578962e83f
The sshd role now implements the existing logic found within the legacy puppet manifest. This change will ensure our ssh configs are managed in the same way as before, with the same user interface, resulting in the same functional outcomes. A new molecule test has been added to ensure we're exercising all available code paths. This new test will run through our banner and motd configuration options. Change-Id: I68a12c0992455c5a9dc3362b8121151235f409a2 Signed-off-by: Kevin Carter <kecarter@redhat.com>
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# found within the "vars/" path. If no OS files are found the task will skip.
# Load the per-distribution variable file for this host. Candidates are tried
# from most to least specific; `skip: true` turns "no candidate exists" into
# a skipped task instead of a failure. Tagged `always` so the variables are
# loaded even when the play is restricted to other tags.
- name: Gather variables for each operating system
  tags:
    - always
  include_vars: '{{ item }}'
  with_first_found:
    - skip: true
      files:
        - '{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml'
        - '{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml'
        - '{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml'
        - '{{ ansible_distribution | lower }}.yml'
        - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
        - '{{ ansible_os_family | lower }}.yml'
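# Everything below writes /etc/ssh/sshd_config or files that sshd reads, so
# the whole block runs under `become`. Every edit to sshd_config is checked
# with `sshd -T` against the temporary copy before it is moved into place,
# and handlers are flushed once at the end so sshd restarts on the final
# configuration rather than on an intermediate one.
- name: Run sshd tasks as root
  become: true
  block:
    - name: Install the OpenSSH server
      package:
        name: "{{ tripleo_sshd_packages }}"
        state: "{{ tripleo_sshd_package_state }}"
      notify:
        - Restart sshd

    # Flushing here makes sure a freshly installed sshd has been started
    # before its configuration is rewritten below.
    - name: Flush all handlers
      meta: flush_handlers

    - name: Adjust ssh server configuration
      template:
        dest: /etc/ssh/sshd_config
        src: sshd_config_block.j2
        validate: '/usr/sbin/sshd -T -f %s'
      notify:
        - Restart sshd

    # Fix: `PermitRootLogin` must be a quoted string in the conditional.
    # Unquoted it is a Jinja variable reference, which is undefined here and
    # makes the conditional fail whenever the first operand is true; the
    # defect was likely masked because `and` short-circuits when password
    # authentication is 'no'. The comparison is against the string 'no' —
    # keep the value quoted in vars files, since a bare `no` is the boolean
    # false and would not match.
    # NOTE(review): assumes tripleo_sshd_server_options is a mapping keyed by
    # sshd option name — confirm against the role defaults.
    - name: PasswordAuthentication notice
      debug:
        msg: >-
          Notice - The option `tripleo_sshd_password_authentication` is set to
          "{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is
          undefined. While this may be perfectly valid, the sshd_config options
          should be reviewed to ensure general user access is functional and
          meeting expectations.
      when:
        - tripleo_sshd_password_authentication != 'no'
        - "'PermitRootLogin' not in tripleo_sshd_server_options"

    # Applied after the template so the explicit setting wins over whatever
    # the template emitted (commented or not) for this option.
    - name: Adjust ssh server auth configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PasswordAuthentication.*'
        line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
        validate: '/usr/sbin/sshd -T -f %s'
      notify:
        - Restart sshd

    # Pre-login banner: the text lands in /etc/issue and sshd is pointed at
    # it. Both tasks are gated on the same flag so they toggle together.
    # NOTE(review): disabling the flag skips these tasks rather than removing
    # an existing Banner line; whether a stale line is cleared depends on what
    # sshd_config_block.j2 emits — confirm.
    - name: Configure the banner text
      copy:
        content: "{{ tripleo_sshd_banner_text }}"
        dest: /etc/issue
      when:
        - tripleo_sshd_banner_enabled | bool

    - name: Adjust ssh server banner configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?Banner.*'
        line: 'Banner /etc/issue'
        validate: '/usr/sbin/sshd -T -f %s'
      when:
        - tripleo_sshd_banner_enabled | bool
      notify:
        - Restart sshd

    # Post-login message: same pattern with /etc/motd and PrintMotd.
    - name: Configure the motd banner
      copy:
        content: "{{ tripleo_sshd_message_of_the_day }}"
        dest: /etc/motd
      when:
        - tripleo_sshd_motd_enabled | bool

    - name: Adjust ssh server motd configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PrintMotd.*'
        line: 'PrintMotd yes'
        validate: '/usr/sbin/sshd -T -f %s'
      when:
        - tripleo_sshd_motd_enabled | bool
      notify:
        - Restart sshd

    # Restart sshd now (if anything above changed) instead of at the end of
    # the play, so anything that runs after this role sees the final config.
    - name: Flush all handlers
      meta: flush_handlers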