80 lines
2.8 KiB
YAML
80 lines
2.8 KiB
YAML
---
|
|
- hosts: all
|
|
tasks:
|
|
- name: Configure sshd
|
|
include_role:
|
|
name: ansible-sshd
|
|
vars:
|
|
# For Fedora containers, we need to make sure we have keys for sshd -T below
|
|
sshd_verify_hostkeys:
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
sshd:
|
|
Match:
|
|
- Condition: "User xusers"
|
|
X11Forwarding: yes
|
|
Banner: /tmp/xusers-banner
|
|
- Condition: "User bot"
|
|
AllowTcpForwarding: no
|
|
Banner: /tmp/bot-banner
|
|
sshd_match:
|
|
- Condition: "User sftponly"
|
|
ForceCommand: "internal-sftp"
|
|
ChrootDirectory: "/var/uploads/"
|
|
- Condition: "User root"
|
|
PasswordAuthentication: no
|
|
PermitTunnel: yes
|
|
|
|
- name: Verify the options are correctly set
|
|
vars:
|
|
main_sshd_config: >-
|
|
{{
|
|
"/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
|
|
if ansible_facts['distribution'] == 'Fedora'
|
|
else "/etc/ssh/sshd_config"
|
|
}}
|
|
block:
|
|
- meta: flush_handlers
|
|
|
|
- name: List effective configuration using sshd -T for xusers
|
|
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
|
|
register: xusers_effective
|
|
|
|
- name: List effective configuration using sshd -T for bot
|
|
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
|
|
register: bot_effective
|
|
|
|
- name: List effective configuration using sshd -T for sftponly
|
|
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
|
|
register: sftponly_effective
|
|
|
|
- name: List effective configuration using sshd -T for root
|
|
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
|
|
register: root_effective
|
|
|
|
- name: Print current configuration file
|
|
slurp:
|
|
src: "{{ main_sshd_config }}"
|
|
register: config
|
|
|
|
- name: Check the options are effective
|
|
# note, the options are in lower-case here
|
|
assert:
|
|
that:
|
|
- "'x11forwarding yes' in xusers_effective.stdout"
|
|
- "'banner /tmp/xusers-banner' in xusers_effective.stdout"
|
|
- "'allowtcpforwarding no' in bot_effective.stdout"
|
|
- "'banner /tmp/bot-banner' in bot_effective.stdout"
|
|
- "'forcecommand internal-sftp' in sftponly_effective.stdout"
|
|
- "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
|
|
- "'passwordauthentication no' in root_effective.stdout"
|
|
- "'permittunnel yes' in root_effective.stdout"
|
|
|
|
- name: Check the options are in configuration file
|
|
assert:
|
|
that:
|
|
- "'Match User xusers' in config.content | b64decode"
|
|
- "'Match User bot' in config.content | b64decode"
|
|
- "'Match User sftponly' in config.content | b64decode"
|
|
- "'Match User root' in config.content | b64decode"
|
|
tags: tests::verify
|