mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-12-30 20:20:19 +01:00
70808e97fc
Use `true/false` instead of `yes/no` Ensure use of FQCN for builtin modules Use correct spacing in Jinja expressions All tasks and plays must have a `name`, and the `name` string must begin with an uppercase letter Use `ansible.posix.mount` instead of `ansible.builtin.mount` Use `set -o pipefail` with `shell` module where supported by the platform shell Signed-off-by: Rich Megginson <rmeggins@redhat.com>
118 lines
4.8 KiB
YAML
118 lines
4.8 KiB
YAML
---
|
|
- name: Test config namespaces
|
|
hosts: all
|
|
vars:
|
|
__sshd_test_backup_files:
|
|
- /etc/ssh/sshd_config
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
- /etc/ssh/ssh_host_rsa_key.pub
|
|
tasks:
|
|
- name: "Backup configuration files"
|
|
ansible.builtin.include_tasks: tasks/backup.yml
|
|
|
|
- name: Add configuration block to default configuration file
|
|
ansible.builtin.include_role:
|
|
name: ansible-sshd
|
|
vars:
|
|
sshd_config_file: /etc/ssh/sshd_config
|
|
sshd_config_namespace: nm1
|
|
sshd:
|
|
PasswordAuthentication: true
|
|
PermitRootLogin: true
|
|
Match:
|
|
Condition: user root
|
|
AllowAgentForwarding: false
|
|
|
|
- name: Add second configuration block to default configuration file
|
|
ansible.builtin.include_role:
|
|
name: ansible-sshd
|
|
vars:
|
|
sshd_config_file: /etc/ssh/sshd_config
|
|
sshd_config_namespace: nm2
|
|
sshd:
|
|
PasswordAuthentication: false
|
|
PermitRootLogin: false
|
|
Match:
|
|
Condition: Address 127.0.0.1
|
|
Banner: /etc/issue
|
|
|
|
- name: Verify the options are correctly set
|
|
tags: tests::verify
|
|
block:
|
|
- name: Flush handlers
|
|
ansible.builtin.meta: flush_handlers
|
|
|
|
- name: Print current configuration file
|
|
ansible.builtin.slurp:
|
|
src: /etc/ssh/sshd_config
|
|
register: config
|
|
|
|
- name: List effective configuration using sshd -T (matching)
|
|
ansible.builtin.shell: |
|
|
set -eu
|
|
if set -o | grep pipefail 2>&1 /dev/null ; then
|
|
set -o pipefail
|
|
fi
|
|
if test ! -f /etc/ssh/ssh_host_rsa_key; then
|
|
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
|
|
fi
|
|
sshd -T -Cuser=root,host=localhost,addr=127.0.0.1
|
|
register: runtime
|
|
changed_when: false
|
|
|
|
- name: List effective configuration using sshd -T (non-matching)
|
|
ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
|
|
register: nonmatching
|
|
changed_when: false
|
|
|
|
- name: Check content of configuration file (blocks)
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
|
|
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
|
|
when:
|
|
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
|
|
|
|
- name: Check content of configuration file (blocks for RHEL 6)
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
|
|
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
|
|
when:
|
|
- ansible_facts['os_family'] == 'RedHat'
|
|
- ansible_facts['distribution_major_version'] == '6'
|
|
|
|
- name: Check content of configuration file
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'PermitRootLogin yes' in config.content | b64decode"
|
|
- "'PasswordAuthentication yes' in config.content | b64decode"
|
|
- "'Match user root' in config.content | b64decode"
|
|
- "'AllowAgentForwarding no' in config.content | b64decode"
|
|
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
|
|
- "'PermitRootLogin no' in config.content | b64decode"
|
|
- "'PasswordAuthentication no' in config.content | b64decode"
|
|
- "'Match Address 127.0.0.1' in config.content | b64decode"
|
|
- "'Banner /etc/issue' in config.content | b64decode"
|
|
- "config.content | b64decode | regex_search('Match Address 127.0.0.1\\s*Banner /etc/issue')"
|
|
|
|
- name: Check the configuration values are effective
|
|
# note, the options are in lower-case here
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'permitrootlogin yes' in runtime.stdout"
|
|
- "'allowagentforwarding no' in runtime.stdout"
|
|
- "'banner /etc/issue' in runtime.stdout"
|
|
- "'passwordauthentication yes' in runtime.stdout"
|
|
|
|
- name: Check the configuration values are not effective for non-matching connection
|
|
# note, the options are in lower-case here
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'permitrootlogin yes' in runtime.stdout"
|
|
- "'allowAgentforwarding no' not in nonmatching.stdout"
|
|
- "'banner /etc/issue' not in nonmatching.stdout"
|
|
- "'passwordauthentication yes' in nonmatching.stdout"
|
|
|
|
- name: "Restore configuration files"
|
|
ansible.builtin.include_tasks: tasks/restore.yml
|