From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Wed, 6 Apr 2022 10:42:17 +0200
|
||
|
Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter
|
||
|
|
||
|
This fixes up the commit 7f69d1e6
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
templates/sshd_config.j2 | 6 +++++-
|
||
|
templates/sshd_config_snippet.j2 | 6 +++++-
|
||
|
2 files changed, 10 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
|
||
|
index 15ee668..8c7f322 100644
|
||
|
--- a/templates/sshd_config.j2
|
||
|
+++ b/templates/sshd_config.j2
|
||
|
@@ -22,7 +22,11 @@
|
||
|
{% elif sshd[key] is defined %}
|
||
|
{% set value = sshd[key] %}
|
||
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||
|
-{% set value = __sshd_defaults[key] %}
|
||
|
+{% if key == 'HostKey' and __sshd_fips_mode %}
|
||
|
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||
|
+{% else %}
|
||
|
+{% set value = __sshd_defaults[key] %}
|
||
|
+{% endif %}
|
||
|
{% endif %}
|
||
|
{{ render_option(key,value) -}}
|
||
|
{% endmacro %}
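Review bot: The new `difference(__sshd_hostkeys_nofips)` line assumes `__sshd_defaults['HostKey']` is a list, yet later in this series tasks/install.yml still treats a string-valued HostKey as a supported shape (`... is string` checks), and the `difference` filter applied to a string works on its characters rather than on one path. Guarding the branch, e.g. `{% if key == 'HostKey' and __sshd_fips_mode and __sshd_defaults[key] is not string %}`, or normalising the value to a list before filtering, keeps both shapes correct. `__sshd_hostkeys_nofips` is also referenced here without the `| d([])` fallback used in tasks/install.yml, which is only safe as long as `__sshd_fips_mode` is guaranteed false whenever that list is undefined. The identical change in templates/sshd_config_snippet.j2 below has the same two issues. The enclosing macro starts above this hunk.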
|
||
|
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
|
||
|
index 6766e09..6b23c76 100644
|
||
|
--- a/templates/sshd_config_snippet.j2
|
||
|
+++ b/templates/sshd_config_snippet.j2
|
||
|
@@ -21,7 +21,11 @@
|
||
|
{% elif sshd[key] is defined %}
|
||
|
{% set value = sshd[key] %}
|
||
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||
|
-{% set value = __sshd_defaults[key] %}
|
||
|
+{% if key == 'HostKey' and __sshd_fips_mode %}
|
||
|
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
|
||
|
+{% else %}
|
||
|
+{% set value = __sshd_defaults[key] %}
|
||
|
+{% endif %}
|
||
|
{% endif %}
|
||
|
{{ render_option(key,value) -}}
|
||
|
{% endmacro %}
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Wed, 6 Apr 2022 11:10:27 +0200
|
||
|
Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
|
||
|
well with the drop-in directory
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
tests/tests_alternative_file.yml | 2 ++
|
||
|
tests/tests_alternative_file_role.yml | 2 ++
|
||
|
2 files changed, 4 insertions(+)
|
||
|
|
||
|
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
|
||
|
index 0a8ccaf..215c726 100644
|
||
|
--- a/tests/tests_alternative_file.yml
|
||
|
+++ b/tests/tests_alternative_file.yml
|
||
|
@@ -6,6 +6,7 @@
|
||
|
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||
|
- /etc/ssh/sshd_config_custom
|
||
|
- /etc/ssh/sshd_config_custom_second
|
||
|
+ - /tmp/ssh_host_ecdsa_key
|
||
|
tasks:
|
||
|
- name: "Backup configuration files"
|
||
|
include_tasks: tasks/backup.yml
|
||
|
@@ -52,6 +53,7 @@
|
||
|
include_role:
|
||
|
name: ansible-sshd
|
||
|
vars:
|
||
|
+ sshd_config_file: /etc/ssh/sshd_config
|
||
|
sshd:
|
||
|
Banner: /etc/issue
|
||
|
Ciphers: aes192-ctr
|
||
|
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
|
||
|
index 9177709..3e7c7ea 100644
|
||
|
--- a/tests/tests_alternative_file_role.yml
|
||
|
+++ b/tests/tests_alternative_file_role.yml
|
||
|
@@ -6,6 +6,7 @@
|
||
|
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||
|
- /etc/ssh/sshd_config_custom
|
||
|
- /etc/ssh/sshd_config_custom_second
|
||
|
+ - /tmp/ssh_host_ecdsa_key
|
||
|
tasks:
|
||
|
- name: "Backup configuration files"
|
||
|
include_tasks: tasks/backup.yml
|
||
|
@@ -57,6 +58,7 @@
|
||
|
roles:
|
||
|
- ansible-sshd
|
||
|
vars:
|
||
|
+ sshd_config_file: /etc/ssh/sshd_config
|
||
|
sshd:
|
||
|
Banner: /etc/issue
|
||
|
Ciphers: aes192-ctr
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Wed, 6 Apr 2022 11:17:12 +0200
|
||
|
Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
tests/tasks/setup.yml | 5 ++---
|
||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
|
||
|
index 90a3f00..a0e9324 100644
|
||
|
--- a/tests/tasks/setup.yml
|
||
|
+++ b/tests/tasks/setup.yml
|
||
|
@@ -26,6 +26,5 @@
|
||
|
main_sshd_config_name: 00-ansible_system_role.conf
|
||
|
main_sshd_config_path: /etc/ssh/sshd_config.d/
|
||
|
when: >
|
||
|
- ansible_facts['distribution'] == 'Fedora' or
|
||
|
- (ansible_facts['distribution'] == 'RedHat' and
|
||
|
- ansible_facts['distribution_major_version']|int > 8)
|
||
|
+ ansible_facts['os_family'] == 'RedHat' and
|
||
|
+ ansible_facts['distribution_major_version']|int > 8
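Review bot: The new condition matches every `os_family == 'RedHat'` distribution with a major version above 8, so besides CentOS 9 it also selects Rocky, Alma, Oracle and similar rebuilds (and Fedora, whose major version is far above 8) — presumably intended, but a comment above `when:` such as `# Fedora, RHEL 9 and its rebuilds: the drop-in file is the main config` would record that. `when: >` also keeps a trailing newline in the rendered expression; `when: >-` is the conventional form, although Ansible evaluates both.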
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Wed, 6 Apr 2022 11:20:34 +0200
|
||
|
Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
tests/tests_alternative_file.yml | 2 +-
|
||
|
tests/tests_alternative_file_role.yml | 2 +-
|
||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
|
||
|
index 215c726..172c73a 100644
|
||
|
--- a/tests/tests_alternative_file.yml
|
||
|
+++ b/tests/tests_alternative_file.yml
|
||
|
@@ -82,7 +82,7 @@
|
||
|
|
||
|
- name: Print the main configuration file
|
||
|
slurp:
|
||
|
- src: "{{ main_sshd_config }}"
|
||
|
+ src: /etc/ssh/sshd_config
|
||
|
register: config3
|
||
|
|
||
|
- name: Check content of first configuration file
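Review bot: The replaced `src:` now hard-codes `/etc/ssh/sshd_config`, the same literal that an earlier patch in this series sets as `sshd_config_file` a few tasks above in this file; referencing one play-level variable from both places, e.g. `src: "{{ sshd_config_file }}"` with the variable defined once in `vars:`, avoids the two copies drifting apart. The same duplication occurs in tests/tests_alternative_file_role.yml below.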
|
||
|
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
|
||
|
index 3e7c7ea..09fbce4 100644
|
||
|
--- a/tests/tests_alternative_file_role.yml
|
||
|
+++ b/tests/tests_alternative_file_role.yml
|
||
|
@@ -98,7 +98,7 @@
|
||
|
|
||
|
- name: Print the main configuration file
|
||
|
slurp:
|
||
|
- src: "{{ main_sshd_config }}"
|
||
|
+ src: /etc/ssh/sshd_config
|
||
|
register: config3
|
||
|
|
||
|
- name: Check content of first configuration file
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Wed, 6 Apr 2022 20:28:32 +0200
|
||
|
Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
tasks/install.yml | 15 ++++++++-------
|
||
|
1 file changed, 8 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/tasks/install.yml b/tasks/install.yml
|
||
|
index f1d8455..571281c 100644
|
||
|
--- a/tasks/install.yml
|
||
|
+++ b/tasks/install.yml
|
||
|
@@ -40,10 +40,11 @@
|
||
|
|
||
|
- name: Make sure hostkeys are available and have expected permissions
|
||
|
vars: &share_vars
|
||
|
+ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
|
||
|
__sshd_fips_mode: >-
|
||
|
- - __sshd_hostkeys_nofips | d([])
|
||
|
- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
|
||
|
- __sshd_userspace_fips_mode.content | b64decode != "0" | bool
|
||
|
+ {{ __sshd_hostkeys_nofips | d([]) and
|
||
|
+ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
|
||
|
+ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
|
||
|
# This mimics the macro body_option() in sshd_config.j2
|
||
|
# The explicit to_json filter is needed for Python 2 compatibility
|
||
|
__sshd_hostkeys_from_config: >-
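Review bot: The `d('MAo=')` fallbacks on the two new `b64decode` lines make a missing or skipped read of the kernel and userspace FIPS indicators indistinguishable from a genuine `0`, so any failure to collect those facts silently resolves to "not FIPS" and the non-FIPS host keys are kept. If that fail-open behaviour is deliberate, the comment should say so, e.g. `# Missing facts (file absent or read skipped) are treated as FIPS disabled`; otherwise consider asserting that the registered results exist before evaluating them. The rendered value is the text `True`/`False` inside a `>-` scalar and is later used as a boolean in the templates, which relies on Ansible converting literal-looking template output back to a bool — confirm this holds with the Jinja settings in use. Note also that `__sshd_fips_mode` is false whenever `__sshd_hostkeys_nofips` is empty, so the name describes "FIPS key filtering applies" rather than "the host is in FIPS mode".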
|
||
|
@@ -58,14 +59,14 @@
|
||
|
{{ __sshd_defaults['HostKey'] | to_json }}
|
||
|
{% endif %}
|
||
|
{% else %}
|
||
|
- []
|
||
|
+ {{ [] | to_json }}
|
||
|
{% endif %}
|
||
|
__sshd_verify_hostkeys: >-
|
||
|
{% if not sshd_verify_hostkeys %}
|
||
|
- []
|
||
|
+ {{ [] | to_json }}
|
||
|
{% elif sshd_verify_hostkeys == 'auto' %}
|
||
|
- {% if sshd_HostKey is string %}
|
||
|
- [ {{ __sshd_hostkeys_from_config }} ]
|
||
|
+ {% if __sshd_hostkeys_from_config | from_json is string %}
|
||
|
+ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
|
||
|
{% else %}
|
||
|
{{ __sshd_hostkeys_from_config }}
|
||
|
{% endif %}
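Review bot: `__sshd_hostkeys_from_config | from_json` is parsed twice in the new lines (once in the `is string` test, once when wrapping it in a list), and the final patch of this series adds a third evaluation in the same block. A single `{% set keys = __sshd_hostkeys_from_config | from_json %}` right after the `auto` branch opens would let the tests read `{% if keys is string %}` and `{{ [keys] | to_json }}`, which is easier to follow and parses the JSON once. The `>-` scalar this belongs to begins above the hunk.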
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Mon, 11 Apr 2022 13:06:24 +0200
|
||
|
Subject: [PATCH 6/7] tests: Add negative test for FIPS mode
|
||
|
|
||
|
This also fixes a typo that was previously overlooked
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
|
||
|
1 file changed, 46 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
|
||
|
index 65cc765..7cf3767 100644
|
||
|
--- a/tests/tests_hostkeys_fips.yml
|
||
|
+++ b/tests/tests_hostkeys_fips.yml
|
||
|
@@ -4,13 +4,52 @@
|
||
|
__sshd_test_backup_files:
|
||
|
- /etc/ssh/sshd_config
|
||
|
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||
|
- - /etc/ssh/ssh_host_ed255519_key
|
||
|
- - /etc/ssh/ssh_host_ed255519_key.pub
|
||
|
+ - /etc/ssh/ssh_host_ed25519_key
|
||
|
+ - /etc/ssh/ssh_host_ed25519_key.pub
|
||
|
- /etc/system-fips
|
||
|
tasks:
|
||
|
- name: "Backup configuration files"
|
||
|
include_tasks: tasks/backup.yml
|
||
|
|
||
|
+ - name: Run the role with default parameters without FIPS mode
|
||
|
+ include_role:
|
||
|
+ name: ansible-sshd
|
||
|
+
|
||
|
+ - name: Verify the options are correctly set
|
||
|
+ block:
|
||
|
+ - meta: flush_handlers
|
||
|
+
|
||
|
+ - name: Print current configuration file
|
||
|
+ slurp:
|
||
|
+ src: "{{ main_sshd_config }}"
|
||
|
+ register: config
|
||
|
+
|
||
|
+ - name: Get stat of private key
|
||
|
+ stat:
|
||
|
+ path: /etc/ssh/ssh_host_ed25519_key
|
||
|
+ register: privkey
|
||
|
+
|
||
|
+ - name: Get stat of public key
|
||
|
+ stat:
|
||
|
+ path: /etc/ssh/ssh_host_ed25519_key.pub
|
||
|
+ register: pubkey
|
||
|
+
|
||
|
+ - name: Check the key is in configuration file (without include)
|
||
|
+ assert:
|
||
|
+ that:
|
||
|
+ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
|
||
|
+ when:
|
||
|
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
|
||
|
+
|
||
|
+ - name: Check host key was generated
|
||
|
+ assert:
|
||
|
+ that:
|
||
|
+ - privkey.stat.exists
|
||
|
+ - pubkey.stat.exists
|
||
|
+ when:
|
||
|
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
|
||
|
+ tags: tests::verify
|
||
|
+
|
||
|
- name: Fake FIPS mode
|
||
|
block:
|
||
|
- name: Create temporary directory
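Review bot: The new "without FIPS mode" block assumes the host running the test is not itself in FIPS mode; on a host where `/proc/sys/crypto/fips_enabled` reads `1` the role filters the Ed25519 key and `Check host key was generated` fails for an unrelated reason. Guarding the block with the same detection the role uses (or skipping it when that file reads `1`) keeps the negative test meaningful. The `when:` on both assert tasks is a one-item list holding an `a and b` expression; writing the two clauses as separate list items (`- ansible_facts['os_family'] == 'RedHat'` / `- ansible_facts['distribution_major_version']|int < 9`) uses the implicit-AND list form and keeps each condition readable. The enclosing play starts above this hunk.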
|
||
|
@@ -40,13 +79,13 @@
|
||
|
- name: Remove the Ed25519 hostkey
|
||
|
file:
|
||
|
path:
|
||
|
- /etc/ssh/ssh_host_ed255519_key
|
||
|
+ /etc/ssh/ssh_host_ed25519_key
|
||
|
state: absent
|
||
|
|
||
|
- name: Remove the Ed25519 pubkey
|
||
|
file:
|
||
|
path:
|
||
|
- /etc/ssh/ssh_host_ed255519_key.pub
|
||
|
+ /etc/ssh/ssh_host_ed25519_key.pub
|
||
|
state: absent
|
||
|
|
||
|
- name: Run the role with default parameters
|
||
|
@@ -64,18 +103,18 @@
|
||
|
|
||
|
- name: Get stat of private key
|
||
|
stat:
|
||
|
- path: /etc/ssh/ssh_host_ed255519_key
|
||
|
+ path: /etc/ssh/ssh_host_ed25519_key
|
||
|
register: privkey
|
||
|
|
||
|
- name: Get stat of public key
|
||
|
stat:
|
||
|
- path: /etc/ssh/ssh_host_ed255519_key.pub
|
||
|
+ path: /etc/ssh/ssh_host_ed25519_key.pub
|
||
|
register: pubkey
|
||
|
|
||
|
- name: Check the key is not in configuration file
|
||
|
assert:
|
||
|
that:
|
||
|
- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
|
||
|
+ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
|
||
|
|
||
|
- name: Check no host key was generated
|
||
|
assert:
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||
|
Date: Mon, 11 Apr 2022 13:07:44 +0200
|
||
|
Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
|
||
|
directory
|
||
|
|
||
|
Previously no hostkeys were checked if they were not present
|
||
|
in the generated configuration file. When the drop-in directory is
|
||
|
is used, there are usually no hostkeys in that file, so no sanity
|
||
|
check for hostkeys was executed.
|
||
|
|
||
|
This amends the "auto" value for the hostkeys check to allow checking
|
||
|
for default hostkeys that are read by OpenSSH by default.
|
||
|
|
||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||
|
---
|
||
|
defaults/main.yml | 1 +
|
||
|
tasks/install.yml | 8 +++++++-
|
||
|
vars/Fedora.yml | 6 ++++++
|
||
|
vars/RedHat_9.yml | 6 ++++++
|
||
|
4 files changed, 20 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/defaults/main.yml b/defaults/main.yml
|
||
|
index 18d6114..7e40e51 100644
|
||
|
--- a/defaults/main.yml
|
||
|
+++ b/defaults/main.yml
|
||
|
@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
|
||
|
# configuration or restarting), we make sure the keys exist and have correct
|
||
|
# permissions. To disable this check, set sshd_verify_hostkeys to false
|
||
|
sshd_verify_hostkeys: "auto"
|
||
|
+__sshd_verify_hostkeys_default: []
|
||
|
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
|
||
|
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
|
||
|
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
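Review bot: `__sshd_verify_hostkeys_default: []` is a role-internal (double-underscore) variable added to defaults/main.yml, the file users read for tunables, without any explanation. A comment such as `# Role-internal fallback; overridden per platform in vars/<os>.yml, not meant to be set by users` would make clear why it sits among the public options (role defaults have the lowest precedence, so the per-platform lists in this patch win). Without it a reader may assume it is a supported knob.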
|
||
|
diff --git a/tasks/install.yml b/tasks/install.yml
|
||
|
index 571281c..fa7d3c3 100644
|
||
|
--- a/tasks/install.yml
|
||
|
+++ b/tasks/install.yml
|
||
|
@@ -65,7 +65,13 @@
|
||
|
{% if not sshd_verify_hostkeys %}
|
||
|
{{ [] | to_json }}
|
||
|
{% elif sshd_verify_hostkeys == 'auto' %}
|
||
|
- {% if __sshd_hostkeys_from_config | from_json is string %}
|
||
|
+ {% if not __sshd_hostkeys_from_config | from_json %}
|
||
|
+ {% if __sshd_fips_mode %}
|
||
|
+ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
|
||
|
+ {% else %}
|
||
|
+ {{ __sshd_verify_hostkeys_default | to_json }}
|
||
|
+ {% endif %}
|
||
|
+ {% elif __sshd_hostkeys_from_config | from_json is string %}
|
||
|
{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
|
||
|
{% else %}
|
||
|
{{ __sshd_hostkeys_from_config }}
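Review bot: The new `{% if __sshd_fips_mode %}` branch passes `__sshd_hostkeys_nofips` to `difference` without the `| d([])` fallback that the definition of `__sshd_fips_mode` itself uses, so on platforms whose vars file does not define that list the template only stays safe because `__sshd_fips_mode` then happens to be false; `difference(__sshd_hostkeys_nofips | d([]))` removes that hidden coupling. The fallback also presumes the paths listed in vars/*.yml are the keys sshd actually loads; if the main file or another drop-in sets HostKey explicitly, the verification targets keys sshd does not use — a short Jinja comment above the branch stating that the built-in OpenSSH default paths are verified only when the generated file sets no HostKey would make the assumption visible. The `>-` scalar containing this block starts above the hunk.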
|
||
|
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
|
||
|
index 77bf172..cf2b081 100644
|
||
|
--- a/vars/Fedora.yml
|
||
|
+++ b/vars/Fedora.yml
|
||
|
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||
|
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||
|
__sshd_defaults:
|
||
|
__sshd_os_supported: yes
|
||
|
+__sshd_verify_hostkeys_default:
|
||
|
+ - /etc/ssh/ssh_host_rsa_key
|
||
|
+ - /etc/ssh/ssh_host_ecdsa_key
|
||
|
+ - /etc/ssh/ssh_host_ed25519_key
|
||
|
+__sshd_hostkeys_nofips:
|
||
|
+ - /etc/ssh/ssh_host_ed25519_key
|
||
|
__sshd_hostkey_group: ssh_keys
|
||
|
__sshd_hostkey_mode: "0640"
|
||
|
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
|
||
|
index 33df26a..55239f4 100644
|
||
|
--- a/vars/RedHat_9.yml
|
||
|
+++ b/vars/RedHat_9.yml
|
||
|
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
|
||
|
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||
|
__sshd_defaults:
|
||
|
__sshd_os_supported: yes
|
||
|
+__sshd_verify_hostkeys_default:
|
||
|
+ - /etc/ssh/ssh_host_rsa_key
|
||
|
+ - /etc/ssh/ssh_host_ecdsa_key
|
||
|
+ - /etc/ssh/ssh_host_ed25519_key
|
||
|
+__sshd_hostkeys_nofips:
|
||
|
+ - /etc/ssh/ssh_host_ed25519_key
|
||
|
__sshd_hostkey_group: ssh_keys
|
||
|
__sshd_hostkey_mode: "0640"
|
||
|
--
|
||
|
2.34.1