From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 6 Apr 2022 10:42:17 +0200 Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter This fixes up the commit 7f69d1e6 Signed-off-by: Jakub Jelen --- templates/sshd_config.j2 | 6 +++++- templates/sshd_config_snippet.j2 | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 15ee668..8c7f322 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -22,7 +22,11 @@ {% elif sshd[key] is defined %} {% set value = sshd[key] %} {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} -{% set value = __sshd_defaults[key] %} +{% if key == 'HostKey' and __sshd_fips_mode %} +{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} +{% else %} +{% set value = __sshd_defaults[key] %} +{% endif %} {% endif %} {{ render_option(key,value) -}} {% endmacro %} diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2 index 6766e09..6b23c76 100644 --- a/templates/sshd_config_snippet.j2 +++ b/templates/sshd_config_snippet.j2 @@ -21,7 +21,11 @@ {% elif sshd[key] is defined %} {% set value = sshd[key] %} {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} -{% set value = __sshd_defaults[key] %} +{% if key == 'HostKey' and __sshd_fips_mode %} +{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} +{% else %} +{% set value = __sshd_defaults[key] %} +{% endif %} {% endif %} {{ render_option(key,value) -}} {% endmacro %} -- 2.34.1 From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 6 Apr 2022 11:10:27 +0200 Subject: [PATCH 2/7] Set explicit path to the main configuration file to work well with the drop-in directory 
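Review bot: The added `difference(__sshd_hostkeys_nofips)` branch treats `__sshd_defaults[key]` as a list, while tasks/install.yml in patch 5 of this series still anticipates a string-valued `HostKey` (`... is string`); on at least older Ansible releases `difference` on a string operates on its characters, so a single-key default would be rendered as a set of characters rather than one path. Guarding with `{% if key == 'HostKey' and __sshd_fips_mode and __sshd_defaults[key] is not string %}` (or wrapping a string default in a one-element list first) closes that gap, and a template comment such as `{# FIPS: drop the hostkeys listed in __sshd_hostkeys_nofips from the platform defaults #}` would explain the branch to the next reader. Older `difference` implementations also return an unordered set, so the HostKey order written to the file is presumably not guaranteed there. The identical branch is added in the sshd_config_snippet.j2 hunk of this patch; the enclosing macro begins above both hunks.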
Signed-off-by: Jakub Jelen --- tests/tests_alternative_file.yml | 2 ++ tests/tests_alternative_file_role.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml index 0a8ccaf..215c726 100644 --- a/tests/tests_alternative_file.yml +++ b/tests/tests_alternative_file.yml @@ -6,6 +6,7 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config_custom - /etc/ssh/sshd_config_custom_second + - /tmp/ssh_host_ecdsa_key tasks: - name: "Backup configuration files" include_tasks: tasks/backup.yml @@ -52,6 +53,7 @@ include_role: name: ansible-sshd vars: + sshd_config_file: /etc/ssh/sshd_config sshd: Banner: /etc/issue Ciphers: aes192-ctr diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml index 9177709..3e7c7ea 100644 --- a/tests/tests_alternative_file_role.yml +++ b/tests/tests_alternative_file_role.yml @@ -6,6 +6,7 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config_custom - /etc/ssh/sshd_config_custom_second + - /tmp/ssh_host_ecdsa_key tasks: - name: "Backup configuration files" include_tasks: tasks/backup.yml @@ -57,6 +58,7 @@ roles: - ansible-sshd vars: + sshd_config_file: /etc/ssh/sshd_config sshd: Banner: /etc/issue Ciphers: aes192-ctr -- 2.34.1 From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 6 Apr 2022 11:17:12 +0200 Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9 Signed-off-by: Jakub Jelen --- tests/tasks/setup.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml index 90a3f00..a0e9324 100644 --- a/tests/tasks/setup.yml +++ b/tests/tasks/setup.yml 
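Review bot: The literal `/etc/ssh/sshd_config` added as `sshd_config_file:` in both test playbooks is repeated by patch 4 of this series, where the `Print the main configuration file` slurp tasks are switched from `{{ main_sshd_config }}` to the same literal, leaving two unrelated copies of one value in each playbook. A play-level variable, e.g. `__test_main_config: /etc/ssh/sshd_config`, referenced from both the role `vars:` and the slurp `src:` would keep them in step when the path changes. The backup list also gains `/tmp/ssh_host_ecdsa_key`; presumably the `sshd:` block under test names that key (outside the hunk), and a one-line comment saying so would help, since a host key under /tmp is otherwise surprising in a fixture.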
@@ -26,6 +26,5 @@ main_sshd_config_name: 00-ansible_system_role.conf main_sshd_config_path: /etc/ssh/sshd_config.d/ when: > - ansible_facts['distribution'] == 'Fedora' or - (ansible_facts['distribution'] == 'RedHat' and - ansible_facts['distribution_major_version']|int > 8) + ansible_facts['os_family'] == 'RedHat' and + ansible_facts['distribution_major_version']|int > 8 -- 2.34.1 From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 6 Apr 2022 11:20:34 +0200 Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config Signed-off-by: Jakub Jelen --- tests/tests_alternative_file.yml | 2 +- tests/tests_alternative_file_role.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml index 215c726..172c73a 100644 --- a/tests/tests_alternative_file.yml +++ b/tests/tests_alternative_file.yml @@ -82,7 +82,7 @@ - name: Print the main configuration file slurp: - src: "{{ main_sshd_config }}" + src: /etc/ssh/sshd_config register: config3 - name: Check content of first configuration file diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml index 3e7c7ea..09fbce4 100644 --- a/tests/tests_alternative_file_role.yml +++ b/tests/tests_alternative_file_role.yml @@ -98,7 +98,7 @@ - name: Print the main configuration file slurp: - src: "{{ main_sshd_config }}" + src: /etc/ssh/sshd_config register: config3 - name: Check content of first configuration file -- 2.34.1 From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 6 Apr 2022 20:28:32 +0200 Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering Signed-off-by: Jakub Jelen --- tasks/install.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tasks/install.yml b/tasks/install.yml index f1d8455..571281c 100644 --- a/tasks/install.yml +++ b/tasks/install.yml 
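Review bot: The rewritten `when:` in tests/tasks/setup.yml now selects every `os_family == 'RedHat'` member with a major version above 8, which is wider than the old `distribution` test: it presumably covers CentOS Stream 9, Rocky, Alma and Oracle as intended, but would also match Amazon Linux, whose `distribution_major_version` is a year, so the drop-in layout would be assumed there too. Worth checking against the platforms the role itself supports (the vars/ files touched in patch 7 cover only Fedora and RedHat_9) and recording the intent above the condition, e.g. `# Fedora and RHEL-like 9+ use the drop-in directory /etc/ssh/sshd_config.d/`. The same condition is repeated verbatim in tests/tests_hostkeys_fips.yml in patch 6; a fact set once here would avoid drift.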
@@ -40,10 +40,11 @@ - name: Make sure hostkeys are available and have expected permissions vars: &share_vars + # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default __sshd_fips_mode: >- - - __sshd_hostkeys_nofips | d([]) - - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \ - __sshd_userspace_fips_mode.content | b64decode != "0" | bool + {{ __sshd_hostkeys_nofips | d([]) and + (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or + __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }} # This mimics the macro body_option() in sshd_config.j2 # The explicit to_json filter is needed for Python 2 compatibility __sshd_hostkeys_from_config: >- @@ -58,14 +59,14 @@ {{ __sshd_defaults['HostKey'] | to_json }} {% endif %} {% else %} - [] + {{ [] | to_json }} {% endif %} __sshd_verify_hostkeys: >- {% if not sshd_verify_hostkeys %} - [] + {{ [] | to_json }} {% elif sshd_verify_hostkeys == 'auto' %} - {% if sshd_HostKey is string %} - [ {{ __sshd_hostkeys_from_config }} ] + {% if __sshd_hostkeys_from_config | from_json is string %} + {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }} {% else %} {{ __sshd_hostkeys_from_config }} {% endif %} -- 2.34.1 From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 11 Apr 2022 13:06:24 +0200 Subject: [PATCH 6/7] tests: Add negative test for FIPS mode This fixes also a typo that was overlooked previously Signed-off-by: Jakub Jelen --- tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 7 deletions(-) diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml index 65cc765..7cf3767 100644 --- a/tests/tests_hostkeys_fips.yml +++ b/tests/tests_hostkeys_fips.yml 
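Review bot: `__sshd_fips_mode` is built as `__sshd_hostkeys_nofips | d([]) and (...)`, so when the list is empty the rendered value is `[]` rather than a boolean, and the variable named as a mode flag only works because Ansible converts that string back to a falsy list; `{{ (__sshd_hostkeys_nofips | d([]) | length > 0) and (...) }}` makes it a boolean in every case. The same expression also encodes an undocumented policy: on a host whose kernel or userspace flag is set but whose platform vars define no `__sshd_hostkeys_nofips`, FIPS mode is reported off — a comment such as `# FIPS handling is only enabled on platforms whose vars file lists the hostkeys to drop` above the key would make that deliberate rather than accidental. The `'MAo='` default comment is helpful; consider stating that it covers the case where the slurp task was skipped, which is what I infer the `d()` is for. The second hunk's `from_json is string` rewrite looks correct; both `>-` scalars continue outside the hunk.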
@@ -4,13 +4,52 @@ __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - - /etc/ssh/ssh_host_ed255519_key - - /etc/ssh/ssh_host_ed255519_key.pub + - /etc/ssh/ssh_host_ed25519_key + - /etc/ssh/ssh_host_ed25519_key.pub - /etc/system-fips tasks: - name: "Backup configuration files" include_tasks: tasks/backup.yml + - name: Run the role with default parameters without FIPS mode + include_role: + name: ansible-sshd + + - name: Verify the options are correctly set + block: + - meta: flush_handlers + + - name: Print current configuration file + slurp: + src: "{{ main_sshd_config }}" + register: config + + - name: Get stat of private key + stat: + path: /etc/ssh/ssh_host_ed25519_key + register: privkey + + - name: Get stat of public key + stat: + path: /etc/ssh/ssh_host_ed25519_key.pub + register: pubkey + + - name: Check the key is in configuration file (without include) + assert: + that: + - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode" + when: + - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9 + + - name: Check host key was generated + assert: + that: + - privkey.stat.exists + - pubkey.stat.exists + when: + - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6 + tags: tests::verify + - name: Fake FIPS mode block: - name: Create temporary directory @@ -40,13 +79,13 @@ - name: Remove the Ed25519 hostkey file: path: - /etc/ssh/ssh_host_ed255519_key + /etc/ssh/ssh_host_ed25519_key state: absent - name: Remove the Ed25519 pubkey file: path: - /etc/ssh/ssh_host_ed255519_key.pub + /etc/ssh/ssh_host_ed25519_key.pub state: absent - name: Run the role with default parameters 
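Review bot: The new "without FIPS mode" run asserts that the Ed25519 key is both configured and generated, but nothing establishes that the test host is not genuinely in FIPS mode; the later block fakes it, and on a host where the flag is already on (the role presumably reads it via the `__sshd_kernel_fips_mode` slurp from patch 5) both asserts would fail for reasons unrelated to the role. Registering the real state up front and adding `when: not real_fips_enabled` to the two assert tasks would make the negative test self-contained. The two `when:` lines also repeat the RedHat/major-version condition from tests/tasks/setup.yml, so a fact set there would avoid drift, and the `< 9` gate means the "key is in configuration file" check never runs on non-RedHat families — say so in the task name or a comment if that is intended. The second hunk on this line and the one on the next only correct the ed255519 typo.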
@@ -64,18 +103,18 @@ - name: Get stat of private key stat: - path: /etc/ssh/ssh_host_ed255519_key + path: /etc/ssh/ssh_host_ed25519_key register: privkey - name: Get stat of public key stat: - path: /etc/ssh/ssh_host_ed255519_key.pub + path: /etc/ssh/ssh_host_ed25519_key.pub register: pubkey - name: Check the key is not in configuration file assert: that: - - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode" + - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode" - name: Check no host key was generated assert: -- 2.34.1 From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 11 Apr 2022 13:07:44 +0200 Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in directory Previously no hostkeys were checked if they were not present in the generated configuration file. When the drop-in directory is used, usually, there are no hostkeys in that file and no sanity check for hostkeys was executed. This amends the "auto" value for the hostkeys check to allow checking for default hostkeys that are read by OpenSSH by default. Signed-off-by: Jakub Jelen --- defaults/main.yml | 1 + tasks/install.yml | 8 +++++++- vars/Fedora.yml | 6 ++++++ vars/RedHat_9.yml | 6 ++++++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 18d6114..7e40e51 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server # configuration or restarting), we make sure the keys exist and have correct # permissions. To disable this check, set sshd_verify_hostkeys to false sshd_verify_hostkeys: "auto" +__sshd_verify_hostkeys_default: [] sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}" sshd_hostkey_group: "{{ __sshd_hostkey_group }}" sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}" diff --git a/tasks/install.yml b/tasks/install.yml index 571281c..fa7d3c3 100644 --- a/tasks/install.yml 
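Review bot: `__sshd_verify_hostkeys_default: []` lands in defaults/main.yml directly under the paragraph that documents `sshd_verify_hostkeys`, with no comment of its own, so a reader cannot tell it is the fallback list consulted when `sshd_verify_hostkeys` is `auto` and the rendered configuration names no HostKey, nor that the per-platform vars (Fedora and RedHat_9 in this patch) are expected to override it. Suggest `# Hostkeys verified when sshd_verify_hostkeys is "auto" and the generated config lists none; overridden per platform from vars/ (private)`. The double-underscore name marks it private, yet a role default is overridable from inventory; if that is unintended, placing it alongside the other `__sshd_*` values in vars/ would match the rest of the role, though I cannot see from here how the per-OS vars files are loaded. The tests hunk earlier on this line is a typo fix only.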
+++ b/tasks/install.yml @@ -65,7 +65,13 @@ {% if not sshd_verify_hostkeys %} {{ [] | to_json }} {% elif sshd_verify_hostkeys == 'auto' %} - {% if __sshd_hostkeys_from_config | from_json is string %} + {% if not __sshd_hostkeys_from_config | from_json %} + {% if __sshd_fips_mode %} + {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }} + {% else %} + {{ __sshd_verify_hostkeys_default | to_json }} + {% endif %} + {% elif __sshd_hostkeys_from_config | from_json is string %} {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }} {% else %} {{ __sshd_hostkeys_from_config }} diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 77bf172..cf2b081 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf __sshd_defaults: __sshd_os_supported: yes +__sshd_verify_hostkeys_default: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key +__sshd_hostkeys_nofips: + - /etc/ssh/ssh_host_ed25519_key __sshd_hostkey_group: ssh_keys __sshd_hostkey_mode: "0640" diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml index 33df26a..55239f4 100644 --- a/vars/RedHat_9.yml +++ b/vars/RedHat_9.yml @@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf __sshd_defaults: __sshd_os_supported: yes +__sshd_verify_hostkeys_default: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key +__sshd_hostkeys_nofips: + - /etc/ssh/ssh_host_ed25519_key __sshd_hostkey_group: ssh_keys __sshd_hostkey_mode: "0640" -- 2.34.1
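Review bot: In the new `auto` fallback, `difference(__sshd_hostkeys_nofips)` is used without the `| d([])` guard that `__sshd_fips_mode` applies to the same variable a few lines above (outside this hunk); it is safe today only because `__sshd_fips_mode` cannot be true unless `__sshd_hostkeys_nofips` is non-empty, an invariant nothing records. Suggest `{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips | d([])) | to_json }}` plus a template comment above the `not ... | from_json` test, e.g. `{# no HostKey in the rendered config (typical with the drop-in directory): verify the platform default list instead #}`. The Fedora and RedHat_9 vars hunks add identical five-line lists; if further RHEL-like platforms follow, a shared vars file included by both would avoid the copies. The `>-` scalar this hunk edits begins and ends outside the hunk.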