No description
Find a file
Jakub Jelen d39c6f7daf tests: Check include directive is added when missing
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
.github/workflows CI: Workaround for CentOS 6 2022-04-19 17:20:27 +02:00
defaults Verify the Include is in main configuration file 2022-05-10 16:48:22 +02:00
examples Rename sshd_namespace_append to sshd_config_namespace 2021-06-11 21:49:31 +02:00
handlers Reuse the list of skipped virtualization environments 2022-04-19 17:20:27 +02:00
meta Verify the Include is in main configuration file 2022-05-10 16:48:22 +02:00
tasks Verify the Include is in main configuration file 2022-05-10 16:48:22 +02:00
templates Verify the Include is in main configuration file 2022-05-10 16:48:22 +02:00
tests tests: Check include directive is added when missing 2022-05-10 16:48:22 +02:00
vars Verify the Include is in main configuration file 2022-05-10 16:48:22 +02:00
.ansible-lint CI: Unbreak the ansible-lint action 2022-04-19 17:20:27 +02:00
.gitignore Add a symlink to make tests working in CI without modification to ansible.cfg 2020-11-06 11:35:10 +01:00
.pre-commit-config.yaml Add pre-commit, fix issues 2020-09-18 20:49:22 +01:00
.yamllint.yml Fix issues found by linters - enable all tests on all repos - remove suppressions 2021-04-09 10:27:42 -07:00
.yamllint_defaults.yml Fix issues found by linters - enable all tests on all repos - remove suppressions 2021-04-09 10:27:42 -07:00
CHANGELOG Release 0.2.5 changes 2015-01-23 10:44:54 +00:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2020-09-18 22:15:19 +01:00
LICENSE Use LGPL license 2014-12-26 10:09:34 +00:00
README.md README: Update links to the CI results 2022-05-10 16:48:22 +02:00
Vagrantfile Add note about UsePAM 2017-05-04 15:03:19 +01:00

OpenSSH Server

Ansible Lint Ansible Galaxy

This role configures the OpenSSH daemon. It:

  • By default configures the SSH daemon with the normal OS defaults.
  • Works across a variety of UN*X distributions
  • Can be configured by dict or simple variables
  • Supports Match sets
  • Supports all sshd_config options. Templates are programmatically generated. (see meta/make_option_lists)
  • Tests the sshd_config before reloading sshd.

WARNING Misconfiguration of this role can lock you out of your server! Please test your configuration and its interaction with your users configuration before using in production!

WARNING Digital Ocean allows root with passwords via SSH on Debian and Ubuntu. This is not the default assigned by this module - it will set PermitRootLogin without-password which will allow access via SSH key but not via simple password. If you need this functionality, be sure to set sshd_PermitRootLogin yes for those hosts.

Requirements

Tested on:

  • Ubuntu precise, trusty, xenial, bionic, focal
    • Run tests on Ubuntu latest
  • Debian wheezy, jessie, stretch, buster, bullseye
    • Run tests on Debian
  • EL 6, 7, 8, 9 derived distributions
    • Run tests on CentOS
  • Fedora 31, 32, 33, 34
    • Run tests on Fedora latest
  • FreeBSD 10.1
  • OpenBSD 6.0
  • AIX 7.1, 7.2

It will likely work on other flavours and more direct support via suitable vars/ files is welcome.

Role variables

Unconfigured, this role will provide a sshd_config that matches the OS default, minus the comments and in a different order.

  • sshd_enable

If set to false, the role will be completely disabled. Defaults to true.

  • sshd_skip_defaults

If set to true, don't apply default values. This means that you must have a complete set of configuration defaults via either the sshd dict, or sshd_Key variables. Defaults to false unless sshd_config_namespace is set.

  • sshd_manage_service

If set to false, the service/daemon won't be managed at all, i.e. will not try to enable on boot or start or reload the service. Defaults to true unless: Running inside a docker container (it is assumed ansible is used during build phase) or AIX (Ansible service module does not currently support enabled for AIX)

  • sshd_allow_reload

If set to false, a reload of sshd wont happen on change. This can help with troubleshooting. You'll need to manually reload sshd if you want to apply the changed configuration. Defaults to the same value as sshd_manage_service. (Except on AIX, where sshd_manage_service is default false, but sshd_allow_reload is default true)

  • sshd_install_service

If set to true, the role will install service files for the ssh service. Defaults to false.

The templates for the service files to be used are pointed to by the variables

  • sshd_service_template_service (default: templates/sshd.service.j2)
  • sshd_service_template_at_service (default: templates/sshd@.service.j2)
  • sshd_service_template_socket (default: templates/sshd.socket.j2)

Using these variables, you can use your own custom templates. With the above default templates, the name of the installed ssh service will be provided by the sshd_service variable.

  • sshd

A dict containing configuration. e.g.

sshd:
  Compression: delayed
  ListenAddress:
    - 0.0.0.0
  • sshd_...

Simple variables can be used rather than a dict. Simple values override dict values. e.g.:

sshd_Compression: off

In all cases, booleans are correctly rendered as yes and no in sshd configuration. Lists can be used for multiline configuration items. e.g.

sshd_ListenAddress:
  - 0.0.0.0
  - '::'

Renders as:

ListenAddress 0.0.0.0
ListenAddress ::
  • sshd_match, sshd_match_1 through sshd_match_9

A list of dicts or just a dict for a Match section. Note, that these variables do not override match blocks as defined in the sshd dict. All of the sources will be reflected in the resulting configuration file. The use of sshd_match_* variant is deprecated and no longer recommended.

