configuration file ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int > 8 - name: Check RHEL7 and RHEL8 defaults are present in the first configuration file ansible.builtin.assert: that: - "'X11Forwarding yes' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int > 6 - ansible_facts['distribution_major_version'] | int < 9 - name: Check RHEL6 defaults are present in the first configuration file ansible.builtin.assert: that: - "'Protocol 2' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] == '6' - name: Check Debian defaults are present in the first configuration file ansible.builtin.assert: that: - "'PrintMotd no' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" when: - ansible_facts['os_family'] == 'Debian' - ansible_facts['distribution_major_version'] | int < 22 - name: Check Ubuntu 20+ defaults are present in the first configuration file ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'UsePAM yes' in config.content | b64decode" when: - ansible_facts['distribution'] == 'Ubuntu' - ansible_facts['distribution_major_version'] | int >= 20 - name: Check Ubuntu 22+ defaults are present in the first configuration file ansible.builtin.assert: that: - "'KbdInteractiveAuthentication no' in config.content | b64decode" when: - ansible_facts['distribution'] == 'Ubuntu' - ansible_facts['distribution_major_version'] | int >= 22 - name: Check content of second configuration file ansible.builtin.assert: that: - "'Banner /etc/issue2' in config2.content | b64decode" - "'Ciphers aes128-ctr' in config2.content | b64decode" - "'HostKey' not in config2.content | b64decode" - "'MaxStartups 100' in config2.content | b64decode" - "'LogLevel DEBUG1' not in config2.content | b64decode" - name: Check content of the main configuration file ansible.builtin.assert: that: - "'Banner /etc/issue' in config3.content | b64decode" - "'Ciphers aes192-ctr' in config3.content | b64decode" - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode" - "'PasswordAuthentication no' in config3.content | b64decode" - "'MaxStartups 100' not in config3.content | b64decode" - "'LogLevel DEBUG1' not in config3.content | b64decode" - name: Check the main configuration file contains some default values for RHEL 9 ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode" - "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config3.content | b64decode" when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int > 8 - ansible_facts['distribution'] != 'Fedora' - name: Check the main configuration file contains some default values for Fedora ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode" - "'Subsystem sftp /usr/libexec/sftp-server' in config3.content | b64decode" when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] | int > 8 - ansible_facts['distribution'] == 'Fedora' - name: Check the generated config has requested properties ansible.builtin.assert: that: - config_stat.stat.exists - config_stat.stat.gr_name == 'nobody' - config_stat.stat.pw_name == 'nobody' - config_stat.stat.mode == '0660' - name: "Restore configuration files" ansible.builtin.include_tasks: tasks/restore.yml