ansible.sshd's Issues

Role doesn't work for Red Hat 8

sshd_config_path: /etc/ssh is not set in the RedHat-8.yml variables file which causes the role to fail.

Suggestion: Put "sshd_config_path: /etc/ssh" in ./vars/main.yml so that the default is /etc/ssh and it can get overridden by the appropriate ./vars/.yml files.

SyslogFacility should be "AUTHPRIV" on rhel and derivatives

SyslogFacility is static, but should really be based on the default values of the distros, because otherwise /var/log/secure with the default rhel rsyslogd config doesn't work as expected. This might cause confusion for users and issues with other preconfigured packages.

I'm totally aware that rsyslog is kind of deprecated, but nonetheless it's still used widely and honoring distro defaults is always a good thing :)

SFTP subsystem defaults are incorrect for RHEL6 through RHEL8

The defaults for sftp are incorrect for RHEL systems.

The correct defaults are:

RHEL6: Subsystem sftp /usr/libexec/openssh/sftp-server
RHEL7: Subsystem sftp /usr/libexec/openssh/sftp-server
RHEL8: Subsystem sftp /usr/libexec/openssh/sftp-server

I'll put in a merge request.

#28

Missing var `sshd_config_path` for RedHat-8

If the target system relies on RedHat 8, the role throws an error.

TASK [arillso.sshd : set hostkeys according to openssh-version] ****************
fatal: [****]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'sshd_config_path' is undefined\n\nThe error appears to be in '/builds/mw/infrastructure/ansible-management/projects/internal-server-landscape/.ansible/roles/arillso.sshd/tasks/distribution/subtasks/crypto.yml': line 4, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: set hostkeys according to openssh-version\n  ^ here\n"}

The reason for this is that the file vars/RedHat-8.yml doesn't contain the definition of sshd_config_path.

The variable is also missing in:

Closes #22

ssh_banner should allow override

When ssh_banner is true then only '/etc/ssh/banner.txt' is configured in the sshd_config file. Allow a different banner file to be input.

sshd_config validation fails with: 'Match Group' in configuration but 'user' not in connection test specification

Hi,

On Ubuntu, the role deploys fine with default settings. But with sftp_enabled: true, it fails on sshd_config creation at the validation step. Solved this as described in the dev-sec issue #188:

diff --git a/tasks/main.yml b/tasks/main.yml
index 596bbcc..a356dfa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -166,7 +166,7 @@
     mode: 0600
     owner: "{{ ssh_owner }}"
     group: "{{ ssh_group }}"
-    validate: "/usr/sbin/sshd -T -f %s"
+    validate: "/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s"
   notify: restart sshd
   tags:
     - configuration
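
Review bot: on the new validate line, "-C addr=localhost" passes a hostname where the connection spec takes an address, and all three values (user=root, host=localhost, addr=localhost) are hard-coded with no explanation. Suggest "-C addr=127.0.0.1" so any Match Address criteria are compared against an address, and a short comment above validate saying the -C arguments are there only because sshd -T refuses a config containing Match Group without a connection spec. It is also worth noting in that comment that the test now evaluates Match blocks for root at localhost only, so it confirms the file parses but not the effective settings for the SFTP group's users.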

get openssh-version fails

&& false with pipefail makes this task always fail.
So sorry for missing this one. Slipped through my tests :-(

fixed in #4

rhostsrsaauthentication and rsaauthentication do not exist in OpenSSH >= 7.6

Both options RhostsRSAAuthentication and RSAAuthentication from ssh_config got removed in OpenSSH 7.6.
Every time I try to use the ssh config (on ubuntu 18.04 in my case) I get:
/etc/ssh/ssh_config line 72: Unsupported option "rhostsrsaauthentication"
/etc/ssh/ssh_config line 75: Unsupported option "rsaauthentication"

Unfortunately I couldn't verify that in a release note or changelog of OpenSSH, so I compared the man pages from the packages and noted that both options were removed in 7.6.
Ubuntu 18.04 and Debian 10 use OpenSSH 7.6.
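
A pre-deployment check for the failure reported in the issue above, as an added example that is not part of the role or of the original report: it reads an `ssh -V` banner and an ssh_config and lists the lines that the installed client would reject. The 7.6 cut-off is taken from the issue; the function names, the sample config and the sample banner are constructed for illustration.

```python
import re

# Options the issue above reports as removed from ssh_config in OpenSSH 7.6.
# Keys are lowercase because ssh_config keywords are case-insensitive.
REMOVED_IN = {
    "rhostsrsaauthentication": (7, 6),
    "rsaauthentication": (7, 6),
}


def parse_openssh_version(banner):
    """Extract (major, minor) from `ssh -V` output such as 'OpenSSH_7.6p1, ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def unsupported_options(config_text, version):
    """Return [(line_no, keyword)] for options the given version no longer accepts."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no option
        # Keyword and argument are separated by whitespace and/or '='.
        keyword = re.split(r"[\s=]+", line, maxsplit=1)[0]
        removed = REMOVED_IN.get(keyword.lower())
        if removed is not None and version >= removed:
            findings.append((line_no, keyword))
    return findings


# Constructed sample input (not taken from the issue).
SAMPLE_BANNER = "OpenSSH_7.6p1, OpenSSL 1.0.2n"
SAMPLE_CONFIG = """\
Host *
    # legacy protocol 1 settings
    RhostsRSAAuthentication no
    rsaauthentication=no
    HashKnownHosts yes
"""

if __name__ == "__main__":
    version = parse_openssh_version(SAMPLE_BANNER)
    for line_no, keyword in unsupported_options(SAMPLE_CONFIG, version):
        print("line %d: %s is not supported by OpenSSH %d.%d" % (line_no, keyword, *version))
```
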