  • sshd_backup

When set to false, the original sshd_config file is not backed up. Default is true.

  • sshd_sysconfig

On RHEL-based systems, sysconfig is used for configuring more details of sshd service. If set to true, this role will manage also the /etc/sysconfig/sshd configuration file based on the following configuration. Default is false.

  • sshd_sysconfig_override_crypto_policy

In RHEL8-based systems, this can be used to override system-wide crypto policy by setting to true. Defaults to false.

  • sshd_sysconfig_use_strong_rng

In RHEL-based systems, this can be used to force sshd to reseed openssl random number generator with the given amount of bytes as an argument. The default is 0, which disables this functionality. It is not recommended to turn this on if the system does not have hardware random number generator.

  • sshd_config_file

The path where the openssh configuration produced by this role should be saved. This is useful mostly when generating configuration snippets to Include.

  • sshd_config_namespace

By default (null), the role defines whole content of the configuration file including system defaults. You can use this variable to invoke this role from other roles or from multiple places in a single playbook on systems that do not support drop-in directory. The sshd_skip_defaults is ignored and no system defaults are used in this case.

When this variable is set, the role places the configuration that you specify to configuration snippets in a existing configuration file under the given namespace. You need to select different namespaces when invoking the role several times.

Note that limitations of the openssh configuration file still apply. For example, only the first option specified in a configuration file is effective for most of the variables.

Technically, the role places snippets in Match all blocks, unless they contain other match blocks, to ensure they are applied regardless of the previous match blocks in the existing configuration file. This allows configuring any non-conflicting options from different roles invocations.

  • sshd_config_owner, sshd_config_group, sshd_config_mode

Use these variables to set the ownership and permissions for the openssh config file that this role produces.

  • sshd_verify_hostkeys

By default (auto), this list contains all the host keys that are present in the produced configuration file. If there are none, the OpenSSH default list will be used after excluding non-FIPS approved keys in FIPS mode. The paths are checked for presence and generated if missing. Additionally, permissions and file owners are set to sane defaults. This is useful if the role is used in deployment stage to make sure the service is able to start on the first attempt. To disable this check, set this to empty list.

  • sshd_hostkey_owner, sshd_hostkey_group, sshd_hostkey_mode

Use these variables to set the ownership and permissions for the host keys from the above list.

Secondary role variables

These variables are used by the role internals and can be used to override the defaults that correspond to each supported platform.

  • sshd_packages

Use this variable to override the default list of packages to install.

  • sshd_binary

The path to the openssh executable

  • sshd_service

The name of the openssh service. By default, this variable contains the name of the ssh service that the target platform uses. But it can also be used to set the name of the custom ssh service when the sshd_install_service variable is used.

  • sshd_sftp_server

Default path to the sftp server binary.

Variables Exported by the Role

  • sshd_has_run

This variable is set to true after the role was successfully executed.

Dependencies

None

For tests the ansible.posix collection is required for the mount role to emulate FIPS mode.

Example Playbook

DANGER! This example is to show the range of configuration this role provides. Running it will likely break your SSH access to the server!

---
- hosts: all
  vars:
    sshd_skip_defaults: true
    sshd:
      Compression: true
      ListenAddress:
        - "0.0.0.0"
        - "::"
      GSSAPIAuthentication: no
      Match:
        - Condition: "Group user"
          GSSAPIAuthentication: yes
    sshd_UsePrivilegeSeparation: no
    sshd_match:
        - Condition: "Group xusers"
          X11Forwarding: yes
  roles:
    - role: willshersystems.sshd

Results in:

# Ansible managed: ...
Compression yes
GSSAPIAuthentication no
UsePrivilegeSeparation no
Match Group user
  GSSAPIAuthentication yes
Match Group xusers
  X11Forwarding yes

Since Ansible 2.4, the role can be invoked using include_role keyword, for example:

---
- hosts: all
  become: true
  tasks:
  - name: "Configure sshd"
    include_role:
      name: willshersystems.sshd
    vars:
      sshd_skip_defaults: true
      sshd:
        Compression: true
        ListenAddress:
          - "0.0.0.0"
          - "::"
        GSSAPIAuthentication: no
        Match:
          - Condition: "Group user"
            GSSAPIAuthentication: yes
      sshd_UsePrivilegeSeparation: no
      sshd_match:
          - Condition: "Group xusers"
            X11Forwarding: yes

You can just add a configuration snippet with the sshd_config_namespace option:

---
- hosts: all
  tasks:
  - name: Configure sshd to accept some useful environment variables
    include_role:
      name: ansible-sshd
    vars:
      sshd_config_namespace: accept-env
      sshd:
        # there are some handy environment variables to accept
        AcceptEnv:
          LANG
          LS_COLORS
          EDITOR

The following snippet will be added to the default configuration file (if not yet present):

# BEGIN sshd system role managed block: namespace accept-env
Match all
  AcceptEnv LANG LS_COLORS EDITOR
# END sshd system role managed block: namespace accept-env

More example playbooks can be found in examples/ directory.

Template Generation

The sshd_config.j2 template is programatically generated by the scripts in meta. New options should be added to the options_body or options_match.

To regenerate the template, from within the meta/ directory run: ./make_option_lists

License

LGPLv3

Authors

Matt Willsher matt@willsher.systems

© 2014,2015 Willsher Systems Ltd.

Jakub Jelen jjelen@redhat.com

© 2020 - 2022 Red Hat, Inc.