From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 10:42:17 +0200
Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter
This fixes up the commit 7f69d1e6
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
templates/sshd_config.j2 | 6 +++++-
templates/sshd_config_snippet.j2 | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 15ee668..8c7f322 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -22,7 +22,11 @@
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{% set value = __sshd_defaults[key] %}
+{% if key == 'HostKey' and __sshd_fips_mode %}
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{% else %}
+{% set value = __sshd_defaults[key] %}
+{% endif %}
{% endif %}
{{ render_option(key,value) -}}
{% endmacro %}
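Review bot: The new FIPS branch pipes `__sshd_defaults[key]` straight into `difference()`, but tasks/install.yml in patch 5 of this series treats `__sshd_defaults['HostKey']` as possibly a plain string (`... | from_json is string`); on a string the set-difference filter would operate on characters rather than on one path, so the value should be normalised first, e.g. `{% set value = ([__sshd_defaults[key]] if __sshd_defaults[key] is string else __sshd_defaults[key]) | difference(__sshd_hostkeys_nofips | d([])) %}`. The added `d([])` also keeps the template renderable when `__sshd_hostkeys_nofips` is not defined for the target OS, which is how install.yml already guards that variable. The same block is duplicated verbatim in templates/sshd_config_snippet.j2 (the second hunk of this patch) and needs the same change. The enclosing macro (body_option(), per the comment in tasks/install.yml) starts before the hunk.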
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
index 6766e09..6b23c76 100644
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
@@ -21,7 +21,11 @@
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{% set value = __sshd_defaults[key] %}
+{% if key == 'HostKey' and __sshd_fips_mode %}
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{% else %}
+{% set value = __sshd_defaults[key] %}
+{% endif %}
{% endif %}
{{ render_option(key,value) -}}
{% endmacro %}
--
2.34.1
From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:10:27 +0200
Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
well with the drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tests_alternative_file.yml | 2 ++
tests/tests_alternative_file_role.yml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 0a8ccaf..215c726 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -6,6 +6,7 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /etc/ssh/sshd_config_custom
- /etc/ssh/sshd_config_custom_second
+ - /tmp/ssh_host_ecdsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
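Review bot: The backup list now includes a private host key at a fixed path in a world-writable directory, `/tmp/ssh_host_ecdsa_key`; the task that creates it is not in this hunk, so this is a hedged remark, but a predictable name under /tmp can be pre-created by any local user, and a directory from the `tempfile` module avoids that class of problem. If the key only ever exists on a throwaway test host this is acceptable, and a comment such as `# test-only key, never deployed; path is shared with the role invocation below` would make the intent explicit. tests/tests_alternative_file_role.yml in this patch adds the same entry.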
@@ -52,6 +53,7 @@
include_role:
name: ansible-sshd
vars:
+ sshd_config_file: /etc/ssh/sshd_config
sshd:
Banner: /etc/issue
Ciphers: aes192-ctr
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 9177709..3e7c7ea 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -6,6 +6,7 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /etc/ssh/sshd_config_custom
- /etc/ssh/sshd_config_custom_second
+ - /tmp/ssh_host_ecdsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
@@ -57,6 +58,7 @@
roles:
- ansible-sshd
vars:
+ sshd_config_file: /etc/ssh/sshd_config
sshd:
Banner: /etc/issue
Ciphers: aes192-ctr
--
2.34.1
From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:17:12 +0200
Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tasks/setup.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
index 90a3f00..a0e9324 100644
--- a/tests/tasks/setup.yml
+++ b/tests/tasks/setup.yml
@@ -26,6 +26,5 @@
main_sshd_config_name: 00-ansible_system_role.conf
main_sshd_config_path: /etc/ssh/sshd_config.d/
when: >
- ansible_facts['distribution'] == 'Fedora' or
- (ansible_facts['distribution'] == 'RedHat' and
- ansible_facts['distribution_major_version']|int > 8)
+ ansible_facts['os_family'] == 'RedHat' and
+ ansible_facts['distribution_major_version']|int > 8
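Review bot: The rewritten condition preserves Fedora only because every Fedora release has a `distribution_major_version` greater than 8, and it now also selects every other `os_family == 'RedHat'` member above 8, not just CentOS 9 as the subject says; that is probably the intent for RHEL rebuilds, but it is wider than the explicit list it replaces. A comment above `when:` would record the rule, e.g. `# RHEL-family 9+ (and every Fedora, whose major version is always > 8) ship /etc/ssh/sshd_config.d`. The trailing `and` inside the `>` folded scalar is fine because the lines are joined into one expression.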
--
2.34.1
From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:20:34 +0200
Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tests_alternative_file.yml | 2 +-
tests/tests_alternative_file_role.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 215c726..172c73a 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -82,7 +82,7 @@
|
- name: Print the main configuration file
slurp:
- src: "{{ main_sshd_config }}"
+ src: /etc/ssh/sshd_config
register: config3
|
- name: Check content of first configuration file
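Review bot: The slurp hard-codes `/etc/ssh/sshd_config` while patch 2 of this series sets `sshd_config_file: /etc/ssh/sshd_config` under the `include_role` task's `vars:`, which are scoped to that task and so cannot be referenced here; keeping two copies of the literal in sync by hand is fragile. Hoisting the value to the play's `vars:` and using `src: "{{ sshd_config_file }}"` in this task would leave one definition. The same literal is introduced in tests/tests_alternative_file_role.yml in this patch.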
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 3e7c7ea..09fbce4 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -98,7 +98,7 @@
|
- name: Print the main configuration file
slurp:
- src: "{{ main_sshd_config }}"
+ src: /etc/ssh/sshd_config
register: config3
|
- name: Check content of first configuration file
--
2.34.1
From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 20:28:32 +0200
Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tasks/install.yml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tasks/install.yml b/tasks/install.yml
index f1d8455..571281c 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -40,10 +40,11 @@
|
- name: Make sure hostkeys are available and have expected permissions
vars: &share_vars
+ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
__sshd_fips_mode: >-
- - __sshd_hostkeys_nofips | d([])
- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
- __sshd_userspace_fips_mode.content | b64decode != "0" | bool
+ {{ __sshd_hostkeys_nofips | d([]) and
+ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
+ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
# This mimics the macro body_option() in sshd_config.j2
# The explicit to_json filter is needed for Python 2 compatibility
__sshd_hostkeys_from_config: >-
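Review bot: `__sshd_fips_mode` does not always render to a boolean: Jinja's `and` yields its left operand when that operand is falsy, so with `__sshd_hostkeys_nofips` undefined or empty the rendered text is `[]`, and `True`/`False` otherwise; the templates then rely on Ansible turning those literals back into values before `{% if key == 'HostKey' and __sshd_fips_mode %}` is evaluated. Making the left side a real test removes that dependency: `{{ (__sshd_hostkeys_nofips | d([]) | length > 0) and`. The comment should also say what the `d('MAo=')` fallbacks imply, namely that an unreadable or absent indicator counts as "not FIPS", i.e. detection fails open toward keeping the non-FIPS keys: `# 'MAo=' is base64 for "0\n"; if neither indicator could be read we assume FIPS is off`. The `__sshd_hostkeys_from_config` definition continues past the end of the hunk.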
@@ -58,14 +59,14 @@
{{ __sshd_defaults['HostKey'] | to_json }}
{% endif %}
{% else %}
- []
+ {{ [] | to_json }}
{% endif %}
__sshd_verify_hostkeys: >-
{% if not sshd_verify_hostkeys %}
- []
+ {{ [] | to_json }}
{% elif sshd_verify_hostkeys == 'auto' %}
- {% if sshd_HostKey is string %}
- [ {{ __sshd_hostkeys_from_config }} ]
+ {% if __sshd_hostkeys_from_config | from_json is string %}
+ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
{% else %}
{{ __sshd_hostkeys_from_config }}
{% endif %}
--
2.34.1
From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 11 Apr 2022 13:06:24 +0200
Subject: [PATCH 6/7] tests: Add negative test for FIPS mode
This also fixes a typo that was overlooked previously
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
1 file changed, 46 insertions(+), 7 deletions(-)
diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
index 65cc765..7cf3767 100644
--- a/tests/tests_hostkeys_fips.yml
+++ b/tests/tests_hostkeys_fips.yml
@@ -4,13 +4,52 @@
__sshd_test_backup_files:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- - /etc/ssh/ssh_host_ed255519_key
- - /etc/ssh/ssh_host_ed255519_key.pub
+ - /etc/ssh/ssh_host_ed25519_key
+ - /etc/ssh/ssh_host_ed25519_key.pub
- /etc/system-fips
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
|
+ - name: Run the role with default parameters without FIPS mode
+ include_role:
+ name: ansible-sshd
+
+ - name: Verify the options are correctly set
+ block:
+ - meta: flush_handlers
+
+ - name: Print current configuration file
+ slurp:
+ src: "{{ main_sshd_config }}"
+ register: config
+
+ - name: Get stat of private key
+ stat:
+ path: /etc/ssh/ssh_host_ed25519_key
+ register: privkey
+
+ - name: Get stat of public key
+ stat:
+ path: /etc/ssh/ssh_host_ed25519_key.pub
+ register: pubkey
+
+ - name: Check the key is in configuration file (without include)
+ assert:
+ that:
+ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
+ when:
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
+
+ - name: Check host key was generated
+ assert:
+ that:
+ - privkey.stat.exists
+ - pubkey.stat.exists
+ when:
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
+ tags: tests::verify
+
- name: Fake FIPS mode
block:
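Review bot: Both new assertions are gated on `ansible_facts['os_family'] == 'RedHat'`, so on any other family the non-FIPS run asserts nothing and the negative test passes vacuously; if that is intended, a comment on the block saying so would help, otherwise the `privkey.stat.exists` / `pubkey.stat.exists` checks could run unconditionally. The block also assumes the test host itself is not in FIPS mode: on a genuinely FIPS-enabled host the Ed25519 expectation would fail, and since the backup list already names `/etc/system-fips`, which the "Fake FIPS mode" block presumably creates, a `when:` on that indicator (or an early `meta: end_host`) would make the precondition explicit. The stat/assert sequence mirrors the verification block after the fake-FIPS run; a shared included task file parameterised by the expected key presence would avoid the duplication.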
- name: Create temporary directory
@@ -40,13 +79,13 @@
- name: Remove the Ed25519 hostkey
file:
path:
- /etc/ssh/ssh_host_ed255519_key
+ /etc/ssh/ssh_host_ed25519_key
state: absent
|
- name: Remove the Ed25519 pubkey
file:
path:
- /etc/ssh/ssh_host_ed255519_key.pub
+ /etc/ssh/ssh_host_ed25519_key.pub
state: absent
|
- name: Run the role with default parameters
@@ -64,18 +103,18 @@
|
- name: Get stat of private key
stat:
- path: /etc/ssh/ssh_host_ed255519_key
+ path: /etc/ssh/ssh_host_ed25519_key
register: privkey
|
- name: Get stat of public key
stat:
- path: /etc/ssh/ssh_host_ed255519_key.pub
+ path: /etc/ssh/ssh_host_ed25519_key.pub
register: pubkey
|
- name: Check the key is not in configuration file
assert:
that:
- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
+ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
|
- name: Check no host key was generated
assert:
--
2.34.1
From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 11 Apr 2022 13:07:44 +0200
Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, there are usually no hostkeys in that file, and no sanity
check for hostkeys was executed.
This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
defaults/main.yml | 1 +
tasks/install.yml | 8 +++++++-
vars/Fedora.yml | 6 ++++++
vars/RedHat_9.yml | 6 ++++++
4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 18d6114..7e40e51 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
# configuration or restarting), we make sure the keys exist and have correct
# permissions. To disable this check, set sshd_verify_hostkeys to false
sshd_verify_hostkeys: "auto"
+__sshd_verify_hostkeys_default: []
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
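Review bot: `__sshd_verify_hostkeys_default: []` is added to defaults/main.yml, the lowest-precedence layer, without a comment, and the comment block above it only describes `sshd_verify_hostkeys`; a reader of this file cannot tell that vars/Fedora.yml and vars/RedHat_9.yml override it, nor that it is what `auto` falls back to when the generated config names no HostKey. Suggested line above it: `# Internal: host keys OpenSSH reads by default, verified when 'auto' finds no HostKey in the managed config; overridden per OS in vars/`.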
diff --git a/tasks/install.yml b/tasks/install.yml
index 571281c..fa7d3c3 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -65,7 +65,13 @@
{% if not sshd_verify_hostkeys %}
{{ [] | to_json }}
{% elif sshd_verify_hostkeys == 'auto' %}
- {% if __sshd_hostkeys_from_config | from_json is string %}
+ {% if not __sshd_hostkeys_from_config | from_json %}
+ {% if __sshd_fips_mode %}
+ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
+ {% else %}
+ {{ __sshd_verify_hostkeys_default | to_json }}
+ {% endif %}
+ {% elif __sshd_hostkeys_from_config | from_json is string %}
{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
{% else %}
{{ __sshd_hostkeys_from_config }}
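Review bot: `__sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips)` uses `__sshd_hostkeys_nofips` without the `d([])` that the `__sshd_fips_mode` expression earlier in this file applies; the branch is reachable only when `__sshd_fips_mode` is truthy, which under that definition implies the variable is set, but the guard is implicit and lives two definitions away. Spelling it `{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips | d([])) | to_json }}` keeps the branch self-contained; the template hunks in patch 1 of this series have the same gap. `not __sshd_hostkeys_from_config | from_json` parses as `not (... | from_json)`, so the empty-list test itself is correct. The `__sshd_verify_hostkeys` definition starts before the hunk and its enclosing task is outside it.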
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 77bf172..cf2b081 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
__sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+ - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
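Review bot: `__sshd_hostkeys_nofips` is defined only here and in vars/RedHat_9.yml (identical hunk in this patch), so on every other platform it stays undefined, `__sshd_fips_mode` evaluates to an empty list and the FIPS host-key filtering is silently inert; if that is deliberate for RHEL 8 and non-RedHat hosts, a comment beside the variable would stop the next reader from assuming the filter is universal. The reason Ed25519 is excluded, presumably that the algorithm is not usable under FIPS mode on these releases, should be stated next to the entry, e.g. `# Ed25519 is not usable in FIPS mode on this release`. The two vars files now carry the same six lines; a shared vars file included from both would keep them from drifting.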
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
index 33df26a..55239f4 100644
--- a/vars/RedHat_9.yml
+++ b/vars/RedHat_9.yml
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
__sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+ - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
--
2.34.1