import rhel-system-roles-1.16.2-1.el9_0.2

This commit is contained in:
CentOS Sources 2022-05-17 18:35:36 -04:00 committed by Stepan Oksanichenko
parent d5d834ba6a
commit 0440365642
4 changed files with 443 additions and 4 deletions

.gitignore vendored

@ -19,5 +19,5 @@ SOURCES/selinux-1.3.4.tar.gz
SOURCES/ssh-1.1.4.tar.gz
SOURCES/storage-1.7.0.tar.gz
SOURCES/timesync-1.6.6.tar.gz
SOURCES/tlog-1.2.5.tar.gz
SOURCES/tlog-1.2.6.tar.gz
SOURCES/vpn-1.3.2.tar.gz


@ -19,5 +19,5 @@ dcd2261fe6b6a998aca3eb6c968204152e2ffd51 SOURCES/network-1.7.1.tar.gz
f38972c4b22a9f226b58725c7e9ba8fac692bba2 SOURCES/ssh-1.1.4.tar.gz
0728b4e01261f84ce470431a4ea21907db75f26a SOURCES/storage-1.7.0.tar.gz
0bd118c9df9bf556a76d42c92bde11fde5553eba SOURCES/timesync-1.6.6.tar.gz
17e6f3d437d161143c87b6709a42a3eff6ef7df0 SOURCES/tlog-1.2.5.tar.gz
d10a0dd866c1ce982d2ba22500718df3fb2ab766 SOURCES/tlog-1.2.6.tar.gz
d1bb00636c04bc1b2d94ce0e491afe9ef921cd56 SOURCES/vpn-1.3.2.tar.gz

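--- /dev/null
+++ b/SOURCES/ansible-sshd.patch
@@ -0,0 +1,428 @@
+From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 10:42:17 +0200
+Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter
+This fixes up the commit 7f69d1e6
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+templates/sshd_config.j2 | 6 +++++-
+templates/sshd_config_snippet.j2 | 6 +++++-
+2 files changed, 10 insertions(+), 2 deletions(-)
+diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
+index 15ee668..8c7f322 100644
+--- a/templates/sshd_config.j2
++++ b/templates/sshd_config.j2
+@@ -22,7 +22,11 @@
+{% elif sshd[key] is defined %}
+{% set value = sshd[key] %}
+{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
+-{% set value = __sshd_defaults[key] %}
++{% if key == 'HostKey' and __sshd_fips_mode %}
++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
++{% else %}
++{% set value = __sshd_defaults[key] %}
++{% endif %}
+{% endif %}
+{{ render_option(key,value) -}}
+{% endmacro %}
+diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
+index 6766e09..6b23c76 100644
+--- a/templates/sshd_config_snippet.j2
++++ b/templates/sshd_config_snippet.j2
+@@ -21,7 +21,11 @@
+{% elif sshd[key] is defined %}
+{% set value = sshd[key] %}
+{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
+-{% set value = __sshd_defaults[key] %}
++{% if key == 'HostKey' and __sshd_fips_mode %}
++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
++{% else %}
++{% set value = __sshd_defaults[key] %}
++{% endif %}
+{% endif %}
+{{ render_option(key,value) -}}
+{% endmacro %}
+--
+2.34.1
+From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 11:10:27 +0200
+Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
+well with the drop-in directory
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tests_alternative_file.yml | 2 ++
+tests/tests_alternative_file_role.yml | 2 ++
+2 files changed, 4 insertions(+)
+diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
+index 0a8ccaf..215c726 100644
+--- a/tests/tests_alternative_file.yml
++++ b/tests/tests_alternative_file.yml
+@@ -6,6 +6,7 @@
+- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+- /etc/ssh/sshd_config_custom
+- /etc/ssh/sshd_config_custom_second
++ - /tmp/ssh_host_ecdsa_key
+tasks:
+- name: "Backup configuration files"
+include_tasks: tasks/backup.yml
+@@ -52,6 +53,7 @@
+include_role:
+name: ansible-sshd
+vars:
++ sshd_config_file: /etc/ssh/sshd_config
+sshd:
+Banner: /etc/issue
+Ciphers: aes192-ctr
+diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
+index 9177709..3e7c7ea 100644
+--- a/tests/tests_alternative_file_role.yml
++++ b/tests/tests_alternative_file_role.yml
+@@ -6,6 +6,7 @@
+- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+- /etc/ssh/sshd_config_custom
+- /etc/ssh/sshd_config_custom_second
++ - /tmp/ssh_host_ecdsa_key
+tasks:
+- name: "Backup configuration files"
+include_tasks: tasks/backup.yml
+@@ -57,6 +58,7 @@
+roles:
+- ansible-sshd
+vars:
++ sshd_config_file: /etc/ssh/sshd_config
+sshd:
+Banner: /etc/issue
+Ciphers: aes192-ctr
+--
+2.34.1
+From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 11:17:12 +0200
+Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tasks/setup.yml | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
+index 90a3f00..a0e9324 100644
+--- a/tests/tasks/setup.yml
++++ b/tests/tasks/setup.yml
+@@ -26,6 +26,5 @@
+main_sshd_config_name: 00-ansible_system_role.conf
+main_sshd_config_path: /etc/ssh/sshd_config.d/
+when: >
+- ansible_facts['distribution'] == 'Fedora' or
+- (ansible_facts['distribution'] == 'RedHat' and
+- ansible_facts['distribution_major_version']|int > 8)
++ ansible_facts['os_family'] == 'RedHat' and
++ ansible_facts['distribution_major_version']|int > 8
+--
+2.34.1
+From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 11:20:34 +0200
+Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tests_alternative_file.yml | 2 +-
+tests/tests_alternative_file_role.yml | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
+index 215c726..172c73a 100644
+--- a/tests/tests_alternative_file.yml
++++ b/tests/tests_alternative_file.yml
+@@ -82,7 +82,7 @@
+- name: Print the main configuration file
+slurp:
+- src: "{{ main_sshd_config }}"
++ src: /etc/ssh/sshd_config
+register: config3
+- name: Check content of first configuration file
+diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
+index 3e7c7ea..09fbce4 100644
+--- a/tests/tests_alternative_file_role.yml
++++ b/tests/tests_alternative_file_role.yml
+@@ -98,7 +98,7 @@
+- name: Print the main configuration file
+slurp:
+- src: "{{ main_sshd_config }}"
++ src: /etc/ssh/sshd_config
+register: config3
+- name: Check content of first configuration file
+--
+2.34.1
+From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 20:28:32 +0200
+Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tasks/install.yml | 15 ++++++++-------
+1 file changed, 8 insertions(+), 7 deletions(-)
+diff --git a/tasks/install.yml b/tasks/install.yml
+index f1d8455..571281c 100644
+--- a/tasks/install.yml
++++ b/tasks/install.yml
+@@ -40,10 +40,11 @@
+- name: Make sure hostkeys are available and have expected permissions
+vars: &share_vars
++ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
+__sshd_fips_mode: >-
+- - __sshd_hostkeys_nofips | d([])
+- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
+- __sshd_userspace_fips_mode.content | b64decode != "0" | bool
++ {{ __sshd_hostkeys_nofips | d([]) and
++ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
++ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
+# This mimics the macro body_option() in sshd_config.j2
+# The explicit to_json filter is needed for Python 2 compatibility
+__sshd_hostkeys_from_config: >-
+@@ -58,14 +59,14 @@
+{{ __sshd_defaults['HostKey'] | to_json }}
+{% endif %}
+{% else %}
+- []
++ {{ [] | to_json }}
+{% endif %}
+__sshd_verify_hostkeys: >-
+{% if not sshd_verify_hostkeys %}
+- []
++ {{ [] | to_json }}
+{% elif sshd_verify_hostkeys == 'auto' %}
+- {% if sshd_HostKey is string %}
+- [ {{ __sshd_hostkeys_from_config }} ]
++ {% if __sshd_hostkeys_from_config | from_json is string %}
++ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
+{% else %}
+{{ __sshd_hostkeys_from_config }}
+{% endif %}
+--
+2.34.1
+From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 11 Apr 2022 13:06:24 +0200
+Subject: [PATCH 6/7] tests: Add negative test for FIPS mode
+This fixes also a typo that was overlooked previously
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
+1 file changed, 46 insertions(+), 7 deletions(-)
+diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
+index 65cc765..7cf3767 100644
+--- a/tests/tests_hostkeys_fips.yml
++++ b/tests/tests_hostkeys_fips.yml
+@@ -4,13 +4,52 @@
+__sshd_test_backup_files:
+- /etc/ssh/sshd_config
+- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+- - /etc/ssh/ssh_host_ed255519_key
+- - /etc/ssh/ssh_host_ed255519_key.pub
++ - /etc/ssh/ssh_host_ed25519_key
++ - /etc/ssh/ssh_host_ed25519_key.pub
+- /etc/system-fips
+tasks:
+- name: "Backup configuration files"
+include_tasks: tasks/backup.yml
++ - name: Run the role with default parameters without FIPS mode
++ include_role:
++ name: ansible-sshd
++
++ - name: Verify the options are correctly set
++ block:
++ - meta: flush_handlers
++
++ - name: Print current configuration file
++ slurp:
++ src: "{{ main_sshd_config }}"
++ register: config
++
++ - name: Get stat of private key
++ stat:
++ path: /etc/ssh/ssh_host_ed25519_key
++ register: privkey
++
++ - name: Get stat of public key
++ stat:
++ path: /etc/ssh/ssh_host_ed25519_key.pub
++ register: pubkey
++
++ - name: Check the key is in configuration file (without include)
++ assert:
++ that:
++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
++ when:
++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
++
++ - name: Check host key was generated
++ assert:
++ that:
++ - privkey.stat.exists
++ - pubkey.stat.exists
++ when:
++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
++ tags: tests::verify
++
+- name: Fake FIPS mode
+block:
+- name: Create temporary directory
+@@ -40,13 +79,13 @@
+- name: Remove the Ed25519 hostkey
+file:
+path:
+- /etc/ssh/ssh_host_ed255519_key
++ /etc/ssh/ssh_host_ed25519_key
+state: absent
+- name: Remove the Ed25519 pubkey
+file:
+path:
+- /etc/ssh/ssh_host_ed255519_key.pub
++ /etc/ssh/ssh_host_ed25519_key.pub
+state: absent
+- name: Run the role with default parameters
+@@ -64,18 +103,18 @@
+- name: Get stat of private key
+stat:
+- path: /etc/ssh/ssh_host_ed255519_key
++ path: /etc/ssh/ssh_host_ed25519_key
+register: privkey
+- name: Get stat of public key
+stat:
+- path: /etc/ssh/ssh_host_ed255519_key.pub
++ path: /etc/ssh/ssh_host_ed25519_key.pub
+register: pubkey
+- name: Check the key is not in configuration file
+assert:
+that:
+- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
+- name: Check no host key was generated
+assert:
+--
+2.34.1
+From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 11 Apr 2022 13:07:44 +0200
+Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
+directory
+Previously no hostkeys were checked if they were not present
+in the generated configuration file. When the drop-in directory is
+used, usually, there are no hostkeys in that file and no sanity
+check for hostkeys was executed.
+This amends the "auto" value for the hostkeys check to allow checking
+for default hostkeys that are read by OpenSSH by default.
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+defaults/main.yml | 1 +
+tasks/install.yml | 8 +++++++-
+vars/Fedora.yml | 6 ++++++
+vars/RedHat_9.yml | 6 ++++++
+4 files changed, 20 insertions(+), 1 deletion(-)
+diff --git a/defaults/main.yml b/defaults/main.yml
+index 18d6114..7e40e51 100644
+--- a/defaults/main.yml
++++ b/defaults/main.yml
+@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
+# configuration or restarting), we make sure the keys exist and have correct
+# permissions. To disable this check, set sshd_verify_hostkeys to false
+sshd_verify_hostkeys: "auto"
++__sshd_verify_hostkeys_default: []
+sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
+sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
+sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
+diff --git a/tasks/install.yml b/tasks/install.yml
+index 571281c..fa7d3c3 100644
+--- a/tasks/install.yml
++++ b/tasks/install.yml
+@@ -65,7 +65,13 @@
+{% if not sshd_verify_hostkeys %}
+{{ [] | to_json }}
+{% elif sshd_verify_hostkeys == 'auto' %}
+- {% if __sshd_hostkeys_from_config | from_json is string %}
++ {% if not __sshd_hostkeys_from_config | from_json %}
++ {% if __sshd_fips_mode %}
++ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
++ {% else %}
++ {{ __sshd_verify_hostkeys_default | to_json }}
++ {% endif %}
++ {% elif __sshd_hostkeys_from_config | from_json is string %}
+{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
+{% else %}
+{{ __sshd_hostkeys_from_config }}
+diff --git a/vars/Fedora.yml b/vars/Fedora.yml
+index 77bf172..cf2b081 100644
+--- a/vars/Fedora.yml
++++ b/vars/Fedora.yml
+@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_defaults:
+__sshd_os_supported: yes
++__sshd_verify_hostkeys_default:
++ - /etc/ssh/ssh_host_rsa_key
++ - /etc/ssh/ssh_host_ecdsa_key
++ - /etc/ssh/ssh_host_ed25519_key
++__sshd_hostkeys_nofips:
++ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkey_group: ssh_keys
+__sshd_hostkey_mode: "0640"
+diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
+index 33df26a..55239f4 100644
+--- a/vars/RedHat_9.yml
++++ b/vars/RedHat_9.yml
+@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_defaults:
+__sshd_os_supported: yes
++__sshd_verify_hostkeys_default:
++ - /etc/ssh/ssh_host_rsa_key
++ - /etc/ssh/ssh_host_ecdsa_key
++ - /etc/ssh/ssh_host_ed25519_key
++__sshd_hostkeys_nofips:
++ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkey_group: ssh_keys
+__sshd_hostkey_mode: "0640"
+--
+2.34.1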
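Review bot: In the PATCH 5/7 hunk for tasks/install.yml, `__sshd_fips_mode` is a `>-` folded scalar whose expression `__sshd_hostkeys_nofips | d([]) and (...)` short-circuits to the list itself when the no-FIPS key list is empty, so the rendered value is sometimes the text of a list and sometimes a boolean word; the later `{% if __sshd_fips_mode %}` guards in the templates and in PATCH 7/7 then depend on Ansible turning that rendered text back into a native value, which appears to work here but is fragile and hard to read. Making the first operand an explicit boolean removes the type ambiguity: `{{ (__sshd_hostkeys_nofips | d([]) | length > 0) and` in place of `{{ __sshd_hostkeys_nofips | d([]) and`. The two FIPS probes are also asymmetric (kernel `== '1'`, userspace `!= '0'`), which is a reasonable fail-toward-FIPS choice for a hostkey filter but deserves a comment next to the existing `'MAo='` note, e.g. `# any userspace value other than '0' is treated as FIPS on, so a misread errs toward filtering keys`. Separately, the new `__sshd_verify_hostkeys_default: []` in defaults/main.yml has no comment; suggest `# Hostkeys checked by sshd_verify_hostkeys: "auto" when the generated config declares no HostKey; overridden per platform in vars/`. The task that consumes the `&share_vars` anchor continues outside the quoted hunk.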


@ -31,7 +31,7 @@ Name: linux-system-roles
Url: https://github.com/linux-system-roles
Summary: Set of interfaces for unified system management
Version: 1.16.2
Release: 1%{?dist}
Release: 1%{?dist}.2
#Group: Development/Libraries
License: GPLv3+ and MIT and BSD and Python
@ -155,7 +155,7 @@ BuildRequires: %{ansible_build_dep}
#%%defcommit 8 2b9e53233ee3a68bdb532e62f289733e436a6106
%global rolename8 tlog
%deftag 8 1.2.5
%deftag 8 1.2.6
#%%defcommit 9 9373303b98e09ef38df7afc8d06e5e55812096c7
%global rolename9 kernel_settings
@ -242,6 +242,8 @@ Source998: collection_readme.sh
Patch51: network-disable-bondtests.diff
Patch1501: ansible-sshd.patch
BuildArch: noarch
%if %{with html}
@ -334,6 +336,7 @@ cd %{rolename5}
%patch51 -p1
cd ..
cd %{rolename15}
%patch1501 -p1
sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml
sed -r -i -e "s/ willshersystems.sshd/ linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md
sed -r -i -e "s/min_ansible_version: 2.8/min_ansible_version: 2.9/" meta/main.yml
@ -710,6 +713,14 @@ fi
%endif
%changelog
* Thu Apr 21 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1.2
- sshd - FIPS mode detection in SSHD role is wrong
Resolves rhbz#2077475 (EL9)
* Wed Apr 20 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1.1
- Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default
Resolves rhbz#2075545 (EL9)
* Tue Mar 29 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1
- nbde_client - NBDE client system role does not support servers with static IP addresses
previous fix did not handle some cases