diff --git a/.gitignore b/.gitignore index 6ec4a27..50e375e 100644 --- a/.gitignore +++ b/.gitignore @@ -19,5 +19,5 @@ SOURCES/selinux-1.3.4.tar.gz SOURCES/ssh-1.1.4.tar.gz SOURCES/storage-1.7.0.tar.gz SOURCES/timesync-1.6.6.tar.gz -SOURCES/tlog-1.2.5.tar.gz +SOURCES/tlog-1.2.6.tar.gz SOURCES/vpn-1.3.2.tar.gz diff --git a/.rhel-system-roles.metadata b/.rhel-system-roles.metadata index 265b0e5..c7602f8 100644 --- a/.rhel-system-roles.metadata +++ b/.rhel-system-roles.metadata @@ -19,5 +19,5 @@ dcd2261fe6b6a998aca3eb6c968204152e2ffd51 SOURCES/network-1.7.1.tar.gz f38972c4b22a9f226b58725c7e9ba8fac692bba2 SOURCES/ssh-1.1.4.tar.gz 0728b4e01261f84ce470431a4ea21907db75f26a SOURCES/storage-1.7.0.tar.gz 0bd118c9df9bf556a76d42c92bde11fde5553eba SOURCES/timesync-1.6.6.tar.gz -17e6f3d437d161143c87b6709a42a3eff6ef7df0 SOURCES/tlog-1.2.5.tar.gz +d10a0dd866c1ce982d2ba22500718df3fb2ab766 SOURCES/tlog-1.2.6.tar.gz d1bb00636c04bc1b2d94ce0e491afe9ef921cd56 SOURCES/vpn-1.3.2.tar.gz diff --git a/SOURCES/ansible-sshd.patch b/SOURCES/ansible-sshd.patch new file mode 100644 index 0000000..8d6817d --- /dev/null +++ b/SOURCES/ansible-sshd.patch 
@@ -0,0 +1,428 @@ +From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 10:42:17 +0200 +Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter + +This fixes up the commit 7f69d1e6 + +Signed-off-by: Jakub Jelen +--- + templates/sshd_config.j2 | 6 +++++- + templates/sshd_config_snippet.j2 | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 +index 15ee668..8c7f322 100644 +--- a/templates/sshd_config.j2 ++++ b/templates/sshd_config.j2 +@@ -22,7 +22,11 @@ + {% elif sshd[key] is defined %} + {% set value = sshd[key] %} + {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} +-{% set value = __sshd_defaults[key] %} ++{% if key == 'HostKey' and __sshd_fips_mode %} ++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} ++{% else %} ++{% set value = __sshd_defaults[key] %} ++{% endif %} + {% endif %} + {{ render_option(key,value) -}} + {% endmacro %} +diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2 +index 6766e09..6b23c76 100644 +--- a/templates/sshd_config_snippet.j2 ++++ b/templates/sshd_config_snippet.j2 +@@ -21,7 +21,11 @@ + {% elif sshd[key] is defined %} + {% set value = sshd[key] %} + {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} +-{% set value = __sshd_defaults[key] %} ++{% if key == 'HostKey' and __sshd_fips_mode %} ++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} ++{% else %} ++{% set value = __sshd_defaults[key] %} ++{% endif %} + {% endif %} + {{ render_option(key,value) -}} + {% endmacro %} +-- +2.34.1 + + +From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 11:10:27 +0200 +Subject: [PATCH 2/7] Set explicit path to the main configuration file to work + well with the drop-in directory + +Signed-off-by: Jakub Jelen +--- + 
tests/tests_alternative_file.yml | 2 ++ + tests/tests_alternative_file_role.yml | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml +index 0a8ccaf..215c726 100644 +--- a/tests/tests_alternative_file.yml ++++ b/tests/tests_alternative_file.yml +@@ -6,6 +6,7 @@ + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf + - /etc/ssh/sshd_config_custom + - /etc/ssh/sshd_config_custom_second ++ - /tmp/ssh_host_ecdsa_key + tasks: + - name: "Backup configuration files" + include_tasks: tasks/backup.yml +@@ -52,6 +53,7 @@ + include_role: + name: ansible-sshd + vars: ++ sshd_config_file: /etc/ssh/sshd_config + sshd: + Banner: /etc/issue + Ciphers: aes192-ctr +diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml +index 9177709..3e7c7ea 100644 +--- a/tests/tests_alternative_file_role.yml ++++ b/tests/tests_alternative_file_role.yml +@@ -6,6 +6,7 @@ + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf + - /etc/ssh/sshd_config_custom + - /etc/ssh/sshd_config_custom_second ++ - /tmp/ssh_host_ecdsa_key + tasks: + - name: "Backup configuration files" + include_tasks: tasks/backup.yml +@@ -57,6 +58,7 @@ + roles: + - ansible-sshd + vars: ++ sshd_config_file: /etc/ssh/sshd_config + sshd: + Banner: /etc/issue + Ciphers: aes192-ctr +-- +2.34.1 + + +From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 11:17:12 +0200 +Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9 + +Signed-off-by: Jakub Jelen +--- + tests/tasks/setup.yml | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml +index 90a3f00..a0e9324 100644 +--- a/tests/tasks/setup.yml ++++ b/tests/tasks/setup.yml +@@ -26,6 +26,5 @@ + main_sshd_config_name: 00-ansible_system_role.conf + main_sshd_config_path: /etc/ssh/sshd_config.d/ + when: > +- ansible_facts['distribution'] == 
'Fedora' or +- (ansible_facts['distribution'] == 'RedHat' and +- ansible_facts['distribution_major_version']|int > 8) ++ ansible_facts['os_family'] == 'RedHat' and ++ ansible_facts['distribution_major_version']|int > 8 +-- +2.34.1 + + +From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 11:20:34 +0200 +Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config + +Signed-off-by: Jakub Jelen +--- + tests/tests_alternative_file.yml | 2 +- + tests/tests_alternative_file_role.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml +index 215c726..172c73a 100644 +--- a/tests/tests_alternative_file.yml ++++ b/tests/tests_alternative_file.yml +@@ -82,7 +82,7 @@ + + - name: Print the main configuration file + slurp: +- src: "{{ main_sshd_config }}" ++ src: /etc/ssh/sshd_config + register: config3 + + - name: Check content of first configuration file +diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml +index 3e7c7ea..09fbce4 100644 +--- a/tests/tests_alternative_file_role.yml ++++ b/tests/tests_alternative_file_role.yml +@@ -98,7 +98,7 @@ + + - name: Print the main configuration file + slurp: +- src: "{{ main_sshd_config }}" ++ src: /etc/ssh/sshd_config + register: config3 + + - name: Check content of first configuration file +-- +2.34.1 + + +From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 20:28:32 +0200 +Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering + +Signed-off-by: Jakub Jelen +--- + tasks/install.yml | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/tasks/install.yml b/tasks/install.yml +index f1d8455..571281c 100644 +--- a/tasks/install.yml ++++ b/tasks/install.yml +@@ -40,10 +40,11 @@ + + - name: Make sure hostkeys are available and have 
expected permissions + vars: &share_vars ++ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default + __sshd_fips_mode: >- +- - __sshd_hostkeys_nofips | d([]) +- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \ +- __sshd_userspace_fips_mode.content | b64decode != "0" | bool ++ {{ __sshd_hostkeys_nofips | d([]) and ++ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or ++ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }} + # This mimics the macro body_option() in sshd_config.j2 + # The explicit to_json filter is needed for Python 2 compatibility + __sshd_hostkeys_from_config: >- +@@ -58,14 +59,14 @@ + {{ __sshd_defaults['HostKey'] | to_json }} + {% endif %} + {% else %} +- [] ++ {{ [] | to_json }} + {% endif %} + __sshd_verify_hostkeys: >- + {% if not sshd_verify_hostkeys %} +- [] ++ {{ [] | to_json }} + {% elif sshd_verify_hostkeys == 'auto' %} +- {% if sshd_HostKey is string %} +- [ {{ __sshd_hostkeys_from_config }} ] ++ {% if __sshd_hostkeys_from_config | from_json is string %} ++ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }} + {% else %} + {{ __sshd_hostkeys_from_config }} + {% endif %} +-- +2.34.1 + + +From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 11 Apr 2022 13:06:24 +0200 +Subject: [PATCH 6/7] tests: Add negative test for FIPS mode + +This fixes also a typo that was overlooked previously + +Signed-off-by: Jakub Jelen +--- + tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++----- + 1 file changed, 46 insertions(+), 7 deletions(-) + +diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml +index 65cc765..7cf3767 100644 +--- a/tests/tests_hostkeys_fips.yml ++++ b/tests/tests_hostkeys_fips.yml +@@ -4,13 +4,52 @@ + __sshd_test_backup_files: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf +- - /etc/ssh/ssh_host_ed255519_key +- - 
/etc/ssh/ssh_host_ed255519_key.pub ++ - /etc/ssh/ssh_host_ed25519_key ++ - /etc/ssh/ssh_host_ed25519_key.pub + - /etc/system-fips + tasks: + - name: "Backup configuration files" + include_tasks: tasks/backup.yml + ++ - name: Run the role with default parameters without FIPS mode ++ include_role: ++ name: ansible-sshd ++ ++ - name: Verify the options are correctly set ++ block: ++ - meta: flush_handlers ++ ++ - name: Print current configuration file ++ slurp: ++ src: "{{ main_sshd_config }}" ++ register: config ++ ++ - name: Get stat of private key ++ stat: ++ path: /etc/ssh/ssh_host_ed25519_key ++ register: privkey ++ ++ - name: Get stat of public key ++ stat: ++ path: /etc/ssh/ssh_host_ed25519_key.pub ++ register: pubkey ++ ++ - name: Check the key is in configuration file (without include) ++ assert: ++ that: ++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode" ++ when: ++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9 ++ ++ - name: Check host key was generated ++ assert: ++ that: ++ - privkey.stat.exists ++ - pubkey.stat.exists ++ when: ++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6 ++ tags: tests::verify ++ + - name: Fake FIPS mode + block: + - name: Create temporary directory +@@ -40,13 +79,13 @@ + - name: Remove the Ed25519 hostkey + file: + path: +- /etc/ssh/ssh_host_ed255519_key ++ /etc/ssh/ssh_host_ed25519_key + state: absent + + - name: Remove the Ed25519 pubkey + file: + path: +- /etc/ssh/ssh_host_ed255519_key.pub ++ /etc/ssh/ssh_host_ed25519_key.pub + state: absent + + - name: Run the role with default parameters +@@ -64,18 +103,18 @@ + + - name: Get stat of private key + stat: +- path: /etc/ssh/ssh_host_ed255519_key ++ path: /etc/ssh/ssh_host_ed25519_key + register: privkey + + - name: Get stat of public key + stat: +- path: /etc/ssh/ssh_host_ed255519_key.pub ++ path: /etc/ssh/ssh_host_ed25519_key.pub + register: pubkey + + - 
name: Check the key is not in configuration file + assert: + that: +- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode" ++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode" + + - name: Check no host key was generated + assert: +-- +2.34.1 + + +From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 11 Apr 2022 13:07:44 +0200 +Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in + directory + +Previously no hostkeys were checked if they were not present +in the generated configuration file. When the drop-in directory is +used, usually, there are no hostkeys in that file and no sanity +check for hostkeys was executed. + +This amends the "auto" value for the hostkeys check to allow checking +for default hostkeys that are read by OpenSSH by default. + +Signed-off-by: Jakub Jelen +--- + defaults/main.yml | 1 + + tasks/install.yml | 8 +++++++- + vars/Fedora.yml | 6 ++++++ + vars/RedHat_9.yml | 6 ++++++ + 4 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/defaults/main.yml b/defaults/main.yml +index 18d6114..7e40e51 100644 +--- a/defaults/main.yml ++++ b/defaults/main.yml +@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server + # configuration or restarting), we make sure the keys exist and have correct + # permissions. 
To disable this check, set sshd_verify_hostkeys to false + sshd_verify_hostkeys: "auto" ++__sshd_verify_hostkeys_default: [] + sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}" + sshd_hostkey_group: "{{ __sshd_hostkey_group }}" + sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}" +diff --git a/tasks/install.yml b/tasks/install.yml +index 571281c..fa7d3c3 100644 +--- a/tasks/install.yml ++++ b/tasks/install.yml +@@ -65,7 +65,13 @@ + {% if not sshd_verify_hostkeys %} + {{ [] | to_json }} + {% elif sshd_verify_hostkeys == 'auto' %} +- {% if __sshd_hostkeys_from_config | from_json is string %} ++ {% if not __sshd_hostkeys_from_config | from_json %} ++ {% if __sshd_fips_mode %} ++ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }} ++ {% else %} ++ {{ __sshd_verify_hostkeys_default | to_json }} ++ {% endif %} ++ {% elif __sshd_hostkeys_from_config | from_json is string %} + {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }} + {% else %} + {{ __sshd_hostkeys_from_config }} +diff --git a/vars/Fedora.yml b/vars/Fedora.yml +index 77bf172..cf2b081 100644 +--- a/vars/Fedora.yml ++++ b/vars/Fedora.yml +@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server + __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf + __sshd_defaults: + __sshd_os_supported: yes ++__sshd_verify_hostkeys_default: ++ - /etc/ssh/ssh_host_rsa_key ++ - /etc/ssh/ssh_host_ecdsa_key ++ - /etc/ssh/ssh_host_ed25519_key ++__sshd_hostkeys_nofips: ++ - /etc/ssh/ssh_host_ed25519_key + __sshd_hostkey_group: ssh_keys + __sshd_hostkey_mode: "0640" +diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml +index 33df26a..55239f4 100644 +--- a/vars/RedHat_9.yml ++++ b/vars/RedHat_9.yml +@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server + __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf + __sshd_defaults: + __sshd_os_supported: yes ++__sshd_verify_hostkeys_default: ++ - /etc/ssh/ssh_host_rsa_key ++ - 
/etc/ssh/ssh_host_ecdsa_key ++ - /etc/ssh/ssh_host_ed25519_key ++__sshd_hostkeys_nofips: ++ - /etc/ssh/ssh_host_ed25519_key + __sshd_hostkey_group: ssh_keys + __sshd_hostkey_mode: "0640" +-- +2.34.1 + diff --git a/SPECS/linux-system-roles.spec b/SPECS/linux-system-roles.spec index a3bb936..6fcfc63 100644 --- a/SPECS/linux-system-roles.spec +++ b/SPECS/linux-system-roles.spec @@ -31,7 +31,7 @@ Name: linux-system-roles Url: https://github.com/linux-system-roles Summary: Set of interfaces for unified system management Version: 1.16.2 -Release: 1%{?dist} +Release: 1%{?dist}.2 #Group: Development/Libraries License: GPLv3+ and MIT and BSD and Python @@ -155,7 +155,7 @@ BuildRequires: %{ansible_build_dep} #%%defcommit 8 2b9e53233ee3a68bdb532e62f289733e436a6106 %global rolename8 tlog -%deftag 8 1.2.5 +%deftag 8 1.2.6 #%%defcommit 9 9373303b98e09ef38df7afc8d06e5e55812096c7 %global rolename9 kernel_settings @@ -242,6 +242,8 @@ Source998: collection_readme.sh Patch51: network-disable-bondtests.diff +Patch1501: ansible-sshd.patch + BuildArch: noarch %if %{with html} @@ -334,6 +336,7 @@ cd %{rolename5} %patch51 -p1 cd .. cd %{rolename15} +%patch1501 -p1 sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml sed -r -i -e "s/ willshersystems.sshd/ linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md sed -r -i -e "s/min_ansible_version: 2.8/min_ansible_version: 2.9/" meta/main.yml @@ -710,6 +713,14 @@ fi %endif %changelog +* Thu Apr 21 2022 Rich Megginson - 1.16.2-1.2 +- sshd - FIPS mode detection in SSHD role is wrong + Resolves rhbz#2077475 (EL9) + +* Wed Apr 20 2022 Rich Megginson - 1.16.2-1.1 +- Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default + Resolves rhbz#2075545 (EL9) + * Tue Mar 29 2022 Rich Megginson - 1.16.2-1 - nbde_client - NBDE client system role does not support servers with static IP addresses previous fix did not handle some cases
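Review bot: In PATCH 5/7 (tasks/install.yml) the new `__sshd_fips_mode` value is not a boolean: Jinja's `and` yields an operand, so `{{ __sshd_hostkeys_nofips | d([]) and (...) }}` evaluates to `[]` whenever the platform defines no non-FIPS hostkeys, and a host whose kernel flag is `1` is then reported as non-FIPS — harmless for the two visible consumers, which only feed `difference(__sshd_hostkeys_nofips)`, but misleading for the next use of a variable named as pure detection. I would keep the flag as `{{ __sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0' }}` and apply `| d([])` to `__sshd_hostkeys_nofips` at the `difference()` call sites in the templates and in PATCH 7/7 instead. The `!= '0'` comparison also means an empty or malformed userspace flag file (as opposed to a missing one, which the `d('MAo=')` default maps to "0") is treated as FIPS mode; that fails closed, but it deserves a comment such as `# anything other than a literal '0' is treated as FIPS mode (fail closed)`, and which files the two slurp results come from is outside this hunk, so I have not checked that this is the intended behaviour. Note too that the filter in PATCH 1/7 is only on the `__sshd_defaults[key]` branch, so an Ed25519 key listed explicitly via `sshd`/`sshd_HostKey` is still written to the configuration in FIPS mode and nothing in the visible `__sshd_verify_hostkeys` logic filters it either; the README should state that explicit HostKey values are passed through unfiltered.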