ssh

An Ansible role for managing ssh client configuration.

Requirements

This role should work on any system that provides the OpenSSH client and is supported by Ansible. The role was tested on:

  • RHEL/CentOS 6, 7, 8, 9
  • Fedora
  • Debian
  • Ubuntu

Collection requirements

In order to manage rpm-ostree systems, the role requires modules from external collections. Use the following command to install them:

ansible-galaxy collection install -vv -r meta/collection-requirements.yml

Role Variables

By default, the role does not change the effective system configuration: it generates a global ssh_config that matches the OS default (the generated configuration does not preserve comments or the order of the options).

ssh_user

By default (null) the role modifies the global configuration for all users. Any other value is interpreted as a username, and the role modifies that user's per-user configuration stored under ~/.ssh/config. The user must exist before this role is invoked; otherwise the role fails.

ssh_skip_defaults

By default (auto), when the role writes the system-wide configuration file /etc/ssh/ssh_config, it keeps the OS defaults defined there (behaving as true). Keeping the defaults is automatically disabled when a drop-in configuration file is created (ssh_drop_in_name != null) or when a per-user configuration file is created (ssh_user != null).

ssh_drop_in_name

This defines the name of the drop-in configuration file placed in the system-wide drop-in directory. The name is substituted into the template /etc/ssh/ssh_config.d/{name}.conf to locate the configuration file to be modified. If the system does not support a drop-in directory, setting this option makes the play fail. The default is null if the system does not support a drop-in directory and 00-ansible otherwise.

The suggested format is NN-name, where NN is a two-digit number used for sorting and name is any descriptive name for the content or the owner of the file.

ssh dict

A dict containing configuration options and their respective values. See the example below.

ssh_...

Simple variables consisting of the option name prefixed with ssh_ can be used instead of the dict above. A simple variable overrides the value of the same option in the dict.

ssh_additional_packages

This role automatically installs the packages needed for the most common use cases on the given platform. If additional packages need to be installed (for example openssh-keysign for host-based authentication), they can be listed in this variable.

ssh_config_file

The configuration file that will be written by this role. The default is derived from the template /etc/ssh/ssh_config.d/{name}.conf if the system has a drop-in directory, and is /etc/ssh/ssh_config otherwise. If ssh_user != null, the default is ~/.ssh/config.

To write /etc/ssh/ssh_config even if a drop-in directory is supported, set ssh_drop_in_name to null.

ssh_config_owner, ssh_config_group, ssh_config_mode

The owner, group and mode of the created configuration file. By default the file is owned by root:root with mode 0644, unless ssh_user != null; in that case the mode is 0600 and the owner and group are derived from the username given in the ssh_user variable.

ssh_backup

When set to false, the original ssh_config file is not backed up. The default is true.

Example Playbook

The following playbook configures the root user's ssh configuration in the root home directory to use compression and ControlMaster multiplexing, and enables GSSAPI authentication in the "Match final all" block. Additionally, it creates the alias "example" for connecting to the host example.com as the user somebody. The last line disables X11 forwarding.

- name: Manage ssh clients
  hosts: all
  tasks:
  - name: Configure ssh clients
    include_role:
      name: linux-system-roles.ssh
    vars:
      ssh_user: root
      ssh:
        Compression: true
        # wokeignore:rule=master
        ControlMaster: auto
        ControlPath: ~/.ssh/.cm%C
        Match:
          - Condition: "final all"
            GSSAPIAuthentication: true
        Host:
          - Condition: example
            Hostname: example.com
            User: somebody
      ssh_ForwardX11: false

More examples are in the examples/ directory.
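Building on the playbook above, the following is an added example (not from the role's README or from the linux-system-roles project) that uses the role twice in one play: first to write a system-wide drop-in via ssh_drop_in_name, then to write a per-user ~/.ssh/config for a service account, overriding one option from the shared ssh dict with a simple ssh_<Option> variable. The host group, the drop-in name 10-hardening, the user deploy, the *.example.com hosts and the identity file path are assumptions.

```yaml
# Added example, not from the role's README. The host group, drop-in name
# "10-hardening", user "deploy", *.example.com hosts and the identity file
# path are assumptions chosen for illustration.
- name: Manage ssh client configuration with a drop-in and a per-user file
  hosts: all
  become: true
  vars:
    # Options shared by both role invocations below. An individual
    # ssh_<Option> variable overrides the matching key in this dict.
    ssh:
      HashKnownHosts: true          # do not leak visited hosts via known_hosts
      ForwardAgent: false           # never expose the local agent by default
      ForwardX11: false
      StrictHostKeyChecking: ask    # interactive users confirm new host keys
      Host:
        - Condition: "*.example.com"
          User: deploy
          IdentitiesOnly: true      # offer only the listed key, not every agent key
          IdentityFile: ~/.ssh/id_ed25519_example
  tasks:
    - name: Write /etc/ssh/ssh_config.d/10-hardening.conf
      ansible.builtin.include_role:
        name: linux-system-roles.ssh
      vars:
        # Substituted into /etc/ssh/ssh_config.d/{name}.conf; the play fails
        # on systems without a drop-in directory. With a drop-in the OS
        # defaults are left in /etc/ssh/ssh_config and not duplicated here.
        ssh_drop_in_name: 10-hardening

    - name: Write ~deploy/.ssh/config for the deploy service account
      ansible.builtin.include_role:
        name: linux-system-roles.ssh
      vars:
        ssh_user: deploy            # must already exist; file becomes deploy-owned, mode 0600
        # A non-interactive account has its known_hosts provisioned in
        # advance, so refuse unknown keys outright instead of asking.
        # This simple variable overrides StrictHostKeyChecking from the dict.
        ssh_StrictHostKeyChecking: "yes"
```

Two points worth checking after a run. First, precedence: ssh keeps the first value it reads for each option, reads ~/.ssh/config before the system-wide file, and the distribution's /etc/ssh/ssh_config includes ssh_config.d/*.conf near its top, so the per-user file wins over the drop-in and the drop-in wins over the OS defaults that follow the Include. Second, inspect the effective result rather than the files: `ssh -G somehost.example.com` run as the deploy user prints the options ssh would actually apply, which is the quickest way to confirm that the override and the Host block took effect.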

rpm-ostree

See README-ostree.md

License

LGPLv3, see the file LICENSE for more information.

Author Information

Jakub Jelen, 2021 - 2023

Issues

Unspecified options in ssh_config.j2

If I want to use an option not specified in ssh_config.j2, am I able to do so? We use a set of options in our ssh_config, some of which aren't included in the template, and I'd like to know whether we can still use this supported role.

Is there a reason why the available options are specified explicitly, rather than just looping through a list of options?

Thanks

RFE: Allow removing unrecognized ssh configuration files

In case there's a configuration file present in the ssh_config.d directory then the role configured options do not necessarily get used if the unexpected configuration file has higher priority.

It would be nice to be able to have the role remove all unrecognised configuration files from ssh_config.d. On RHEL, for instance, there might be a few non-role configuration files created by security hardening tools such as oscap(8) which would be ok to be left in place, whereas something like 0-test.conf or 0-rogue.conf should be removed.

Thanks.

Conscious Language: Please rename master branch to main branch

As part of the conscious language project, the master branch is to be renamed to the main branch.

Here are the instructions.

  1. Rename the master branch to main: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/renaming-a-branch
  2. Check this to ensure the default branch has been changed to main: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch - this should keep the github history, as well as updating the default branch configuration and updating any existing PRs

If you use the gh cli (highly recommended) you can use this to check which repos need to be updated:

gh repo list linux-system-roles -L 100 --json name,defaultBranchRef --source | \
  jq --raw-output '.[] | select(.defaultBranchRef.name == "master") | .name'

Thanks.

Confusing drop-in behavior

When using drop-in names the behaviour is unexpected:

- name: Test
  hosts: rhel8
  gather_facts: false
  become: true
  roles:
    - role: fedora.linux_system_roles.ssh
      vars:
        ssh_skip_defaults: false
        ssh_config_file: '~/src/tests/ssh/ssh_config_RHEL8_test'
    - role: fedora.linux_system_roles.ssh
      vars:
        ssh_skip_defaults: true
        ssh_config_file: '~/src/tests/ssh/ssh_config.d_RHEL8_test/99-some-test.conf'
        ssh:
          Match:
            - Condition: "User {{ user_list | join(',') }}"
              SendEnv: 'SOME_VAR'

  vars:
    ssh_config_owner: 'user'
    ssh_config_group: 'user'
    ssh_config_mode: '0600'
    user_list:
      - 'user1'
      - 'user2'

This generates the default ~/src/tests/ssh/ssh_config_RHEL8_test including the drop-in part

#
# Ansible managed
#
# system_role:ssh

Include /etc/ssh/ssh_config.d/*.conf
Match User user1,user2
  SendEnv SOME_ENV

and an ~/src/tests/ssh/ssh_config.d_RHEL8_test/99-some-test.conf

#
# Ansible managed
#
# system_role:ssh

Match User user1,user2
  SendEnv SOME_ENV

which is correct.

So it seems that the ssh variable defined in the second call is already available in the first call...

Is there a way around this?

Defaults hostblock ignored when non-default hostblock is used

The defaults host block is ignored when another host block is given.

Here is a playbook to reproduce the issue:

- name: Test
  hosts: rhel7
  gather_facts: false
  tasks:
    - name: Handle ssh_config for RHEL7
      ansible.builtin.import_role:
        name: fedora.linux_system_roles.ssh
      vars:
        ssh_config_file: '~/src/tests/ssh_config_test'
        ssh_skip_defaults: false
        ssh:
          Host:
            - Condition: '*.abc'
              PubkeyAuthentication: 'yes'

The output is the following:

#
# Ansible managed
#
# system_role:ssh

Host *.abc
  PubkeyAuthentication yes

while I would also expect the defaults to appear next to what I specify:

#
# Ansible managed
#
# system_role:ssh

Host *
  ForwardX11Trusted yes
  GSSAPIAuthentication yes
  SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  SendEnv XMODIFIERS
Host *.abc
  PubkeyAuthentication yes

Default file generated as drop-in 00-ansible.conf

I expect the following snippet to produce the default config for RHEL9:

- name: Test
  hosts: rhel9
  gather_facts: false
  tasks:
    - name: Generate ssh RHEL9
      become: true
      block:
        - name: Handle default ssh_config for RHEL9
          ansible.builtin.include_role:
            name: fedora.linux_system_roles.ssh

Instead it creates a drop-in file 00-ansible.conf with the defaults. Why is that?

The fix I found for RHEL8 (#89), namely setting the variable ssh: {} does not work here.
It also doesn't help to set the variable ssh_skip_defaults: false...

Now the fix seems to be to explicitly set ssh_drop_in_name: null...

It is really not very convenient to do trial and error all the time for simple stuff like having a default config generated.

Can you please document, with an example playbook, how one should generate the default config and an additional drop-in config.

Eliminate non-inclusive language

Hello, we have a project to eliminate non-inclusive language from the linux-system-roles.

Running the utility woke (now supported in tox; please install the latest tox-lsr and run tox -e woke), two non-inclusive words are reported: sanity and master.

The difficulty is that ControlMaster is a configuration keyword for ssh. So, unless it's renamed in ssh, there is no way to avoid it in the ssh role. To skip the checking, there are two ways: adding wokeignore:rule=master to each ControlMaster appearing in the source code, or skipping them as a warning by applying get-woke/woke#252. Which way is preferable?