From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Wed, 6 Apr 2022 10:42:17 +0200
3754e5
Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter
3754e5
3754e5
This fixes up the commit 7f69d1e6
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 templates/sshd_config.j2         | 6 +++++-
3754e5
 templates/sshd_config_snippet.j2 | 6 +++++-
3754e5
 2 files changed, 10 insertions(+), 2 deletions(-)
3754e5
3754e5
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
3754e5
index 15ee668..8c7f322 100644
3754e5
--- a/templates/sshd_config.j2
3754e5
+++ b/templates/sshd_config.j2
3754e5
@@ -22,7 +22,11 @@
3754e5
 {%   elif sshd[key] is defined %}
3754e5
 {%     set value = sshd[key] %}
3754e5
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
3754e5
-{%     set value = __sshd_defaults[key] %}
3754e5
+{%     if key == 'HostKey' and __sshd_fips_mode %}
3754e5
+{%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
3754e5
+{%     else %}
3754e5
+{%       set value = __sshd_defaults[key] %}
3754e5
+{%     endif %}
3754e5
 {%   endif %}
3754e5
 {{ render_option(key,value) -}}
3754e5
 {% endmacro %}
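Review bot: The FIPS filter is applied only on the defaults branch; a `HostKey` that reaches the macro through `sshd[key]` (or the branches above the hunk) is rendered unfiltered even when `__sshd_fips_mode` is true, so an operator-supplied Ed25519 key path still lands in the config on a FIPS host. If that is the intended contract (explicit configuration wins), state it in the template, e.g. `{# FIPS filtering applies to role defaults only; an explicit HostKey is rendered as given #}`; otherwise apply `| difference(__sshd_hostkeys_nofips)` on those branches as well. `difference` also assumes the default is a list — the role elsewhere handles a single-string HostKey (`sshd_HostKey is string`), so if `__sshd_defaults['HostKey']` can ever be a string it should be wrapped first, `([value] if value is string else value) | difference(...)`. The macro closed by `{% endmacro %}` starts above the hunk.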
3754e5
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
3754e5
index 6766e09..6b23c76 100644
3754e5
--- a/templates/sshd_config_snippet.j2
3754e5
+++ b/templates/sshd_config_snippet.j2
3754e5
@@ -21,7 +21,11 @@
3754e5
 {%   elif sshd[key] is defined %}
3754e5
 {%     set value = sshd[key] %}
3754e5
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
3754e5
-{%     set value = __sshd_defaults[key] %}
3754e5
+{%     if key == 'HostKey' and __sshd_fips_mode %}
3754e5
+{%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
3754e5
+{%     else %}
3754e5
+{%       set value = __sshd_defaults[key] %}
3754e5
+{%     endif %}
3754e5
 {%   endif %}
3754e5
 {{ render_option(key,value) -}}
3754e5
 {% endmacro %}
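Review bot: This is a verbatim second copy of the `HostKey`/`__sshd_fips_mode` branch from `sshd_config.j2`, and `tasks/install.yml` in this series carries a third reimplementation ("This mimics the macro body_option()"); three copies of a security filter is how one of them drifts. Computing the filtered default once — e.g. a `__sshd_hostkeys_filtered` fact set in the tasks and consumed by both templates — would keep the rendered config and the verified key list in lock-step. At minimum, a comment in each copy pointing at the other two, e.g. `{# keep in sync with sshd_config.j2 and __sshd_hostkeys_from_config in tasks/install.yml #}`, makes the coupling visible. The enclosing macro starts above the hunk.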
3754e5
-- 
3754e5
2.34.1
3754e5
3754e5
3754e5
From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Wed, 6 Apr 2022 11:10:27 +0200
3754e5
Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
3754e5
 well with the drop-in directory
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 tests/tests_alternative_file.yml      | 2 ++
3754e5
 tests/tests_alternative_file_role.yml | 2 ++
3754e5
 2 files changed, 4 insertions(+)
3754e5
3754e5
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
3754e5
index 0a8ccaf..215c726 100644
3754e5
--- a/tests/tests_alternative_file.yml
3754e5
+++ b/tests/tests_alternative_file.yml
3754e5
@@ -6,6 +6,7 @@
3754e5
       - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
3754e5
       - /etc/ssh/sshd_config_custom
3754e5
       - /etc/ssh/sshd_config_custom_second
3754e5
+      - /tmp/ssh_host_ecdsa_key
3754e5
   tasks:
3754e5
     - name: "Backup configuration files"
3754e5
       include_tasks: tasks/backup.yml
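Review bot: The backup/cleanup list gains `/tmp/ssh_host_ecdsa_key` but not its `.pub` counterpart, while the FIPS test in this series lists both `ssh_host_ed25519_key` and `ssh_host_ed25519_key.pub` and stats both files after a role run; a generated `/tmp/ssh_host_ecdsa_key.pub` would therefore be left on the host after the test restores its backups. Add `- /tmp/ssh_host_ecdsa_key.pub` next to the private key. Placing a host key under the world-writable `/tmp` is tolerable only as a test fixture; a comment such as `# test fixture only: never keep a real host key under /tmp` would stop the path being copied into real inventories.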
3754e5
@@ -52,6 +53,7 @@
3754e5
       include_role:
3754e5
         name: ansible-sshd
3754e5
       vars:
3754e5
+        sshd_config_file: /etc/ssh/sshd_config
3754e5
         sshd:
3754e5
           Banner: /etc/issue
3754e5
           Ciphers: aes192-ctr
3754e5
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
3754e5
index 9177709..3e7c7ea 100644
3754e5
--- a/tests/tests_alternative_file_role.yml
3754e5
+++ b/tests/tests_alternative_file_role.yml
3754e5
@@ -6,6 +6,7 @@
3754e5
       - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
3754e5
       - /etc/ssh/sshd_config_custom
3754e5
       - /etc/ssh/sshd_config_custom_second
3754e5
+      - /tmp/ssh_host_ecdsa_key
3754e5
   tasks:
3754e5
     - name: "Backup configuration files"
3754e5
       include_tasks: tasks/backup.yml
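Review bot: Same omission as in `tests_alternative_file.yml`: only `/tmp/ssh_host_ecdsa_key` is added to the backup list, so the public half the role writes alongside it (the sibling FIPS test stats a `_key.pub` after a run) is not restored or removed. Add `- /tmp/ssh_host_ecdsa_key.pub`, and mark the `/tmp` location as a test-only fixture in a comment.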
3754e5
@@ -57,6 +58,7 @@
3754e5
   roles:
3754e5
     - ansible-sshd
3754e5
   vars:
3754e5
+    sshd_config_file: /etc/ssh/sshd_config
3754e5
     sshd:
3754e5
       Banner: /etc/issue
3754e5
       Ciphers: aes192-ctr
3754e5
-- 
3754e5
2.34.1
3754e5
3754e5
3754e5
From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Wed, 6 Apr 2022 11:17:12 +0200
3754e5
Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 tests/tasks/setup.yml | 5 ++---
3754e5
 1 file changed, 2 insertions(+), 3 deletions(-)
3754e5
3754e5
diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
3754e5
index 90a3f00..a0e9324 100644
3754e5
--- a/tests/tasks/setup.yml
3754e5
+++ b/tests/tasks/setup.yml
3754e5
@@ -26,6 +26,5 @@
3754e5
     main_sshd_config_name: 00-ansible_system_role.conf
3754e5
     main_sshd_config_path: /etc/ssh/sshd_config.d/
3754e5
   when: >
3754e5
-    ansible_facts['distribution'] == 'Fedora' or
3754e5
-    (ansible_facts['distribution'] == 'RedHat' and
3754e5
-     ansible_facts['distribution_major_version']|int > 8)
3754e5
+    ansible_facts['os_family'] == 'RedHat' and
3754e5
+    ansible_facts['distribution_major_version']|int > 8
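Review bot: Switching to `os_family` widens the match from Fedora/RHEL to every RedHat-family distribution with a major version above 8 — CentOS as intended, but also Rocky, Alma, Oracle Linux and, with a year-style version number, Amazon Linux — and asserts the drop-in path for all of them. That is only correct if the role's own platform vars (`vars/RedHat_9.yml`, `vars/Fedora.yml` in this series) are selected on the same basis, otherwise the test expects `/etc/ssh/sshd_config.d/` on a host the role configures with a monolithic file. A comment stating the assumption, e.g. `# every RedHat-family release >= 9 ships openssh with the sshd_config.d drop-in directory`, would document it. This `when:` belongs to a task whose header is above the hunk.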
3754e5
-- 
3754e5
2.34.1
3754e5
3754e5
3754e5
From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Wed, 6 Apr 2022 11:20:34 +0200
3754e5
Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 tests/tests_alternative_file.yml      | 2 +-
3754e5
 tests/tests_alternative_file_role.yml | 2 +-
3754e5
 2 files changed, 2 insertions(+), 2 deletions(-)
3754e5
3754e5
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
3754e5
index 215c726..172c73a 100644
3754e5
--- a/tests/tests_alternative_file.yml
3754e5
+++ b/tests/tests_alternative_file.yml
3754e5
@@ -82,7 +82,7 @@
3754e5
 
3754e5
         - name: Print the main configuration file
3754e5
           slurp:
3754e5
-            src: "{{ main_sshd_config }}"
3754e5
+            src: /etc/ssh/sshd_config
3754e5
           register: config3
3754e5
 
3754e5
         - name: Check content of first configuration file
3754e5
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
3754e5
index 3e7c7ea..09fbce4 100644
3754e5
--- a/tests/tests_alternative_file_role.yml
3754e5
+++ b/tests/tests_alternative_file_role.yml
3754e5
@@ -98,7 +98,7 @@
3754e5
 
3754e5
         - name: Print the main configuration file
3754e5
           slurp:
3754e5
-            src: "{{ main_sshd_config }}"
3754e5
+            src: /etc/ssh/sshd_config
3754e5
           register: config3
3754e5
 
3754e5
         - name: Check content of first configuration file
3754e5
-- 
3754e5
2.34.1
3754e5
3754e5
3754e5
From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Wed, 6 Apr 2022 20:28:32 +0200
3754e5
Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 tasks/install.yml | 15 ++++++++-------
3754e5
 1 file changed, 8 insertions(+), 7 deletions(-)
3754e5
3754e5
diff --git a/tasks/install.yml b/tasks/install.yml
3754e5
index f1d8455..571281c 100644
3754e5
--- a/tasks/install.yml
3754e5
+++ b/tasks/install.yml
3754e5
@@ -40,10 +40,11 @@
3754e5
 
3754e5
 - name: Make sure hostkeys are available and have expected permissions
3754e5
   vars: &share_vars
3754e5
+    # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
3754e5
     __sshd_fips_mode: >-
3754e5
-      - __sshd_hostkeys_nofips | d([])
3754e5
-      - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
3754e5
-        __sshd_userspace_fips_mode.content | b64decode != "0" | bool
3754e5
+      {{ __sshd_hostkeys_nofips | d([]) and
3754e5
+         (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
3754e5
+          __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
3754e5
     # This mimics the macro body_option() in sshd_config.j2
3754e5
     # The explicit to_json filter is needed for Python 2 compatibility
3754e5
     __sshd_hostkeys_from_config: >-
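Review bot: The `and` in `__sshd_hostkeys_nofips | d([]) and (...)` does not produce a boolean: Jinja returns the left operand when it is falsy, so with no `__sshd_hostkeys_nofips` defined the rendered value is the literal `[]`, and `__sshd_fips_mode` only reads as false because Ansible re-evaluates that literal into an empty list after templating. That works but is fragile and hard to read; write the guard as a boolean, `{{ (__sshd_hostkeys_nofips | d([]) | length > 0) and (...) }}`. The two probes also differ in direction — the kernel value must be exactly `1`, while any userspace marker other than `0` (including an empty file) counts as FIPS on — which fails toward the more restrictive key set; that is the right default for a host-key filter but deserves a comment, e.g. `# any userspace marker other than '0' is treated as FIPS on (fail closed)`. The slurp tasks that populate the two `*_fips_mode` results, and the file they read (presumably /etc/system-fips, given the test backup list), are outside this hunk.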
3754e5
@@ -58,14 +59,14 @@
3754e5
           {{ __sshd_defaults['HostKey'] | to_json }}
3754e5
         {% endif %}
3754e5
       {% else %}
3754e5
-        []
3754e5
+        {{ [] | to_json }}
3754e5
       {% endif %}
3754e5
     __sshd_verify_hostkeys: >-
3754e5
       {% if not sshd_verify_hostkeys %}
3754e5
-        []
3754e5
+        {{ [] | to_json }}
3754e5
       {% elif sshd_verify_hostkeys == 'auto' %}
3754e5
-        {% if sshd_HostKey is string %}
3754e5
-          [ {{ __sshd_hostkeys_from_config }} ]
3754e5
+        {% if __sshd_hostkeys_from_config | from_json is string %}
3754e5
+          {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
3754e5
         {% else %}
3754e5
           {{ __sshd_hostkeys_from_config }}
3754e5
         {% endif %}
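Review bot: `__sshd_hostkeys_from_config` emits `__sshd_defaults['HostKey'] | to_json` unfiltered at the top of this hunk, while the templates in this series now drop `__sshd_hostkeys_nofips` entries from that same default in FIPS mode; unless a line above the hunk applies `difference(__sshd_hostkeys_nofips)` on that branch, the role would verify and generate a key that the rendered config never references (a sanity check the FIPS negative test, "Check no host key was generated", would catch only on platforms that use the defaults branch). Worth confirming and, if the filter is there, a comment pointing at it. Separately, every one of these vars is a JSON string that each consumer must pass through `from_json`; a comment such as `# JSON-encoded list: consumers must apply from_json` above `__sshd_hostkeys_from_config` would prevent a future caller using the raw string. `__sshd_verify_hostkeys` continues below the hunk.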
3754e5
-- 
3754e5
2.34.1
3754e5
3754e5
3754e5
From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Mon, 11 Apr 2022 13:06:24 +0200
3754e5
Subject: [PATCH 6/7] tests: Add negative test for FIPS mode
3754e5
3754e5
This fixes also a typo that was overlooked previously
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
3754e5
 1 file changed, 46 insertions(+), 7 deletions(-)
3754e5
3754e5
diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
3754e5
index 65cc765..7cf3767 100644
3754e5
--- a/tests/tests_hostkeys_fips.yml
3754e5
+++ b/tests/tests_hostkeys_fips.yml
3754e5
@@ -4,13 +4,52 @@
3754e5
     __sshd_test_backup_files:
3754e5
       - /etc/ssh/sshd_config
3754e5
       - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
3754e5
-      - /etc/ssh/ssh_host_ed255519_key
3754e5
-      - /etc/ssh/ssh_host_ed255519_key.pub
3754e5
+      - /etc/ssh/ssh_host_ed25519_key
3754e5
+      - /etc/ssh/ssh_host_ed25519_key.pub
3754e5
       - /etc/system-fips
3754e5
   tasks:
3754e5
     - name: "Backup configuration files"
3754e5
       include_tasks: tasks/backup.yml
3754e5
 
3754e5
+    - name: Run the role with default parameters without FIPS mode
3754e5
+      include_role:
3754e5
+        name: ansible-sshd
3754e5
+
3754e5
+    - name: Verify the options are correctly set
3754e5
+      block:
3754e5
+        - meta: flush_handlers
3754e5
+
3754e5
+        - name: Print current configuration file
3754e5
+          slurp:
3754e5
+            src: "{{ main_sshd_config }}"
3754e5
+          register: config
3754e5
+
3754e5
+        - name: Get stat of private key
3754e5
+          stat:
3754e5
+            path: /etc/ssh/ssh_host_ed25519_key
3754e5
+          register: privkey
3754e5
+
3754e5
+        - name: Get stat of public key
3754e5
+          stat:
3754e5
+            path: /etc/ssh/ssh_host_ed25519_key.pub
3754e5
+          register: pubkey
3754e5
+
3754e5
+        - name: Check the key is in configuration file (without include)
3754e5
+          assert:
3754e5
+            that:
3754e5
+              - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
3754e5
+          when:
3754e5
+            - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
3754e5
+
3754e5
+        - name: Check host key was generated
3754e5
+          assert:
3754e5
+            that:
3754e5
+              - privkey.stat.exists
3754e5
+              - pubkey.stat.exists
3754e5
+      when:
3754e5
+        - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
3754e5
+      tags: tests::verify
3754e5
+
3754e5
     - name: Fake FIPS mode
3754e5
       block:
3754e5
         - name: Create temporary directory
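Review bot: The positive test asserts only that the Ed25519 key pair exists after the non-FIPS run, not that the private key got the ownership and mode the role promises ("Make sure hostkeys are available and have expected permissions"; `__sshd_hostkey_mode: "0640"` with group `ssh_keys` in this series' platform vars). Extending `Check host key was generated` with `- privkey.stat.mode == '0640'` and `- privkey.stat.gr_name == 'ssh_keys'` (or the platform's expected values, since `include_role` does not expose the role's vars to the play by default) would catch a key created group- or world-readable, which is the failure that matters. On releases 9 and later the `HostKey ... in config.content` assertion is skipped, so nothing checks the drop-in file at all; if the intent is that the drop-in carries no `HostKey` line, assert that explicitly for that branch.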
3754e5
@@ -40,13 +79,13 @@
3754e5
     - name: Remove the Ed25519 hostkey
3754e5
       file:
3754e5
         path:
3754e5
-          /etc/ssh/ssh_host_ed255519_key
3754e5
+          /etc/ssh/ssh_host_ed25519_key
3754e5
         state: absent
3754e5
 
3754e5
     - name: Remove the Ed25519 pubkey
3754e5
       file:
3754e5
         path:
3754e5
-          /etc/ssh/ssh_host_ed255519_key.pub
3754e5
+          /etc/ssh/ssh_host_ed25519_key.pub
3754e5
         state: absent
3754e5
 
3754e5
     - name: Run the role with default parameters
3754e5
@@ -64,18 +103,18 @@
3754e5
 
3754e5
         - name: Get stat of private key
3754e5
           stat:
3754e5
-            path: /etc/ssh/ssh_host_ed255519_key
3754e5
+            path: /etc/ssh/ssh_host_ed25519_key
3754e5
           register: privkey
3754e5
 
3754e5
         - name: Get stat of public key
3754e5
           stat:
3754e5
-            path: /etc/ssh/ssh_host_ed255519_key.pub
3754e5
+            path: /etc/ssh/ssh_host_ed25519_key.pub
3754e5
           register: pubkey
3754e5
 
3754e5
         - name: Check the key is not in configuration file
3754e5
           assert:
3754e5
             that:
3754e5
-              - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
3754e5
+              - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
3754e5
 
3754e5
         - name: Check no host key was generated
3754e5
           assert:
3754e5
-- 
3754e5
2.34.1
3754e5
3754e5
3754e5
From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
3754e5
From: Jakub Jelen <jjelen@redhat.com>
3754e5
Date: Mon, 11 Apr 2022 13:07:44 +0200
3754e5
Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
3754e5
 directory
3754e5
3754e5
Previously no hostkeys were checked if they were not present
3754e5
in the generated configuration file. When the drop-in directory is
3754e5
used, usually, there are no hostkeys in that file and no sanity
3754e5
check for hostkeys was executed.
3754e5
3754e5
This amends the "auto" value for the hostkeys check to allow checking
3754e5
for default hostkeys that are read by OpenSSH by default.
3754e5
3754e5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
3754e5
---
3754e5
 defaults/main.yml | 1 +
3754e5
 tasks/install.yml | 8 +++++++-
3754e5
 vars/Fedora.yml   | 6 ++++++
3754e5
 vars/RedHat_9.yml | 6 ++++++
3754e5
 4 files changed, 20 insertions(+), 1 deletion(-)
3754e5
3754e5
diff --git a/defaults/main.yml b/defaults/main.yml
3754e5
index 18d6114..7e40e51 100644
3754e5
--- a/defaults/main.yml
3754e5
+++ b/defaults/main.yml
3754e5
@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
3754e5
 # configuration or restarting), we make sure the keys exist and have correct
3754e5
 # permissions. To disable this check, set sshd_verify_hostkeys to false
3754e5
 sshd_verify_hostkeys: "auto"
3754e5
+__sshd_verify_hostkeys_default: []
3754e5
 sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
3754e5
 sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
3754e5
 sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
3754e5
diff --git a/tasks/install.yml b/tasks/install.yml
3754e5
index 571281c..fa7d3c3 100644
3754e5
--- a/tasks/install.yml
3754e5
+++ b/tasks/install.yml
3754e5
@@ -65,7 +65,13 @@
3754e5
       {% if not sshd_verify_hostkeys %}
3754e5
         {{ [] | to_json }}
3754e5
       {% elif sshd_verify_hostkeys == 'auto' %}
3754e5
-        {% if __sshd_hostkeys_from_config | from_json is string %}
3754e5
+        {% if not __sshd_hostkeys_from_config | from_json %}
3754e5
+          {% if __sshd_fips_mode %}
3754e5
+            {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
3754e5
+          {% else %}
3754e5
+            {{ __sshd_verify_hostkeys_default | to_json }}
3754e5
+          {% endif %}
3754e5
+        {% elif __sshd_hostkeys_from_config | from_json is string %}
3754e5
           {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
3754e5
         {% else %}
3754e5
           {{ __sshd_hostkeys_from_config }}
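Review bot: `__sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips)` is reached only when `__sshd_fips_mode` is true, which per the earlier hunk in this series is itself false whenever `__sshd_hostkeys_nofips` is undefined; the branch is safe, but only through that implicit coupling, so default it here too: `{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips | d([])) | to_json }}`. The new `not ... from_json` branch also deserves a comment explaining when it fires and what it assumes, e.g. `# generated file has no HostKey (drop-in case): verify the platform's default keys, which is what sshd loads unless the main sshd_config sets its own HostKey lines`; when an unmanaged `/etc/ssh/sshd_config` does set different paths, the role will verify keys sshd does not use and skip the ones it does. `__sshd_verify_hostkeys` continues below the hunk.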
3754e5
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
3754e5
index 77bf172..cf2b081 100644
3754e5
--- a/vars/Fedora.yml
3754e5
+++ b/vars/Fedora.yml
3754e5
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
3754e5
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
3754e5
 __sshd_defaults:
3754e5
 __sshd_os_supported: yes
3754e5
+__sshd_verify_hostkeys_default:
3754e5
+  - /etc/ssh/ssh_host_rsa_key
3754e5
+  - /etc/ssh/ssh_host_ecdsa_key
3754e5
+  - /etc/ssh/ssh_host_ed25519_key
3754e5
+__sshd_hostkeys_nofips:
3754e5
+  - /etc/ssh/ssh_host_ed25519_key
3754e5
 __sshd_hostkey_group: ssh_keys
3754e5
 __sshd_hostkey_mode: "0640"
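Review bot: `__sshd_hostkeys_nofips` is subtracted from the other lists with `difference`, which compares strings exactly; its entries must be spelled byte-for-byte like the paths in `__sshd_verify_hostkeys_default` and in the `HostKey` defaults (no trailing slash, no symlinked alias), or the Ed25519 key silently survives the FIPS filter. A comment would prevent drift, e.g. `# must match __sshd_verify_hostkeys_default / HostKey default paths exactly (difference() is a string match)`. The same two lists are duplicated verbatim in `vars/RedHat_9.yml`; if more platforms follow, a shared vars file would keep the FIPS exclusion list in one place.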
3754e5
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
3754e5
index 33df26a..55239f4 100644
3754e5
--- a/vars/RedHat_9.yml
3754e5
+++ b/vars/RedHat_9.yml
3754e5
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
3754e5
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
3754e5
 __sshd_defaults:
3754e5
 __sshd_os_supported: yes
3754e5
+__sshd_verify_hostkeys_default:
3754e5
+  - /etc/ssh/ssh_host_rsa_key
3754e5
+  - /etc/ssh/ssh_host_ecdsa_key
3754e5
+  - /etc/ssh/ssh_host_ed25519_key
3754e5
+__sshd_hostkeys_nofips:
3754e5
+  - /etc/ssh/ssh_host_ed25519_key
3754e5
 __sshd_hostkey_group: ssh_keys
3754e5
 __sshd_hostkey_mode: "0640"
3754e5
-- 
3754e5
2.34.1
3754e5