From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 10:42:17 +0200
Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter

This fixes up the commit 7f69d1e6

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 templates/sshd_config.j2         | 6 +++++-
 templates/sshd_config_snippet.j2 | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 15ee668..8c7f322 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -22,7 +22,11 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{%     set value = __sshd_defaults[key] %}
+{%     if key == 'HostKey' and __sshd_fips_mode %}
+{%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{%     else %}
+{%       set value = __sshd_defaults[key] %}
+{%     endif %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
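Review bot: `difference(__sshd_hostkeys_nofips)` has no `| d([])` fallback, so on a platform whose vars file does not define `__sshd_hostkeys_nofips` this branch raises an undefined-variable error as soon as `__sshd_fips_mode` is true; `| difference(__sshd_hostkeys_nofips | d([]))` keeps the template safe regardless of how `__sshd_fips_mode` is computed elsewhere. The branch also assumes `__sshd_defaults['HostKey']` is a list; if a vars file ever set it as a single string, `difference` would most likely operate on characters, so a short comment stating the list assumption is worthwhile. Note that the filter only trims the role defaults: a `HostKey` supplied by the user through `sshd` is passed through unfiltered, which looks intentional but deserves a comment such as `{# only the role's default HostKey list is trimmed in FIPS mode; a user-supplied HostKey is rendered as given #}`. The identical change in templates/sshd_config_snippet.j2 has the same points, and the enclosing macro starts before the hunk.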
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
index 6766e09..6b23c76 100644
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
@@ -21,7 +21,11 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{%     set value = __sshd_defaults[key] %}
+{%     if key == 'HostKey' and __sshd_fips_mode %}
+{%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{%     else %}
+{%       set value = __sshd_defaults[key] %}
+{%     endif %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
-- 
2.34.1


From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:10:27 +0200
Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
 well with the drop-in directory

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/tests_alternative_file.yml      | 2 ++
 tests/tests_alternative_file_role.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 0a8ccaf..215c726 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -6,6 +6,7 @@
       - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
       - /etc/ssh/sshd_config_custom
       - /etc/ssh/sshd_config_custom_second
+      - /tmp/ssh_host_ecdsa_key
   tasks:
     - name: "Backup configuration files"
       include_tasks: tasks/backup.yml
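Review bot: `/tmp/ssh_host_ecdsa_key` is added to `__sshd_test_backup_files`, but nothing in this hunk shows where that key path is configured; presumably it is passed to the role as a `HostKey` further down the play, outside the hunk. Keeping a host key under a world-writable `/tmp` is acceptable only because this is a test fixture, and a comment would make that explicit: `# test-only key path; host keys on a real system belong under /etc/ssh`. The same list change appears in tests/tests_alternative_file_role.yml.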
@@ -52,6 +53,7 @@
       include_role:
         name: ansible-sshd
       vars:
+        sshd_config_file: /etc/ssh/sshd_config
         sshd:
           Banner: /etc/issue
           Ciphers: aes192-ctr
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 9177709..3e7c7ea 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -6,6 +6,7 @@
       - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
       - /etc/ssh/sshd_config_custom
       - /etc/ssh/sshd_config_custom_second
+      - /tmp/ssh_host_ecdsa_key
   tasks:
     - name: "Backup configuration files"
       include_tasks: tasks/backup.yml
@@ -57,6 +58,7 @@
   roles:
     - ansible-sshd
   vars:
+    sshd_config_file: /etc/ssh/sshd_config
     sshd:
       Banner: /etc/issue
       Ciphers: aes192-ctr
-- 
2.34.1


From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:17:12 +0200
Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/tasks/setup.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
index 90a3f00..a0e9324 100644
--- a/tests/tasks/setup.yml
+++ b/tests/tasks/setup.yml
@@ -26,6 +26,5 @@
     main_sshd_config_name: 00-ansible_system_role.conf
     main_sshd_config_path: /etc/ssh/sshd_config.d/
   when: >
-    ansible_facts['distribution'] == 'Fedora' or
-    (ansible_facts['distribution'] == 'RedHat' and
-     ansible_facts['distribution_major_version']|int > 8)
+    ansible_facts['os_family'] == 'RedHat' and
+    ansible_facts['distribution_major_version']|int > 8
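Review bot: The new condition `ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8` now covers every RedHat-family distribution with a major version above 8, not only CentOS 9; Fedora presumably still matches through its large major version, but so would any other RedHat-family derivative for which the role ships no vars file, and the test would then expect a drop-in path the role does not actually use. If that is acceptable, a comment stating the intent would document it: `# RHEL/CentOS Stream 9+ and Fedora place the role's config in the sshd_config.d drop-in directory`. The enclosing task starts before the hunk.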
-- 
2.34.1


From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:20:34 +0200
Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/tests_alternative_file.yml      | 2 +-
 tests/tests_alternative_file_role.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 215c726..172c73a 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -82,7 +82,7 @@
 
         - name: Print the main configuration file
           slurp:
-            src: "{{ main_sshd_config }}"
+            src: /etc/ssh/sshd_config
           register: config3
 
         - name: Check content of first configuration file
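Review bot: The slurp now hard-codes `/etc/ssh/sshd_config` instead of reading the `sshd_config_file` value the role is invoked with, so the two can silently drift if one is edited. In tests/tests_alternative_file_role.yml, where `sshd_config_file` is a play-level var, `src: "{{ sshd_config_file }}"` would keep them in sync; in this file the variable is scoped to the `include_role` call, so it would need lifting to play vars first. The task belongs to a block that starts outside the hunk.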
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 3e7c7ea..09fbce4 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -98,7 +98,7 @@
 
         - name: Print the main configuration file
           slurp:
-            src: "{{ main_sshd_config }}"
+            src: /etc/ssh/sshd_config
           register: config3
 
         - name: Check content of first configuration file
-- 
2.34.1


From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 20:28:32 +0200
Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tasks/install.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/tasks/install.yml b/tasks/install.yml
index f1d8455..571281c 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -40,10 +40,11 @@
 
 - name: Make sure hostkeys are available and have expected permissions
   vars: &share_vars
+    # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
     __sshd_fips_mode: >-
-      - __sshd_hostkeys_nofips | d([])
-      - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
-        __sshd_userspace_fips_mode.content | b64decode != "0" | bool
+      {{ __sshd_hostkeys_nofips | d([]) and
+         (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
+          __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
     # This mimics the macro body_option() in sshd_config.j2
     # The explicit to_json filter is needed for Python 2 compatibility
     __sshd_hostkeys_from_config: >-
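Review bot: `__sshd_fips_mode` is not always a boolean: Jinja's `and` returns its left operand when that operand is falsy, so with `__sshd_hostkeys_nofips` undefined or empty the expression yields the list `[]` rendered as text rather than `false`, and consumers such as `{% if __sshd_fips_mode %}` then rely on Ansible re-evaluating the rendered string as a literal. Writing the left operand as `(__sshd_hostkeys_nofips | d([]) | length > 0) and (...)` makes the variable a genuine boolean on every path. The comment above the variable could also say what the default stands for: `# 'MAo=' is base64 for "0\n": if a FIPS indicator file could not be read, the host is treated as non-FIPS`. The userspace test `!= '0'` treats any unexpected content as FIPS enabled, which errs toward filtering keys out; that is a reasonable conservative choice but worth a one-line comment. The `vars:` mapping continues beyond the hunk.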
@@ -58,14 +59,14 @@
           {{ __sshd_defaults['HostKey'] | to_json }}
         {% endif %}
       {% else %}
-        []
+        {{ [] | to_json }}
       {% endif %}
     __sshd_verify_hostkeys: >-
       {% if not sshd_verify_hostkeys %}
-        []
+        {{ [] | to_json }}
       {% elif sshd_verify_hostkeys == 'auto' %}
-        {% if sshd_HostKey is string %}
-          [ {{ __sshd_hostkeys_from_config }} ]
+        {% if __sshd_hostkeys_from_config | from_json is string %}
+          {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
         {% else %}
           {{ __sshd_hostkeys_from_config }}
         {% endif %}
-- 
2.34.1


From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 11 Apr 2022 13:06:24 +0200
Subject: [PATCH 6/7] tests: Add negative test for FIPS mode

This also fixes a typo that was overlooked previously

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 7 deletions(-)

diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
index 65cc765..7cf3767 100644
--- a/tests/tests_hostkeys_fips.yml
+++ b/tests/tests_hostkeys_fips.yml
@@ -4,13 +4,52 @@
     __sshd_test_backup_files:
       - /etc/ssh/sshd_config
       - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
-      - /etc/ssh/ssh_host_ed255519_key
-      - /etc/ssh/ssh_host_ed255519_key.pub
+      - /etc/ssh/ssh_host_ed25519_key
+      - /etc/ssh/ssh_host_ed25519_key.pub
       - /etc/system-fips
   tasks:
     - name: "Backup configuration files"
       include_tasks: tasks/backup.yml
 
+    - name: Run the role with default parameters without FIPS mode
+      include_role:
+        name: ansible-sshd
+
+    - name: Verify the options are correctly set
+      block:
+        - meta: flush_handlers
+
+        - name: Print current configuration file
+          slurp:
+            src: "{{ main_sshd_config }}"
+          register: config
+
+        - name: Get stat of private key
+          stat:
+            path: /etc/ssh/ssh_host_ed25519_key
+          register: privkey
+
+        - name: Get stat of public key
+          stat:
+            path: /etc/ssh/ssh_host_ed25519_key.pub
+          register: pubkey
+
+        - name: Check the key is in configuration file (without include)
+          assert:
+            that:
+              - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
+          when:
+            - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
+
+        - name: Check host key was generated
+          assert:
+            that:
+              - privkey.stat.exists
+              - pubkey.stat.exists
+      when:
+        - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
+      tags: tests::verify
+
     - name: Fake FIPS mode
       block:
         - name: Create temporary directory
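Review bot: The new "Check host key was generated" assertion can pass without the role generating anything, because this first run does not remove `/etc/ssh/ssh_host_ed25519_key` beforehand, unlike the FIPS run later in the file where the key and its pubkey are removed first; a key that already exists on the test image satisfies `privkey.stat.exists` on its own. Moving the two removal tasks ahead of this run, or asserting that the key's mtime or inode changed across the run, would make the negative test meaningful. The repeated `ansible_facts['os_family'] == 'RedHat' and ...` conditions could share one play-level fact, but that is style only. The "Fake FIPS mode" block that begins at the end of the hunk continues outside it.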
@@ -40,13 +79,13 @@
     - name: Remove the Ed25519 hostkey
       file:
         path:
-          /etc/ssh/ssh_host_ed255519_key
+          /etc/ssh/ssh_host_ed25519_key
         state: absent
 
     - name: Remove the Ed25519 pubkey
       file:
         path:
-          /etc/ssh/ssh_host_ed255519_key.pub
+          /etc/ssh/ssh_host_ed25519_key.pub
         state: absent
 
     - name: Run the role with default parameters
@@ -64,18 +103,18 @@
 
         - name: Get stat of private key
           stat:
-            path: /etc/ssh/ssh_host_ed255519_key
+            path: /etc/ssh/ssh_host_ed25519_key
           register: privkey
 
         - name: Get stat of public key
           stat:
-            path: /etc/ssh/ssh_host_ed255519_key.pub
+            path: /etc/ssh/ssh_host_ed25519_key.pub
           register: pubkey
 
         - name: Check the key is not in configuration file
           assert:
             that:
-              - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
+              - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
 
         - name: Check no host key was generated
           assert:
-- 
2.34.1


From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 11 Apr 2022 13:07:44 +0200
Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
 directory

Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, there are usually no hostkeys in that file, so no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 defaults/main.yml | 1 +
 tasks/install.yml | 8 +++++++-
 vars/Fedora.yml   | 6 ++++++
 vars/RedHat_9.yml | 6 ++++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 18d6114..7e40e51 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
 # configuration or restarting), we make sure the keys exist and have correct
 # permissions. To disable this check, set sshd_verify_hostkeys to false
 sshd_verify_hostkeys: "auto"
+__sshd_verify_hostkeys_default: []
 sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
 sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
 sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
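Review bot: `__sshd_verify_hostkeys_default: []` is a double-underscore (role-internal) variable placed in defaults/main.yml among user-facing settings, with no comment of its own; the comment block above describes only `sshd_verify_hostkeys`. A line such as `# Hostkeys checked when sshd_verify_hostkeys is "auto" and the generated configuration lists no HostKey; empty here and overridden per distribution in vars/` would tell a reader why it lives here and why it is empty by default.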
diff --git a/tasks/install.yml b/tasks/install.yml
index 571281c..fa7d3c3 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -65,7 +65,13 @@
       {% if not sshd_verify_hostkeys %}
         {{ [] | to_json }}
       {% elif sshd_verify_hostkeys == 'auto' %}
-        {% if __sshd_hostkeys_from_config | from_json is string %}
+        {% if not __sshd_hostkeys_from_config | from_json %}
+          {% if __sshd_fips_mode %}
+            {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
+          {% else %}
+            {{ __sshd_verify_hostkeys_default | to_json }}
+          {% endif %}
+        {% elif __sshd_hostkeys_from_config | from_json is string %}
           {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
         {% else %}
           {{ __sshd_hostkeys_from_config }}
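Review bot: The new branch repeats the FIPS filtering the templates perform for `HostKey`, and `__sshd_hostkeys_nofips` is used without the `| d([])` guard that `__sshd_fips_mode` itself applies a few lines above; the current definition of `__sshd_fips_mode` appears to guarantee the list is non-empty whenever the branch is taken, but a `| d([])` here documents that assumption rather than depending on it. The two inner branches could also collapse into one line: `{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips | d([]) if __sshd_fips_mode else []) | to_json }}`. The `__sshd_verify_hostkeys` value continues outside the hunk.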
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 77bf172..cf2b081 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
 __sshd_defaults:
 __sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+  - /etc/ssh/ssh_host_rsa_key
+  - /etc/ssh/ssh_host_ecdsa_key
+  - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+  - /etc/ssh/ssh_host_ed25519_key
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
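Review bot: With these lists in place, "auto" mode now checks `/etc/ssh/ssh_host_rsa_key`, `/etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_ed25519_key` whenever the generated configuration lists no HostKey, and the test added in tests/tests_hostkeys_fips.yml suggests the role creates a missing key rather than only reporting it; if so, on hosts where an administrator deliberately removed one of the default keys as a hardening step, the role would recreate it. That is a behaviour change worth stating in the commit message and next to `sshd_verify_hostkeys` in defaults/main.yml, together with the opt-out (`sshd_verify_hostkeys: false` or an explicit list). The same two lists appear verbatim in vars/RedHat_9.yml; a shared vars file would avoid the two copies drifting, if the role's vars loading allows it.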
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
index 33df26a..55239f4 100644
--- a/vars/RedHat_9.yml
+++ b/vars/RedHat_9.yml
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
 __sshd_defaults:
 __sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+  - /etc/ssh/ssh_host_rsa_key
+  - /etc/ssh/ssh_host_ecdsa_key
+  - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+  - /etc/ssh/ssh_host_ed25519_key
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
-- 
2.34.1