import rhel-system-roles-1.16.2-1.el9_0.2
This commit is contained in:
parent
d5d834ba6a
commit
0440365642
2
.gitignore
vendored
2
.gitignore
vendored
@ -19,5 +19,5 @@ SOURCES/selinux-1.3.4.tar.gz
|
|||||||
SOURCES/ssh-1.1.4.tar.gz
|
SOURCES/ssh-1.1.4.tar.gz
|
||||||
SOURCES/storage-1.7.0.tar.gz
|
SOURCES/storage-1.7.0.tar.gz
|
||||||
SOURCES/timesync-1.6.6.tar.gz
|
SOURCES/timesync-1.6.6.tar.gz
|
||||||
SOURCES/tlog-1.2.5.tar.gz
|
SOURCES/tlog-1.2.6.tar.gz
|
||||||
SOURCES/vpn-1.3.2.tar.gz
|
SOURCES/vpn-1.3.2.tar.gz
|
||||||
|
@ -19,5 +19,5 @@ dcd2261fe6b6a998aca3eb6c968204152e2ffd51 SOURCES/network-1.7.1.tar.gz
|
|||||||
f38972c4b22a9f226b58725c7e9ba8fac692bba2 SOURCES/ssh-1.1.4.tar.gz
|
f38972c4b22a9f226b58725c7e9ba8fac692bba2 SOURCES/ssh-1.1.4.tar.gz
|
||||||
0728b4e01261f84ce470431a4ea21907db75f26a SOURCES/storage-1.7.0.tar.gz
|
0728b4e01261f84ce470431a4ea21907db75f26a SOURCES/storage-1.7.0.tar.gz
|
||||||
0bd118c9df9bf556a76d42c92bde11fde5553eba SOURCES/timesync-1.6.6.tar.gz
|
0bd118c9df9bf556a76d42c92bde11fde5553eba SOURCES/timesync-1.6.6.tar.gz
|
||||||
17e6f3d437d161143c87b6709a42a3eff6ef7df0 SOURCES/tlog-1.2.5.tar.gz
|
d10a0dd866c1ce982d2ba22500718df3fb2ab766 SOURCES/tlog-1.2.6.tar.gz
|
||||||
d1bb00636c04bc1b2d94ce0e491afe9ef921cd56 SOURCES/vpn-1.3.2.tar.gz
|
d1bb00636c04bc1b2d94ce0e491afe9ef921cd56 SOURCES/vpn-1.3.2.tar.gz
|
||||||
|
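--- a/SOURCES/ansible-sshd.patch
+++ b/SOURCES/ansible-sshd.patch
@@ -0,0 +1,428 @@
+From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 10:42:17 +0200
+Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter
+
+This fixes up the commit 7f69d1e6
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+templates/sshd_config.j2 | 6 +++++-
+templates/sshd_config_snippet.j2 | 6 +++++-
+2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
+index 15ee668..8c7f322 100644
+--- a/templates/sshd_config.j2
++++ b/templates/sshd_config.j2
+@@ -22,7 +22,11 @@
+{% elif sshd[key] is defined %}
+{% set value = sshd[key] %}
+{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
+-{% set value = __sshd_defaults[key] %}
++{% if key == 'HostKey' and __sshd_fips_mode %}
++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
++{% else %}
++{% set value = __sshd_defaults[key] %}
++{% endif %}
+{% endif %}
+{{ render_option(key,value) -}}
+{% endmacro %}
+diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
+index 6766e09..6b23c76 100644
+--- a/templates/sshd_config_snippet.j2
++++ b/templates/sshd_config_snippet.j2
+@@ -21,7 +21,11 @@
+{% elif sshd[key] is defined %}
+{% set value = sshd[key] %}
+{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
+-{% set value = __sshd_defaults[key] %}
++{% if key == 'HostKey' and __sshd_fips_mode %}
++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
++{% else %}
++{% set value = __sshd_defaults[key] %}
++{% endif %}
+{% endif %}
+{{ render_option(key,value) -}}
+{% endmacro %}
+--
+2.34.1
+
+
+From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 11:10:27 +0200
+Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
+well with the drop-in directory
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tests_alternative_file.yml | 2 ++
+tests/tests_alternative_file_role.yml | 2 ++
+2 files changed, 4 insertions(+)
+
+diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
+index 0a8ccaf..215c726 100644
+--- a/tests/tests_alternative_file.yml
++++ b/tests/tests_alternative_file.yml
+@@ -6,6 +6,7 @@
+- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+- /etc/ssh/sshd_config_custom
+- /etc/ssh/sshd_config_custom_second
++ - /tmp/ssh_host_ecdsa_key
+tasks:
+- name: "Backup configuration files"
+include_tasks: tasks/backup.yml
+@@ -52,6 +53,7 @@
+include_role:
+name: ansible-sshd
+vars:
++ sshd_config_file: /etc/ssh/sshd_config
+sshd:
+Banner: /etc/issue
+Ciphers: aes192-ctr
+diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
+index 9177709..3e7c7ea 100644
+--- a/tests/tests_alternative_file_role.yml
++++ b/tests/tests_alternative_file_role.yml
+@@ -6,6 +6,7 @@
+- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+- /etc/ssh/sshd_config_custom
+- /etc/ssh/sshd_config_custom_second
++ - /tmp/ssh_host_ecdsa_key
+tasks:
+- name: "Backup configuration files"
+include_tasks: tasks/backup.yml
+@@ -57,6 +58,7 @@
+roles:
+- ansible-sshd
+vars:
++ sshd_config_file: /etc/ssh/sshd_config
+sshd:
+Banner: /etc/issue
+Ciphers: aes192-ctr
+--
+2.34.1
+
+
+From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 11:17:12 +0200
+Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tasks/setup.yml | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
+index 90a3f00..a0e9324 100644
+--- a/tests/tasks/setup.yml
++++ b/tests/tasks/setup.yml
+@@ -26,6 +26,5 @@
+main_sshd_config_name: 00-ansible_system_role.conf
+main_sshd_config_path: /etc/ssh/sshd_config.d/
+when: >
+- ansible_facts['distribution'] == 'Fedora' or
+- (ansible_facts['distribution'] == 'RedHat' and
+- ansible_facts['distribution_major_version']|int > 8)
++ ansible_facts['os_family'] == 'RedHat' and
++ ansible_facts['distribution_major_version']|int > 8
+--
+2.34.1
+
+
+From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 11:20:34 +0200
+Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tests_alternative_file.yml | 2 +-
+tests/tests_alternative_file_role.yml | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
+index 215c726..172c73a 100644
+--- a/tests/tests_alternative_file.yml
++++ b/tests/tests_alternative_file.yml
+@@ -82,7 +82,7 @@
+
+- name: Print the main configuration file
+slurp:
+- src: "{{ main_sshd_config }}"
++ src: /etc/ssh/sshd_config
+register: config3
+
+- name: Check content of first configuration file
+diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
+index 3e7c7ea..09fbce4 100644
+--- a/tests/tests_alternative_file_role.yml
++++ b/tests/tests_alternative_file_role.yml
+@@ -98,7 +98,7 @@
+
+- name: Print the main configuration file
+slurp:
+- src: "{{ main_sshd_config }}"
++ src: /etc/ssh/sshd_config
+register: config3
+
+- name: Check content of first configuration file
+--
+2.34.1
+
+
+From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Apr 2022 20:28:32 +0200
+Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tasks/install.yml | 15 ++++++++-------
+1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/tasks/install.yml b/tasks/install.yml
+index f1d8455..571281c 100644
+--- a/tasks/install.yml
++++ b/tasks/install.yml
+@@ -40,10 +40,11 @@
+
+- name: Make sure hostkeys are available and have expected permissions
+vars: &share_vars
++ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
+__sshd_fips_mode: >-
+- - __sshd_hostkeys_nofips | d([])
+- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
+- __sshd_userspace_fips_mode.content | b64decode != "0" | bool
++ {{ __sshd_hostkeys_nofips | d([]) and
++ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
++ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
+# This mimics the macro body_option() in sshd_config.j2
+# The explicit to_json filter is needed for Python 2 compatibility
+__sshd_hostkeys_from_config: >-
+@@ -58,14 +59,14 @@
+{{ __sshd_defaults['HostKey'] | to_json }}
+{% endif %}
+{% else %}
+- []
++ {{ [] | to_json }}
+{% endif %}
+__sshd_verify_hostkeys: >-
+{% if not sshd_verify_hostkeys %}
+- []
++ {{ [] | to_json }}
+{% elif sshd_verify_hostkeys == 'auto' %}
+- {% if sshd_HostKey is string %}
+- [ {{ __sshd_hostkeys_from_config }} ]
++ {% if __sshd_hostkeys_from_config | from_json is string %}
++ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
+{% else %}
+{{ __sshd_hostkeys_from_config }}
+{% endif %}
+--
+2.34.1
+
+
+From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 11 Apr 2022 13:06:24 +0200
+Subject: [PATCH 6/7] tests: Add negative test for FIPS mode
+
+This fixes also a typo that was overlooked previously
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
+1 file changed, 46 insertions(+), 7 deletions(-)
+
+diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
+index 65cc765..7cf3767 100644
+--- a/tests/tests_hostkeys_fips.yml
++++ b/tests/tests_hostkeys_fips.yml
+@@ -4,13 +4,52 @@
+__sshd_test_backup_files:
+- /etc/ssh/sshd_config
+- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+- - /etc/ssh/ssh_host_ed255519_key
+- - /etc/ssh/ssh_host_ed255519_key.pub
++ - /etc/ssh/ssh_host_ed25519_key
++ - /etc/ssh/ssh_host_ed25519_key.pub
+- /etc/system-fips
+tasks:
+- name: "Backup configuration files"
+include_tasks: tasks/backup.yml
+
++ - name: Run the role with default parameters without FIPS mode
++ include_role:
++ name: ansible-sshd
++
++ - name: Verify the options are correctly set
++ block:
++ - meta: flush_handlers
++
++ - name: Print current configuration file
++ slurp:
++ src: "{{ main_sshd_config }}"
++ register: config
++
++ - name: Get stat of private key
++ stat:
++ path: /etc/ssh/ssh_host_ed25519_key
++ register: privkey
++
++ - name: Get stat of public key
++ stat:
++ path: /etc/ssh/ssh_host_ed25519_key.pub
++ register: pubkey
++
++ - name: Check the key is in configuration file (without include)
++ assert:
++ that:
++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
++ when:
++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
++
++ - name: Check host key was generated
++ assert:
++ that:
++ - privkey.stat.exists
++ - pubkey.stat.exists
++ when:
++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
++ tags: tests::verify
++
+- name: Fake FIPS mode
+block:
+- name: Create temporary directory
+@@ -40,13 +79,13 @@
+- name: Remove the Ed25519 hostkey
+file:
+path:
+- /etc/ssh/ssh_host_ed255519_key
++ /etc/ssh/ssh_host_ed25519_key
+state: absent
+
+- name: Remove the Ed25519 pubkey
+file:
+path:
+- /etc/ssh/ssh_host_ed255519_key.pub
++ /etc/ssh/ssh_host_ed25519_key.pub
+state: absent
+
+- name: Run the role with default parameters
+@@ -64,18 +103,18 @@
+
+- name: Get stat of private key
+stat:
+- path: /etc/ssh/ssh_host_ed255519_key
++ path: /etc/ssh/ssh_host_ed25519_key
+register: privkey
+
+- name: Get stat of public key
+stat:
+- path: /etc/ssh/ssh_host_ed255519_key.pub
++ path: /etc/ssh/ssh_host_ed25519_key.pub
+register: pubkey
+
+- name: Check the key is not in configuration file
+assert:
+that:
+- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
+
+- name: Check no host key was generated
+assert:
+--
+2.34.1
+
+
+From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 11 Apr 2022 13:07:44 +0200
+Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
+directory
+
+Previously no hostkeys were checked if they were not present
+in the generated configuration file. When the drop-in directory is
+used, usually, there are no hostkeys in that file and no sanity
+check for hostkeys was executed.
+
+This amends the "auto" value for the hostkeys check to allow checking
+for default hostkeys that are read by OpenSSH by default.
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+defaults/main.yml | 1 +
+tasks/install.yml | 8 +++++++-
+vars/Fedora.yml | 6 ++++++
+vars/RedHat_9.yml | 6 ++++++
+4 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/defaults/main.yml b/defaults/main.yml
+index 18d6114..7e40e51 100644
+--- a/defaults/main.yml
++++ b/defaults/main.yml
+@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
+# configuration or restarting), we make sure the keys exist and have correct
+# permissions. To disable this check, set sshd_verify_hostkeys to false
+sshd_verify_hostkeys: "auto"
++__sshd_verify_hostkeys_default: []
+sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
+sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
+sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
+diff --git a/tasks/install.yml b/tasks/install.yml
+index 571281c..fa7d3c3 100644
+--- a/tasks/install.yml
++++ b/tasks/install.yml
+@@ -65,7 +65,13 @@
+{% if not sshd_verify_hostkeys %}
+{{ [] | to_json }}
+{% elif sshd_verify_hostkeys == 'auto' %}
+- {% if __sshd_hostkeys_from_config | from_json is string %}
++ {% if not __sshd_hostkeys_from_config | from_json %}
++ {% if __sshd_fips_mode %}
++ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
++ {% else %}
++ {{ __sshd_verify_hostkeys_default | to_json }}
++ {% endif %}
++ {% elif __sshd_hostkeys_from_config | from_json is string %}
+{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
+{% else %}
+{{ __sshd_hostkeys_from_config }}
+diff --git a/vars/Fedora.yml b/vars/Fedora.yml
+index 77bf172..cf2b081 100644
+--- a/vars/Fedora.yml
++++ b/vars/Fedora.yml
+@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_defaults:
+__sshd_os_supported: yes
++__sshd_verify_hostkeys_default:
++ - /etc/ssh/ssh_host_rsa_key
++ - /etc/ssh/ssh_host_ecdsa_key
++ - /etc/ssh/ssh_host_ed25519_key
++__sshd_hostkeys_nofips:
++ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkey_group: ssh_keys
+__sshd_hostkey_mode: "0640"
+diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
+index 33df26a..55239f4 100644
+--- a/vars/RedHat_9.yml
++++ b/vars/RedHat_9.yml
+@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_defaults:
+__sshd_os_supported: yes
++__sshd_verify_hostkeys_default:
++ - /etc/ssh/ssh_host_rsa_key
++ - /etc/ssh/ssh_host_ecdsa_key
++ - /etc/ssh/ssh_host_ed25519_key
++__sshd_hostkeys_nofips:
++ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkey_group: ssh_keys
+__sshd_hostkey_mode: "0640"
+--
+2.34.1
+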
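Review bot: In PATCH 5/7 (tasks/install.yml, hunk @@ -40,10 +40,11), the new `__sshd_fips_mode` expression evaluates to the value of `__sshd_hostkeys_nofips | d([])` itself — an empty list, not a boolean — on any platform that does not define `__sshd_hostkeys_nofips`, so `{% if __sshd_fips_mode %}` in the templates of PATCH 1/7 and in PATCH 7/7 only reads as false because the rendered `[]` is re-interpreted as an empty list afterwards. Making the first operand an explicit boolean removes that dependency: `{{ (__sshd_hostkeys_nofips | d([]) | length > 0) and`. The `d('MAo=')` defaults also mean that a missing or unreadable FIPS indicator is treated as non-FIPS, so if the slurp of the kernel or userspace flag is skipped on a FIPS host, the Ed25519 host key presumably stays in the rendered HostKey list and is not filtered; extending the existing `'MAo='` comment with `# Missing indicators are treated as non-FIPS (fail-open); the slurp tasks must run before this` makes that choice visible to the next reader. The tasks that register `__sshd_kernel_fips_mode` and `__sshd_userspace_fips_mode` are outside this hunk, so whether they can be undefined here is inferred from the defaults rather than seen.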
@ -31,7 +31,7 @@ Name: linux-system-roles
|
|||||||
Url: https://github.com/linux-system-roles
|
Url: https://github.com/linux-system-roles
|
||||||
Summary: Set of interfaces for unified system management
|
Summary: Set of interfaces for unified system management
|
||||||
Version: 1.16.2
|
Version: 1.16.2
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}.2
|
||||||
|
|
||||||
#Group: Development/Libraries
|
#Group: Development/Libraries
|
||||||
License: GPLv3+ and MIT and BSD and Python
|
License: GPLv3+ and MIT and BSD and Python
|
||||||
@ -155,7 +155,7 @@ BuildRequires: %{ansible_build_dep}
|
|||||||
|
|
||||||
#%%defcommit 8 2b9e53233ee3a68bdb532e62f289733e436a6106
|
#%%defcommit 8 2b9e53233ee3a68bdb532e62f289733e436a6106
|
||||||
%global rolename8 tlog
|
%global rolename8 tlog
|
||||||
%deftag 8 1.2.5
|
%deftag 8 1.2.6
|
||||||
|
|
||||||
#%%defcommit 9 9373303b98e09ef38df7afc8d06e5e55812096c7
|
#%%defcommit 9 9373303b98e09ef38df7afc8d06e5e55812096c7
|
||||||
%global rolename9 kernel_settings
|
%global rolename9 kernel_settings
|
||||||
@ -242,6 +242,8 @@ Source998: collection_readme.sh
|
|||||||
|
|
||||||
Patch51: network-disable-bondtests.diff
|
Patch51: network-disable-bondtests.diff
|
||||||
|
|
||||||
|
Patch1501: ansible-sshd.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
%if %{with html}
|
%if %{with html}
|
||||||
@ -334,6 +336,7 @@ cd %{rolename5}
|
|||||||
%patch51 -p1
|
%patch51 -p1
|
||||||
cd ..
|
cd ..
|
||||||
cd %{rolename15}
|
cd %{rolename15}
|
||||||
|
%patch1501 -p1
|
||||||
sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml
|
sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml
|
||||||
sed -r -i -e "s/ willshersystems.sshd/ linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md
|
sed -r -i -e "s/ willshersystems.sshd/ linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md
|
||||||
sed -r -i -e "s/min_ansible_version: 2.8/min_ansible_version: 2.9/" meta/main.yml
|
sed -r -i -e "s/min_ansible_version: 2.8/min_ansible_version: 2.9/" meta/main.yml
|
||||||
@ -710,6 +713,14 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 21 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1.2
|
||||||
|
- sshd - FIPS mode detection in SSHD role is wrong
|
||||||
|
Resolves rhbz#2077475 (EL9)
|
||||||
|
|
||||||
|
* Wed Apr 20 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1.1
|
||||||
|
- Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default
|
||||||
|
Resolves rhbz#2075545 (EL9)
|
||||||
|
|
||||||
* Tue Mar 29 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1
|
* Tue Mar 29 2022 Rich Megginson <rmeggins@redhat.com> - 1.16.2-1
|
||||||
- nbde_client - NBDE client system role does not support servers with static IP addresses
|
- nbde_client - NBDE client system role does not support servers with static IP addresses
|
||||||
previous fix did not handle some cases
|
previous fix did not handle some cases
|
||||||
|