
ansible-sshd's Issues

Documentation

Details of different configuration levels:

  • defaults
  • sshd dict
  • sshd_* vars

Append sshd config

Hi,

Is it possible to Append some part of sshd_config file? My case is that I need to add some values in AcceptEnv, but it overwrites. Any suggestion?

sshd_config.j2 - duplicate entry

Hi

In sshd_config.j2 file:
{{ body_option("GatewayPorts",sshd_GatewayPorts) -}} is duplicated.
Lines 122 and 128.

This results in option GatewayPorts present in two places.

v0.7.5

Support for multiple ssh daemons

I have a need to configure and run 2 ssh daemons / services on different ports and generally different configuration. AFAICT this is not possible currently with this role. Would there be interest to add this functionality? I could work on a first implementation.

code clarification

Hello, Matt!
Thanks for the terrific role!
I'm an Ansible newbie so I don't quite understand your code.
What is the file ansible-sshd/meta/make_option_list for?
When does it come into play?
There's only ansible-sshd/meta/main.yml described in the docs.
What are the other files there for?
Thanks in advance!

best practices

It would be great if you provided a hardened / best practices example playbook.

Certain option values, when expressed as a list, should be joined by commas.

Some sshd options require multiple-values to be expressed as a comma-separated list:

  • AuthenticationMethods
  • Ciphers
  • HostbasedAcceptedKeyTypes
  • KexAlgorithms
  • MACs
  • Match
  • PubkeyAcceptedKeyTypes

Although the existing code parses any sshd_* value which is expressed as a list, it fails to join list items with commas. This PR ensures that list values associated with the above options are joined by commas.
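As an added example (not the role's own template code), a small Python rendering of the rule this PR describes: list values for the options listed above are joined by commas into one directive, while other repeatable directives such as HostKey or AcceptEnv are emitted one per line, which is how the generated configs elsewhere on this page look. The option set comes from this PR description; the sample input is constructed.

```python
"""Render sshd_config directives from Ansible-style option values.

Added example, not the role's template: it shows the comma-join rule from the
PR above next to the one-line-per-value rule used for other repeatable
directives (HostKey, AcceptEnv, ListenAddress ...).
"""

# Option names taken from the PR description above.
COMMA_JOINED = {
    "AuthenticationMethods",
    "Ciphers",
    "HostbasedAcceptedKeyTypes",
    "KexAlgorithms",
    "MACs",
    "Match",
    "PubkeyAcceptedKeyTypes",
}


def render_option(name, value):
    """Return the sshd_config line(s) for one option as a list of strings."""
    if isinstance(value, bool):
        # sshd expects yes/no; YAML 'no'/'yes' may arrive as Python booleans.
        return [f"{name} {'yes' if value else 'no'}"]
    if isinstance(value, (list, tuple)):
        items = [str(v) for v in value]
        if name in COMMA_JOINED:
            # Single directive, values joined by commas: "Ciphers a,b,c"
            return [f"{name} {','.join(items)}"]
        # Repeatable directive: one line per value, e.g. two "HostKey" lines.
        return [f"{name} {item}" for item in items]
    return [f"{name} {value}"]


def render_config(options):
    """Render a dict of options, in the order given, as sshd_config text."""
    lines = ["# Ansible managed"]
    for name, value in options.items():
        lines.extend(render_option(name, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample modelled on the group_vars quoted in the issues here.
    sample = {
        "HostKey": ["/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_rsa_key"],
        "Ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
        "PasswordAuthentication": False,
        "Subsystem": "sftp internal-sftp",
    }
    print(render_config(sample))
```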

apt: error while evaluating conditional

I'm new to ansible so please forgive my ignorance in advance. When I add this role to my playbook and run it against a node I get the following:

TASK: [willshersystems.apt | Update apt cache] ********************************
fatal: [anvil-connect] => error while evaluating conditional: ansible_pkg_mgr == 'apt' and apt_has_run is not defined

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/Users/smith/playbook.retry

anvil-connect              : ok=9    changed=3    unreachable=1    failed=0

This is the case with or without including the apt role explicitly.

  roles:
    - common
    - willshersystems.apt
    - willshersystems.sshd

DebianBanner option in sshd_config

Hello,
On Debian systems, there is a DebianBanner directive that can be set in sshd_config:

DebianBanner
Specifies whether the distribution-specified extra version suffix is included during initial protocol handshake. The default is “yes”.

Can you add it to your template?
Thanks

sshd_manage_var_run not necessary on Fedora

I do not know why it is necessary for this role to explicitly manage the directory /var/run/sshd. But apart from that, there is an exclusion for RHEL7 but not for Fedora. I checked that a default installation of Fedora with working sshd does not have such a directory.

Update meta-data

The meta-data for the role is outdated and the README needs a bit of a spruce up. Minimal Ansible version should be 2.x+ etc. etc.

Seeking advice on adding Alpine Linux support

All:

I've been working on adding Alpine Linux 3.7 support to ansible-sshd. Getting it to work requires a code change beyond a new vars/Alpine.yml. I am more than happy to submit a pull/patch, but would appreciate input on how you want the change implemented.

The core of the problem is the validate statement in the Configuration task. Successful validation assumes that the ssh host keys have been generated as part of the install. Apparently under Alpine 3.7 this is not true. The host keys are generated when the openssh daemon is first run. Since it hasn't been run, the keys don't exist and the validation fails.

Currently I am working around that by adding a block statement prior to the Configuration task which is run if the os_family is Alpine and virtualization_type docker. The block contains two tasks - one starting the sshd server and one stopping it. With this present the Configuration task passes on Alpine Linux.

Question is whether this is an acceptable way to address the issue or if you would prefer some other approach? Or would you prefer that a patch/pull request not be submitted?

-steve

Configuration step fails for CentOS7 if no ssh packages were installed

When using the role to install sshd in a centos7 Docker container the role installs the packages, but the sshd is never started before the "Configuration" step.

Due to this there are no hostkeys, which seem to be generated when sshd is started for the first time and there are no keys yet:

fatal: [localhost]: FAILED! => {"changed": false, "checksum": "3eb484dee3405d49871d72d546e490cd0a6bf897", "exit_status": 1, "msg": "failed to validate", "stderr": "Could not load host key: /etc/ssh/ssh_host_rsa_key\r\nCould not load host key: /etc/ssh/ssh_host_ed25519_key\r\nsshd: no hostkeys available -- exiting.\r\n", "stderr_lines": ["Could not load host key: /etc/ssh/ssh_host_rsa_key", "Could not load host key: /etc/ssh/ssh_host_ed25519_key", "sshd: no hostkeys available -- exiting."], "stdout": "", "stdout_lines": []}

I thought about just fixing this, but this seems more complicated, as one would have to actually dig through the sshd_config.hostkey variable to find the expected name for the hostkeys and actually figure out the type for the hostkey and then generate them, if they do not exist.

Another idea would be to unconditionally start sshd before the configuration step, to ensure the existence of the hostkeys, but I do not know if this may create other problems.

This is a rather special corner case, as ansible works over SSH and so this will only ever be a problem, when setting up a container or any situation where the playbook does not rely on sshd actually running (ansible_connection=local e.g.).

If simply unconditionally starting sshd before the configuration step would be an option (or just doing this under certain conditions) I could come up with a quick PR.

Any ideas or suggestions?
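The host-key lookup described in this issue (and the same missing-key failure in the Alpine issue above), as an added Python example that is not the role's own code: parse the rendered sshd_config for HostKey directives and report which of those files are missing, so a playbook can generate them or start sshd once before the validate step runs sshd -t. The sample config is constructed; the injectable `exists` parameter is an assumption added for testability.

```python
"""Report HostKey files an sshd_config expects but that do not exist.

Added example, not part of ansible-sshd: a pre-validation check for the
"no hostkeys available" failure described in the issue above.
"""
import os
import shlex


def expected_host_keys(config_text):
    """Return the HostKey paths declared in config_text, in order, without
    duplicates.  Comments are ignored, and so is anything after the first
    Match line, since HostKey is not valid inside a Match block."""
    keys = []
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Key value" and "Key=value"; normalise the latter.
        try:
            parts = shlex.split(line.replace("=", " ", 1))
        except ValueError:          # unbalanced quotes: not a HostKey line we trust
            continue
        if not parts:
            continue
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            in_match = True
            continue
        if in_match or keyword != "hostkey" or len(parts) < 2:
            continue
        if parts[1] not in keys:
            keys.append(parts[1])
    return keys


def missing_host_keys(config_text, exists=os.path.isfile):
    """Paths from expected_host_keys() for which exists(path) is false.
    `exists` is injectable (assumption for this example) so the check can be
    unit-tested or pointed at a container rootfs from the outside."""
    return [path for path in expected_host_keys(config_text) if not exists(path)]


# Constructed sample mirroring the HostKey lines quoted in the issues above.
SAMPLE_CONFIG = """\
# Ansible managed
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PasswordAuthentication no
Match User jdoe
    Banner none
"""

if __name__ == "__main__":
    for key in missing_host_keys(SAMPLE_CONFIG):
        print("missing host key:", key)
```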

Cannot override role values from group vars

Nice role--you cover a lot of handy stuff.

However, I noticed you've put a lot of variables in /vars/ rather than /defaults/ which makes it so I can't override the values without manually modifying the role: http://stackoverflow.com/questions/26475071/ansible-playbook-group-var-being-overriden-by-a-role-var

Would you be open to moving a bunch of the params to /defaults/?

My preference is to manage all my ansible-galaxy roles in one folder, and then individual project playbooks override various role parameters as needed: http://stackoverflow.com/questions/22201306/ansible-galaxy-roles-install-in-to-a-specific-directory/32728042#32728042

It just makes life easier as that way I only have one role to maintain, but can adjust values as necessary for each project.

For example, right now my playbooks can't override most of the values here: https://github.com/willshersystems/ansible-sshd/blob/master/vars/RedHat_7.yml

Check config before reload

sshd -t should be run before a reload is attempted, and it should fail on warnings and errors. While sshd -t is being called, it didn't pick up on the problem in #51.

Ansible 2.3 warnings

New warnings I noticed now that ansible 2.3 is in EPEL7 (slightly edited to remove unnecessary stuff):

TASK [ansible-role-sshd : Run directory] *******************************************************

[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ false if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' else true }}

(we're using a slightly older version of ansible-sshd, but this comes from defaults/main.yml.)

TASK [ansible-role-sshd : Service enabled and running] ***********************************************

[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ false if ansible_virtualization_type == 'docker' else true }}

(This is also from defaults/main.yml)

Outdated readme

The README currently provides the ansible galaxy role mattwillsher.sshd.
This role location leads to a 404 on galaxy.ansible.com:
[WARNING]: - mattwillsher.sshd was NOT installed successfully: - sorry, mattwillsher.sshd was not found on https://galaxy.ansible.com.

CentOS 8 / EL 8 problem

sshd on CentOS8 seems to be not configured through /etc/ssh/sshd_config, but loads /etc/crypto-policies/back-ends/opensshserver.config via the systemd sshd.service configuration. So while you can use this role to manage /etc/ssh/sshd_config, it won't take effect.

inconsistent version formats

I think the mix of version formats means that this role cannot easily be installed. The only workaround is to specify a specific version.

- downloading role 'sshd', owned by willshersystems
 [WARNING]: - willshersystems.sshd was NOT installed successfully: Unable to
compare role versions (v0.7.2, 0.2.0, 0.4.1, 0.3.0, 0.4.5, 0.4.3, 0.2.5,
v0.7.1, v0.4.8, v0.4.10, v0.4.9, 0.1.0, 0.5.1, v0.4.7, v0.4.6, v0.6.2, v0.5,
v0.7.0, v0.6.0, 0.4.4, 0.2.3, 0.4.2, 0.4.0, 0.2.1, v0.6.1, 0.2.2, 0.3.1, 0.2.4,
0.3.2) to determine the most recent version due to incompatible version
formats. Please contact the role author to resolve versioning conflicts, or
specify an explicit role version to install.

Would it be possible to settle on one format, and delete the versions that use the other?

PR #121 caused Ansible 2.8+ requirement

PR #121 introduced support for functionality only supported in Ansible >2.7, breaking compatibility with old versions. Given the nature of the change, it will be reverted in #122 and can be reapplied once 2.7 is well out of support.

README is out of date

The README is somewhat out of date. The list of supported repos, and possibly some of the options, need updating.

EL8 support

Are you working on adding EL8 support?

My experience has been that EL7 parameters and settings have worked well with my EL8 installs but I have not done a completely thorough checkup on all the parameters if they conform to best practices of the new releases.

not reloading with default sshd_allow_reload value

Thanks for a great plugin - I am impressed with how you set it up. I had trouble in getting it to reload though.

In tasks/main.yml you just have when: sshd_manage_service which runs, in handlers/main.yml you have when: sshd_allow_reload == True which gets skipped.

If I explicitly set sshd_allow_reload: True then the problem goes away.

I also noticed that neither the "OS is supported" nor the "Register that this role has run" tasks are run if you restrict to the sshd tag - was that deliberate?

DETAILS:

With settings:

sshd_Port: 234
sshd:
  PermitRootLogin: no

I would see output like the following indicating that the reload_sshd was skipped:

TASK: [willshersystems.sshd | Set OS dependent variables] ********************* 
ok: [lodge] => (item=/home/ianh/Projects/Acme/beaver/outfit/roles/willshersystems.sshd/vars/Ubuntu_14.yml)
ok: [outfit-test] => (item=/home/ianh/Projects/Acme/beaver/outfit/roles/willshersystems.sshd/vars/Ubuntu_14.yml)

TASK: [willshersystems.sshd | OS is supported] ******************************** 
ok: [lodge]
ok: [outfit-test]

TASK: [willshersystems.sshd | Installed] ************************************** 
ok: [outfit-test] => (item=openssh-server)
ok: [lodge] => (item=openssh-server)
ok: [outfit-test] => (item=openssh-sftp-server)
ok: [lodge] => (item=openssh-sftp-server)

TASK: [willshersystems.sshd | Run directory] ********************************** 
ok: [lodge]
ok: [outfit-test]

TASK: [willshersystems.sshd | Configuration] ********************************** 
changed: [outfit-test]
changed: [lodge]

TASK: [willshersystems.sshd | Service enabled and running] ******************** 
ok: [lodge]
ok: [outfit-test]

TASK: [willshersystems.sshd | Register that this role has run] **************** 
ok: [lodge]
ok: [outfit-test]

NOTIFIED: [willshersystems.sshd | check_and_reload_sshd] ********************** 
changed: [outfit-test]
changed: [lodge]

NOTIFIED: [willshersystems.sshd | reload_sshd] ******************************** 
skipping: [lodge]
skipping: [outfit-test]

When I added

sshd_allow_reload: True

(And altered the port manually in /etc/ssh/sshd_config from 234 back to 22 on lodge), I then got as expected:

NOTIFIED: [willshersystems.sshd | check_and_reload_sshd] ********************** 
changed: [lodge]

NOTIFIED: [willshersystems.sshd | reload_sshd] ******************************** 
changed: [lodge]

And netstat -an | egrep 234 reported the port was open on lodge.

I noted that Service enabled and running was not skipped so it appears sshd_manage_service is true even though is behaving as false.

AllowUsers

How would I maintain a list of users in the variable sshd_AllowUsers?
Something like this:

with_items:
  - testuser1
  - testuser2

Question around supporting multiple OS

Hi everyone

Our estate currently has a number of different OS, centos6 and centos7 being the majority of what we've got.

I've git cloned this repo into our ansible roles folder inside our project, created a link to the role itself, which is going to have to happen for each server.

  - { role: 'ansible-sshd', tags: 'sshd' }

I've then edited roles/ansible-sshd/defaults/main.yml passing in my sshd_config options, as per this posting.

#46

Works an absolute charm on all my centos7 boxes, hooray!!

But the ciphers, macs and kex algorithms won't work on centos6 :-(

I've found the ones that will work for me

https://infosec.mozilla.org/guidelines/openssh

So, what's the best way to accomplish having the role handle there being multiple OS's, and therefore multiple sshd_config variables needed?

I'm thinking I could leave the ones that change as blank, and then pass them in at each server point, but that's going to add an awful lot of code to the project. My brain is trying to tell me there's a smarter way, but the other part of my brain is blocking the solution appearing.

Does anyone have any pointers on how to achieve this with the least amount of code added?

Thanks in advance

Matt

Broken my sshd

Hi Everyone

I've used ansible-sshd to secure my sshd on my server, but now future runs of ansible-sshd are failing.

Server is running centos7 with OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Here's the error I'm getting when trying to change the settings

fatal: [tooling1]: FAILED! => {
    "assertion": "__sshd_os_supported == True",
    "changed": false,
    "evaluated_to": false
}

Here are the variables I used to secure it

sshd_skip_defaults: false
sshd_allow_reload: false
sshd:
  KexAlgorithms: "[email protected],diffie-hellman-group-exchange-sha256"
  X11Forwarding: false
  Protocol: 2
  HostKey:
    - "/etc/ssh/ssh_host_ed25519_key"
    - "/etc/ssh/ssh_host_rsa_key"
  PasswordAuthentication: false
  ChallengeResponseAuthentication: false
  PubkeyAuthentication: true
  Ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
  MACs: "[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]"

And here's the resulting sshd_config file

# Ansible managed
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UsePAM yes
UsePrivilegeSeparation sandbox
X11Forwarding no

I can ssh into the machine without a problem

Anyone got any ideas what's going on?

Thanks

"UnboundLocalError: local variable 'l_value' referenced before assignment"

I am getting this error when running the default playbook example provided on your README:

TASK: [willshersystems.sshd | Configuration] ********************************** 
fatal: [NAP1] => {'msg': "UnboundLocalError: local variable 'l_value' referenced before assignment", 'failed': True}
fatal: [NAP1] => {'msg': "UnboundLocalError: local variable 'l_value' referenced before assignment", 'failed': True}

FATAL: all hosts have already failed -- aborting

Deprecation Warning

Hi Willsher,

with the latest ansible version (2.0.1.0) we get a deprecation warning.

example:
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{sshd_packages}}'). This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

sshd_skip_defaults: true getting ignored?

I don't seem able to get anything but the OS defaults to apply. I want to modify the CIPHERS and MACs but can't seem to get it to go.

My play looks like this.

    - name: willshersystems.sshd
      include_role:
        name: willshersystems.sshd
      tags:
        - sshd

my groupvars for the hosts look like this.

sshd_skip_defaults: true
sshd_config_mode: '0644'
sshd_packages:
  - openssh
  - openssh-server
sshd_sftp_server: /usr/libexec/openssh/sftp-server
sshd:
  SyslogFacility: AUTHPRIV
  PermitRootLogin: forced-commands-only
  AuthorizedKeysFile: .ssh/authorized_keys
  PasswordAuthentication: no
  ChallengeResponseAuthentication: no
  UsePAM: yes
  X11Forwarding: yes
  PrintLastLog: yes
  UsePrivilegeSeparation: sandbox
  AcceptEnv:
    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
  Subsystem: "sftp {{ sshd_sftp_server }}"
  Ciphers:
    - [email protected]
    - [email protected]
    - [email protected]
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr
  MACs:
    - [email protected]
    - [email protected]
    - [email protected]
    - [email protected]
    - hmac-sha2-512

Yet when I run the playbook, I just end up with the default sshd for Amazon linux. There must be something I am missing.

sshd_match: Adding multiple/new parameters per condition entry

I have a global group_vars file called "all" which contains the following entry:

...
sshd_match:
  - Condition: "User jdoe"
    Banner: none
    PrintMotd: no
    PrintLastLog: no
...

but only the first entry is placed into /etc/ssh/sshd_config:

...
Match User jdoe
Banner none
...

All other parameters are completely ignored, even after putting them in first place.
Isn't this role capable of these parameters/more than one entry per condition?

Fix build

Build is failing saying ansible_virtualization_type is undefined.

subsystem appears to be ignored

With the following config

- src: willshersystems.sshd
  version: v0.8.1
sshd:
  Compression: yes
  ListenAddress:
    - "0.0.0.0"
    - "::"
  AllowAgentForwarding: yes
  AllowGroups: ssh_allowed
  AuthenticationMethods: publickey
  PermitRootLogin: no
  Port: 22
  UseDNS: no
  Subsystem: "sftp internal-sftp"

I get the following sshd_config

# Ansible managed
Port 22
ListenAddress 0.0.0.0
ListenAddress ::
AllowAgentForwarding yes
AllowGroups ssh_allowed
AuthenticationMethods publickey
Compression yes
PermitRootLogin no
UseDNS no

Note the lack of "Subsystem" in the second block. Am I missing something?

No support for configuration changes

It looks like there is no support for the simple task of changing an existing configuration option without regenerating the whole configuration from a default. That limits the usefulness of this role severely.

Circular symlink for testing

The circular symlink in tests/roles causes copying the role to another server to break, especially with packer builds. Why not use an ansible.cfg file in tests/ with the following contents:

[defaults]
roles_path = ../../
