Merge branch 'master' into systemd

.travis.yml

@@ -15,11 +15,17 @@ install:
   - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
 
 script:
-  # Check the roles syntax
-  - "ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
+  # Check the ansible version.
+  - >
+    ansible --version
+    | grep -q '^ansible 2'
+    && (echo 'Ansible 2.0+ test: pass' && exit 0)
+    || (echo 'Ansible 2.0+ test: fail' && exit 1)
+  # Check the roles syntax.
+  - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
 
   # Run the role
-  - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo"
+  - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v"
 
   # Run the role/playbook again, checking to make sure it's idempotent.
   - >

defaults/main.yml

@@ -17,6 +17,9 @@ sshd_service_template_socket: sshd.socket.j2
 # If the below is false, don't reload the ssh daemon on change
 sshd_allow_reload: true
 
+# If the below is true, create a backup of the config file when the template is copied
+sshd_backup: false
+
 # Empty dicts to avoid errors
 sshd: {}
 

meta/30_bottom.j2

@@ -5,29 +5,29 @@
 {{ match_block(sshd_match) -}}
 {% endif %}
 {% if sshd_match_1 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_1) -}}
 {% endif %}
 {% if sshd_match_2 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_2) -}}
 {% endif %}
 {% if sshd_match_3 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_3) -}}
 {% endif %}
 {% if sshd_match_4 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_4) -}}
 {% endif %}
 {% if sshd_match_5 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_5) -}}
 {% endif %}
 {% if sshd_match_6 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_6) -}}
 {% endif %}
 {% if sshd_match_7 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_7) -}}
 {% endif %}
 {% if sshd_match_8 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_8) -}}
 {% endif %}
 {% if sshd_match_9 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_9) -}}
 {% endif %}

meta/options_body

@@ -6,12 +6,15 @@ HostKey
 AcceptEnv
 AllowAgentForwarding
 AllowGroups
+AllowStreamLocalForwarding
 AllowTcpForwarding
 AllowUsers
 AuthenticationMethods
 AuthorizedKeysCommand
 AuthorizedKeysCommandUser
 AuthorizedKeysFile
+AuthorizedPrincipalsCommand
+AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
 ChallengeResponseAuthentication
@@ -23,7 +26,11 @@ Compression
 DebianBanner
 DenyGroups
 DenyUsers
+DisableForwarding
+ExposeAuthInfo
+FingerprintHash
 ForceCommand
+GatewayPorts
 GSSAPIAuthentication
 GSSAPICleanupCredentials
 GSSAPIKeyExchange
@@ -34,6 +41,8 @@ HPNBufferSize
 HPNDisabled
 HostCertificate
 HostKeyAgent
+HostKeyAlgorithms
+HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
 IPQoS
@@ -60,15 +69,19 @@ PermitRootLogin
 PermitTTY
 PermitTunnel
 PermitUserEnvironment
+PermitUserRC
 PidFile
 PrintLastLog
 PrintMotd
+PubkeyAcceptedKeyTypes
 PubkeyAuthentication
 RSAAuthentication
 RekeyLimit
 RevokedKeys
+RDomain
 RhostsRSAAuthentication
 ServerKeyBits
+StreamLocalBindMask
 StreamLocalBindUnlink
 StrictModes
 Subsystem

meta/options_match

@@ -1,33 +1,51 @@
+AcceptEnv
 AllowAgentForwarding
 AllowGroups
+AllowStreamLocalForwarding
 AllowTcpForwarding
 AllowUsers
 AuthenticationMethods
 AuthorizedKeysCommand
 AuthorizedKeysCommandUser
 AuthorizedKeysFile
+AuthorizedPrincipalsCommand
+AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
 ChrootDirectory
+ClientAliveCountMax
+ClientAliveInterval
 DenyGroups
 DenyUsers
 ForceCommand
 GatewayPorts
 GSSAPIAuthentication
+HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
+IPQoS
 KbdInteractiveAuthentication
 KerberosAuthentication
+LogLevel
 MaxAuthTries
 MaxSessions
 PasswordAuthentication
 PermitEmptyPasswords
 PermitOpen
 PermitRootLogin
+PermitTTY
 PermitTunnel
+PermitUserRC
+PubkeyAcceptedKeyTypes
 PubkeyAuthentication
+RDomain
+RekeyLimit
+RevokedKeys
 RhostsRSAAuthentication
 RSAAuthentication
+StreamLocalBindMask
+StreamLocalBindUnlink
+TrustedUserCAKeys
 X11DisplayOffset
 X11Forwarding
 X11UseLocalHost

