From b0903f37b8c56d724990555f0078477762d8dbe3 Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Fri, 3 Nov 2023 20:32:07 +0100
Subject: [PATCH 1/4] Fix for Deprecated option

---
 README.md | 1 +
 Vagrantfile | 2 +-
 defaults/main.yml | 7 ++++---
 tasks/main.yml | 23 +++++++++++++++++++++++
 templates/etc/ssh/sshd_config.j2 | 11 +++++++++++
 5 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 981ae49..c9ceb60 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,7 @@ None
 * `ssh_server_print_last_log`: [default: `true`]: Specifies whether `sshd` should print the date and time of the last user login when a user logs in interactively
 * `ssh_server_tcp_keep_alive`: [default: `true`]: Specifies whether the system should send TCP keepalive messages to the other side
 * `ssh_server_use_login`: [default: `false`]: Specifies whether `login` is used for interactive login sessions
+* `ssh_server_max_sessions`: [default: `10`]: Allows control of the number of multiplexed sessions supported over a single TCP connection. This allows increasing the number of allowed sessions above the previous default of `10`, disabling connection multiplexing (`1`) or disallowing login/shell/subsystem sessions entirely (`0`)
 * `ssh_server_max_startups`: [default: `'10:30:60'`]: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the `LoginGraceTime` expires for a connection
 * `ssh_server_banner`: [default: `none`]: The contents of the specified file are sent to the remote user before authentication is allowed
 * `ssh_server_ciphers`: [optional, default: `[]`]: Specifies the ciphers allowed for protocol version 2
diff --git a/Vagrantfile b/Vagrantfile
index 7f58430..4f7c159 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -23,7 +23,7 @@ boxes = [
     :box => "bento/ubuntu-20.04",
     :ip => '10.0.0.14',
     :cpu => "50",
-    :ram => "384"
+    :ram => "512"
   },
   {
     :name => "debian-10",
diff --git a/defaults/main.yml b/defaults/main.yml
index 8372981..615a881 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,14 +11,14 @@ ssh_server_host_keys:
   - /etc/ssh/ssh_host_rsa_key
   - /etc/ssh/ssh_host_dsa_key
   - /etc/ssh/ssh_host_ecdsa_key
-  - "{{ '/etc/ssh/ssh_host_ed25519_key' if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('14.04', '>=') or ansible_distribution == 'Debian' and ansible_distribution_version is version('8', '>=')) else '' }}"
-ssh_server_server_key_bits: "{{ 1024 if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('14.04', '>=') or ansible_distribution == 'Debian' and ansible_distribution_version is version('8', '>=')) else 768 }}"
+  - /etc/ssh/ssh_host_ed25519_key
+ssh_server_server_key_bits: 1024
 ssh_server_use_privilege_separation: true
 ssh_server_key_regeneration_interval: 3600
 ssh_server_syslog_facility: AUTH
 ssh_server_log_level: INFO
 ssh_server_login_grace_time: 120
-ssh_server_permit_root_login: "{{ 'without-password' if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('14.04', '>=') or ansible_distribution == 'Debian' and ansible_distribution_version is version('8', '>=')) else 'yes' }}"
+ssh_server_permit_root_login: without-password
 ssh_server_strict_modes: true
 ssh_server_rsa_authentication: true
 ssh_server_pubkey_authentication: true
@@ -37,6 +37,7 @@ ssh_server_print_motd: false
 ssh_server_print_last_log: true
 ssh_server_tcp_keep_alive: true
 ssh_server_use_login: false
+ssh_server_max_sessions: 10
 ssh_server_max_startups: '10:30:60'
 ssh_server_banner: none
 ssh_server_accept_env: LANG LC_*
diff --git a/tasks/main.yml b/tasks/main.yml
index 4664079..da4bcdb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
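Review bot: `/etc/ssh/ssh_host_dsa_key` stays in the now-unconditional `ssh_server_host_keys` default even though the version guards this series adds to the template target OpenSSH 7.4+, where ssh-dss host keys are disabled by default and the newest releases drop DSA entirely; unless the template skips missing key files (not visible here), that entry only yields a "Could not load host key" warning at sshd start, so consider dropping it from the default. The new `ssh_server_permit_root_login: without-password` is the pre-7.0 spelling: `prohibit-password` has been the documented keyword since OpenSSH 7.0 and the old one survives only as an alias, so switch the default to `prohibit-password` if hosts older than 7.0 are out of scope (the template guards still cater for < 7.4, so if such hosts remain, keep the alias and say why in the README).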
@@ -1,5 +1,28 @@
 # tasks file
 ---
+- name: get (current) version
+  ansible.builtin.shell: >
+    dpkg-query -W -f='${Version}' openssh-server | awk -F':' '{print $2}' | awk -F'p' '{print $1}'
+  register: _get_current_version
+  changed_when: false
+  failed_when: false
+  tags:
+    - configuration
+    - ssh-server
+    - ssh-server-version
+    - ssh-server-version-get
+
+- name: set (current) version
+  ansible.builtin.set_fact:
+    ssh_server_version: "{{ _get_current_version.stdout | regex_search('^([0-9]+\\.[0-9]+\\.?[0-9]*)$') }}"
+  changed_when: false
+  check_mode: false
+  tags:
+    - configuration
+    - ssh-server
+    - ssh-server-version
+    - ssh-server-version-set
+
 - name: install dependencies
   ansible.builtin.apt:
     name: "{{ ssh_server_dependencies }}"
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
index 214104b..11a776f 100644
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@@ -16,12 +16,16 @@ Protocol {{ ssh_server_protocol }}
 HostKey {{ ssh_server_host_key }}
 {% endif %}
 {% endfor %}
+{% if ssh_server_version is version('7.5', '<') %}
 # Privilege Separation is turned on for security
 UsePrivilegeSeparation {{ 'yes' if ssh_server_use_privilege_separation else 'no' }}
+{% endif %}
 
+{% if ssh_server_version is version('7.4', '<') %}
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval {{ ssh_server_key_regeneration_interval }}
 ServerKeyBits {{ ssh_server_server_key_bits }}
+{% endif %}
 
 # Logging
 SyslogFacility {{ ssh_server_syslog_facility }}
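Review bot: `ssh_server_version` can end up empty, and then every `{% if ssh_server_version is version('7.4', '<') %}` guard this patch adds to the template fails, because Ansible's `version` test raises on an empty or null input value. The detection task runs before `install dependencies` with `failed_when: false`, so on a host where openssh-server is not installed yet `dpkg-query` prints nothing and `regex_search` yields no match; a package version without the `1:` epoch is lost the same way, since `awk -F':' '{print $2}'` then prints an empty field. Move the two version tasks after the install task (or give the fact an explicit fallback and document in the README what that fallback renders), and consider `ansible.builtin.package_facts` with `ansible_facts.packages['openssh-server'][0].version` instead of the shell pipeline, which also removes the need for the `noqa` added later in this series. The `install dependencies` task continues outside the hunk.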
@@ -32,14 +36,18 @@ LoginGraceTime {{ ssh_server_login_grace_time }}
 PermitRootLogin {{ ssh_server_permit_root_login }}
 StrictModes {{ 'yes' if ssh_server_strict_modes else 'no' }}
 
+{% if ssh_server_version is version('7.4', '<') %}
 RSAAuthentication {{ 'yes' if ssh_server_rsa_authentication else 'no' }}
+{% endif %}
 PubkeyAuthentication {{ 'yes' if ssh_server_pubkey_authentication else 'no' }}
 AuthorizedKeysFile {{ ssh_server_authorized_keys_file }}
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts {{ 'yes' if ssh_server_ignore_rhosts else 'no' }}
+{% if ssh_server_version is version('7.4', '<') %}
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication {{ 'yes' if ssh_server_rhosts_rsa_authentication else 'no' }}
+{% endif %}
 # similar for protocol version 2
 HostbasedAuthentication {{ 'yes' if ssh_server_hostbased_authentication else 'no' }}
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
@@ -83,8 +91,11 @@ GatewayPorts {{ 'yes' if ssh_server_gateway_ports else 'no' }}
 PrintMotd {{ 'yes' if ssh_server_print_motd else 'no' }}
 PrintLastLog {{ 'yes' if ssh_server_print_last_log else 'no' }}
 TCPKeepAlive {{ 'yes' if ssh_server_tcp_keep_alive else 'no' }}
+{% if ssh_server_version is version('7.4', '<') %}
 UseLogin {{ 'yes' if ssh_server_use_login else 'no' }}
+{% endif %}
 
+MaxSessions {{ ssh_server_max_sessions }}
 MaxStartups {{ ssh_server_max_startups }}
 Banner {{ ssh_server_banner }}
 

From 4c19e8771b08f38ffa46bd109830898831e4acaf Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Fri, 3 Nov 2023 20:59:59 +0100
Subject: [PATCH 2/4] Template cleanup

---
 README.md | 18 ++---
 Vagrantfile | 2 +-
 defaults/main.yml | 2 +-
 files/ubuntu-2004 | 126 +++++++++++++++++++++++++++++++
 templates/etc/ssh/sshd_config.j2 | 52 ++++++-------
 5 files changed, 163 insertions(+), 37 deletions(-)
 create mode 100644 files/ubuntu-2004

diff --git a/README.md b/README.md
index c9ceb60..530c98b 100644
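Review bot: The comment lines around `RhostsRSAAuthentication` are left outside the new `{% if ssh_server_version is version('7.4', '<') %}` block, so on 7.4+ the rendered file still carries `# similar for protocol version 2` and `# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication` about an option that is no longer emitted. Move `# similar for protocol version 2` inside the guard and reword the other one to `# Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication`, which is what the stock config added later in this series says. Emitting `MaxSessions` unguarded is fine, as the keyword (OpenSSH 5.1) predates anything these guards distinguish.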
--- a/README.md
+++ b/README.md
@@ -16,20 +16,20 @@ None
 * `ssh_server_port`: [default: `22`]: Specifies the port number to connect on the remote host
 * `ssh_server_protocol`: [default: `2`]: Specifies the protocol versions `ssh` should support in order of preference. The possible values are `1` and `2`. Multiple versions must be comma-separated. The default is `2,1`. This means that ssh tries version 2 and falls back to version 1 if version 2 is not available
 * `ssh_server_listen_address:`: [default: `['0.0.0.0', '::']`]: Specifies the local addresses `sshd` should listen on
-* `ssh_server_host_keys:`: [default: `[/etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key]` depending on OS version, see `defaults/main.yml`]: Specifies a file containing a private host key used by SSH
-* `ssh_server_server_key_bits:`: [default: `1024` or `768` depending on OS version, see `defaults/main.yml`]: Defines the number of bits in the ephemeral protocol version 1 server key
-* `ssh_server_use_privilege_separation`: [default: `true`]: Specifies whether `sshd` separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes
-* `ssh_server_key_regeneration_interval`: [default: `3600`]: In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used)
+* `ssh_server_host_keys:`: [default: `[/etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key]`]: Specifies a file containing a private host key used by SSH
+* `ssh_server_server_key_bits:`: [default: `1024`]: Defines the number of bits in the ephemeral protocol version 1 server key (**deprecated**)
+* `ssh_server_use_privilege_separation`: [default: `true`]: Specifies whether `sshd` separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes (**deprecated**)
+* `ssh_server_key_regeneration_interval`: [default: `3600`]: In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used) (**deprecated**)
 * `ssh_server_syslog_facility`: [default: `AUTH`]: Gives the facility code that is used when logging messages from `sshd`
 * `ssh_server_log_level`: [default: `INFO`]: Gives the verbosity level that is used when logging messages from `sshd`
 * `ssh_server_login_grace_time`: [default: `120`]: The server disconnects after this time if the user has not successfully logged in
-* `ssh_server_permit_root_login`: [default: `without-password` or `yes` depending on OS version, see `defaults/main.yml`]: Specifies whether root can log in using ssh
+* `ssh_server_permit_root_login`: [default: `without-password`]: Specifies whether root can log in using ssh
 * `ssh_server_strict_modes`: [default: `true`]: Specifies whether `sshd` should check file modes and ownership of the user's files and home directory before accepting login
-* `ssh_server_rsa_authentication`: [default: `true`]: Specifies whether pure RSA authentication is allowed
+* `ssh_server_rsa_authentication`: [default: `true`]: Specifies whether pure RSA authentication is allowed (**deprecated**)
 * `ssh_server_pubkey_authentication`: [default: `true`]: Specifies whether public key authentication is allowed
 * `ssh_server_authorized_keys_file`: [default: `'%h/.ssh/authorized_keys'`]: Specifies the file that contains the public keys that can be used for user authentication
 * `ssh_server_ignore_rhosts`: [default: `true`]: Specifies that `.rhosts` and `.shosts` files will not be used
-* `ssh_server_rhosts_rsa_authentication`: [default: `false`]: Specifies whether `rhosts` or `/etc/hosts.equiv` authentication together with successful RSA host authentication is allowed
+* `ssh_server_rhosts_rsa_authentication`: [default: `false`]: Specifies whether `rhosts` or `/etc/hosts.equiv` authentication together with successful RSA host authentication is allowed (**deprecated**)
 * `ssh_server_hostbased_authentication`: [default: `false`]: Specifies whether `rhosts` or `/etc/hosts.equiv` authentication together with successful public key client host authentication is allowed (host-based authentication)
 * `ssh_server_ignore_user_known_hosts`: [default: `false`]: Specifies whether `sshd` should ignore the user's `~/.ssh/known_hosts`
 * `ssh_server_permit_empty_passwords`: [default: `false`]: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings
@@ -47,9 +47,9 @@ None
 * `ssh_server_print_motd`: [default: `false`]: Specifies whether `sshd` should print `/etc/motd` when a user logs in interactively
 * `ssh_server_print_last_log`: [default: `true`]: Specifies whether `sshd` should print the date and time of the last user login when a user logs in interactively
 * `ssh_server_tcp_keep_alive`: [default: `true`]: Specifies whether the system should send TCP keepalive messages to the other side
-* `ssh_server_use_login`: [default: `false`]: Specifies whether `login` is used for interactive login sessions
+* `ssh_server_use_login`: [default: `false`]: Specifies whether `login` is used for interactive login sessions (**deprecated**)
 * `ssh_server_max_sessions`: [default: `10`]: Allows control of the number of multiplexed sessions supported over a single TCP connection. This allows increasing the number of allowed sessions above the previous default of `10`, disabling connection multiplexing (`1`) or disallowing login/shell/subsystem sessions entirely (`0`)
-* `ssh_server_max_startups`: [default: `'10:30:60'`]: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the `LoginGraceTime` expires for a connection
+* `ssh_server_max_startups`: [default: `'10:30:100'`]: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the `LoginGraceTime` expires for a connection
 * `ssh_server_banner`: [default: `none`]: The contents of the specified file are sent to the remote user before authentication is allowed
 * `ssh_server_ciphers`: [optional, default: `[]`]: Specifies the ciphers allowed for protocol version 2
 * `ssh_server_key_algorithms`: [optional, default: `[]`]: Specifies the available KEX (Key Exchange) algorithms
diff --git a/Vagrantfile b/Vagrantfile
index 4f7c159..7f58430 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -23,7 +23,7 @@ boxes = [
     :box => "bento/ubuntu-20.04",
     :ip => '10.0.0.14',
     :cpu => "50",
-    :ram => "512"
+    :ram => "384"
   },
   {
     :name => "debian-10",
diff --git a/defaults/main.yml b/defaults/main.yml
index 615a881..e717642 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,7 +38,7 @@ ssh_server_print_last_log: true
 ssh_server_tcp_keep_alive: true
 ssh_server_use_login: false
 ssh_server_max_sessions: 10
-ssh_server_max_startups: '10:30:60'
+ssh_server_max_startups: '10:30:100'
 ssh_server_banner: none
 ssh_server_accept_env: LANG LC_*
 ssh_server_subsystem: sftp /usr/lib/openssh/sftp-server
diff --git a/files/ubuntu-2004 b/files/ubuntu-2004
new file mode 100644
index 0000000..a735c78
--- /dev/null
+++ b/files/ubuntu-2004
@@ -0,0 +1,126 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+PasswordAuthentication yes
+UseDNS no
+GSSAPIAuthentication no
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
index 11a776f..1f18735 100644
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 # Package generated configuration file
 # See the sshd_config(5) manpage for details
 
@@ -18,7 +18,7 @@ HostKey {{ ssh_server_host_key }}
 {% endfor %}
 {% if ssh_server_version is version('7.5', '<') %}
 # Privilege Separation is turned on for security
-UsePrivilegeSeparation {{ 'yes' if ssh_server_use_privilege_separation else 'no' }}
+UsePrivilegeSeparation {{ ssh_server_use_privilege_separation | bool | ternary('yes', 'no') }}
 {% endif %}
 
 {% if ssh_server_version is version('7.4', '<') %}
@@ -34,65 +34,65 @@ LogLevel {{ ssh_server_log_level }}
 # Authentication:
 LoginGraceTime {{ ssh_server_login_grace_time }}
 PermitRootLogin {{ ssh_server_permit_root_login }}
-StrictModes {{ 'yes' if ssh_server_strict_modes else 'no' }}
+StrictModes {{ ssh_server_strict_modes | bool | ternary('yes', 'no') }}
 
 {% if ssh_server_version is version('7.4', '<') %}
-RSAAuthentication {{ 'yes' if ssh_server_rsa_authentication else 'no' }}
+RSAAuthentication {{ ssh_server_rsa_authentication | bool | ternary('yes', 'no') }}
 {% endif %}
-PubkeyAuthentication {{ 'yes' if ssh_server_pubkey_authentication else 'no' }}
+PubkeyAuthentication {{ ssh_server_pubkey_authentication | bool | ternary('yes', 'no') }}
 AuthorizedKeysFile {{ ssh_server_authorized_keys_file }}
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts {{ 'yes' if ssh_server_ignore_rhosts else 'no' }}
+IgnoreRhosts {{ ssh_server_ignore_rhosts | bool | ternary('yes', 'no') }}
 {% if ssh_server_version is version('7.4', '<') %}
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication {{ 'yes' if ssh_server_rhosts_rsa_authentication else 'no' }}
+RhostsRSAAuthentication {{ ssh_server_rhosts_rsa_authentication | bool | ternary('yes', 'no') }}
 {% endif %}
 # similar for protocol version 2
-HostbasedAuthentication {{ 'yes' if ssh_server_hostbased_authentication else 'no' }}
+HostbasedAuthentication {{ ssh_server_hostbased_authentication | bool | ternary('yes', 'no') }}
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-IgnoreUserKnownHosts {{ 'yes' if ssh_server_ignore_user_known_hosts else 'no' }}
+IgnoreUserKnownHosts {{ ssh_server_ignore_user_known_hosts | bool | ternary('yes', 'no') }}
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords {{ 'yes' if ssh_server_permit_empty_passwords else 'no' }}
+PermitEmptyPasswords {{ ssh_server_permit_empty_passwords | bool | ternary('yes', 'no') }}
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication {{ 'yes' if ssh_server_challenge_response_authentication else 'no' }}
+ChallengeResponseAuthentication {{ ssh_server_challenge_response_authentication | bool | ternary('yes', 'no') }}
 
 # Change to no to disable tunnelled clear text passwords
-PasswordAuthentication {{ 'yes' if ssh_server_password_authentication else 'no' }}
+PasswordAuthentication {{ ssh_server_password_authentication | bool | ternary('yes', 'no') }}
 
 # Kerberos options
 {% if ssh_server_kerberos_authentication is defined %}
-KerberosAuthentication {{ 'yes' if ssh_server_kerberos_authentication else 'no' }}
+KerberosAuthentication {{ ssh_server_kerberos_authentication | bool | ternary('yes', 'no') }}
 {% endif %}
 {% if ssh_server_kerberos_get_afs_token is defined %}
-KerberosGetAFSToken {{ 'yes' if ssh_server_kerberos_get_afs_token else 'no' }}
+KerberosGetAFSToken {{ ssh_server_kerberos_get_afs_token | bool | ternary('yes', 'no') }}
 {% endif %}
 {% if ssh_server_kerberos_or_local_passwd is defined %}
-KerberosOrLocalPasswd {{ 'yes' if ssh_server_kerberos_or_local_passwd else 'no' }}
+KerberosOrLocalPasswd {{ ssh_server_kerberos_or_local_passwd | bool | ternary('yes', 'no') }}
 {% endif %}
 {% if ssh_server_kerberos_ticket_cleanup is defined %}
-KerberosTicketCleanup {{ 'yes' if ssh_server_kerberos_ticket_cleanup else 'no' }}
+KerberosTicketCleanup {{ ssh_server_kerberos_ticket_cleanup | bool | ternary('yes', 'no') }}
 {% endif %}
 
 # GSSAPI options
 {% if ssh_server_gssapi_authentication is defined %}
-GSSAPIAuthentication {{ 'yes' if ssh_server_gssapi_authentication else 'no' }}
+GSSAPIAuthentication {{ ssh_server_gssapi_authentication | bool | ternary('yes', 'no') }}
 {% endif %}
 {% if ssh_server_gssapi_cleanup_credentials is defined %}
-GSSAPICleanupCredentials {{ 'yes' if ssh_server_gssapi_cleanup_credentials else 'no' }}
+GSSAPICleanupCredentials {{ ssh_server_gssapi_cleanup_credentials | bool | ternary('yes', 'no') }}
 {% endif %}
 
-X11Forwarding {{ 'yes' if ssh_server_x11_forwarding else 'no' }}
+X11Forwarding {{ ssh_server_x11_forwarding | bool | ternary('yes', 'no') }}
 X11DisplayOffset {{ ssh_server_x11_display_offset }}
-GatewayPorts {{ 'yes' if ssh_server_gateway_ports else 'no' }}
-PrintMotd {{ 'yes' if ssh_server_print_motd else 'no' }}
-PrintLastLog {{ 'yes' if ssh_server_print_last_log else 'no' }}
-TCPKeepAlive {{ 'yes' if ssh_server_tcp_keep_alive else 'no' }}
+GatewayPorts {{ ssh_server_gateway_ports | bool | ternary('yes', 'no') }}
+PrintMotd {{ ssh_server_print_motd | bool | ternary('yes', 'no') }}
+PrintLastLog {{ ssh_server_print_last_log | bool | ternary('yes', 'no') }}
+TCPKeepAlive {{ ssh_server_tcp_keep_alive | bool | ternary('yes', 'no') }}
 {% if ssh_server_version is version('7.4', '<') %}
-UseLogin {{ 'yes' if ssh_server_use_login else 'no' }}
+UseLogin {{ ssh_server_use_login | bool | ternary('yes', 'no') }}
 {% endif %}
 
 MaxSessions {{ ssh_server_max_sessions }}
@@ -124,9 +124,9 @@ Subsystem {{ ssh_server_subsystem }}
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM {{ 'yes' if ssh_server_use_pam else 'no' }}
+UsePAM {{ ssh_server_use_pam | bool | ternary('yes', 'no') }}
 
-UseDNS {{ 'yes' if ssh_server_use_dns else 'no' }}
+UseDNS {{ ssh_server_use_dns | bool | ternary('yes', 'no') }}
 
 {% if ssh_server_allow_groups %}
 AllowGroups {{ ssh_server_allow_groups | join(' ') }}

From 28296e02ab7c90b4821cb5646bc62d6c985517a9 Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Fri, 3 Nov 2023 21:07:54 +0100
Subject: [PATCH 3/4] Consistency changes

---
 templates/etc/ssh/sshd_config.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
index 1f18735..18dffcf 100644
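Review bot: Switching `PasswordAuthentication`, `PermitEmptyPasswords` and the other authentication toggles from `'yes' if var else 'no'` to `var | bool | ternary('yes', 'no')` changes the rendered output, not only the style: a string such as `"false"` or `"no"` (what an INI inventory or `-e var=no` delivers) is truthy in Jinja and previously rendered `yes`, whereas `| bool` now renders `no`. That is the right direction for settings that gate password logins, but it belongs in the commit message or changelog rather than under "Template cleanup", because operators who depended on the old quirk will see sshd behaviour change on the next run. While this block is being touched: `ChallengeResponseAuthentication` was renamed `KbdInteractiveAuthentication` in OpenSSH 8.7 and the old name survives only as an alias, so it is a candidate for the same version-guarded treatment this series gives the other legacy keywords.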
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@@ -1,7 +1,7 @@
 {{ ansible_managed | comment }}
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
 
 # What ports, IPs and protocols we listen for
 Port {{ ssh_server_port }}
 

From 3ada8578b0824e306f88a81d0b61c85f165523d8 Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Fri, 3 Nov 2023 21:12:03 +0100
Subject: [PATCH 4/4] Cs fixes

---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index da4bcdb..d2cbacd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,6 @@
 # tasks file
 ---
-- name: get (current) version
+- name: get (current) version # noqa risky-shell-pipe
   ansible.builtin.shell: >
     dpkg-query -W -f='${Version}' openssh-server | awk -F':' '{print $2}' | awk -F'p' '{print $1}'
   register: _get_current_version
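Review bot: The header comment is now copied from `files/ubuntu-2004`, but the one directive in that file that changes behaviour, `Include /etc/ssh/sshd_config.d/*.conf`, is not mirrored in the template (at least not in the parts visible in this series). The stock Ubuntu 20.04 config processes that directory first, so drop-ins placed there take precedence over later keywords, whereas the role-generated file silently ignores them; ignoring them is arguably the safer behaviour for a role that wants to own `sshd_config`, but it is a divergence from the distribution default that an operator should be told about. Add `# Unlike the distribution default, this file deliberately does not Include /etc/ssh/sshd_config.d/*.conf` below the header (or an `ssh_server_include` variable, version-guarded since `Include` needs OpenSSH 8.2+, if drop-ins are meant to be honoured).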
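Review bot: `# noqa risky-shell-pipe` silences the finding but leaves the behaviour it warns about: without `set -o pipefail` the pipeline's exit status is that of the last `awk`, so a failing `dpkg-query` (package not installed) still returns rc 0 with empty `stdout`, and the task's `failed_when: false` (outside this hunk) hides whatever is left. If the pipeline is kept, make it `set -o pipefail && dpkg-query -W -f='${Version}' openssh-server | awk -F':' '{print $2}' | awk -F'p' '{print $1}'` with `args: {executable: /bin/bash}` so the rc is meaningful, and handle a non-zero rc or an empty result explicitly in the following `set (current) version` task instead of letting an empty version reach the template. The remainder of the task lies outside the hunk.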