templates/sshd_config.j2

@@ -33,36 +33,54 @@
 {%   if match_list is iterable %}
 {%     for match in match_list %}
 Match {{ match["Condition"] }}
+{{       render_option("AcceptEnv",match["AcceptEnv"],true) -}}
 {{       render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
 {{       render_option("AllowGroups",match["AllowGroups"],true) -}}
+{{       render_option("AllowStreamLocalForwarding",match["AllowStreamLocalForwarding"],true) -}}
 {{       render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
 {{       render_option("AllowUsers",match["AllowUsers"],true) -}}
 {{       render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
 {{       render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
 {{       render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
 {{       render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
+{{       render_option("AuthorizedPrincipalsCommand",match["AuthorizedPrincipalsCommand"],true) -}}
+{{       render_option("AuthorizedPrincipalsCommandUser",match["AuthorizedPrincipalsCommandUser"],true) -}}
 {{       render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
 {{       render_option("Banner",match["Banner"],true) -}}
 {{       render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
+{{       render_option("ClientAliveCountMax",match["ClientAliveCountMax"],true) -}}
+{{       render_option("ClientAliveInterval",match["ClientAliveInterval"],true) -}}
 {{       render_option("DenyGroups",match["DenyGroups"],true) -}}
 {{       render_option("DenyUsers",match["DenyUsers"],true) -}}
 {{       render_option("ForceCommand",match["ForceCommand"],true) -}}
 {{       render_option("GatewayPorts",match["GatewayPorts"],true) -}}
 {{       render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
+{{       render_option("HostbasedAcceptedKeyTypes",match["HostbasedAcceptedKeyTypes"],true) -}}
 {{       render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
 {{       render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
+{{       render_option("IPQoS",match["IPQoS"],true) -}}
 {{       render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
 {{       render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
+{{       render_option("LogLevel",match["LogLevel"],true) -}}
 {{       render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
 {{       render_option("MaxSessions",match["MaxSessions"],true) -}}
 {{       render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
 {{       render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
 {{       render_option("PermitOpen",match["PermitOpen"],true) -}}
 {{       render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
+{{       render_option("PermitTTY",match["PermitTTY"],true) -}}
 {{       render_option("PermitTunnel",match["PermitTunnel"],true) -}}
+{{       render_option("PermitUserRC",match["PermitUserRC"],true) -}}
+{{       render_option("PubkeyAcceptedKeyTypes",match["PubkeyAcceptedKeyTypes"],true) -}}
 {{       render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
+{{       render_option("RDomain",match["RDomain"],true) -}}
+{{       render_option("RekeyLimit",match["RekeyLimit"],true) -}}
+{{       render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{       render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
 {{       render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
+{{       render_option("StreamLocalBindMask",match["StreamLocalBindMask"],true) -}}
+{{       render_option("StreamLocalBindUnlink",match["StreamLocalBindUnlink"],true) -}}
+{{       render_option("TrustedUserCAKeys",match["TrustedUserCAKeys"],true) -}}
 {{       render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
 {{       render_option("X11Forwarding",match["X11Forwarding"],true) -}}
 {{       render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
@@ -77,12 +95,15 @@ Match {{ match["Condition"] }}
 {{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
 {{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
 {{ body_option("AllowGroups",sshd_AllowGroups) -}}
+{{ body_option("AllowStreamLocalForwarding",sshd_AllowStreamLocalForwarding) -}}
 {{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
 {{ body_option("AllowUsers",sshd_AllowUsers) -}}
 {{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
 {{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
 {{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
 {{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
+{{ body_option("AuthorizedPrincipalsCommand",sshd_AuthorizedPrincipalsCommand) -}}
+{{ body_option("AuthorizedPrincipalsCommandUser",sshd_AuthorizedPrincipalsCommandUser) -}}
 {{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
 {{ body_option("Banner",sshd_Banner) -}}
 {{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
@@ -94,7 +115,11 @@ Match {{ match["Condition"] }}
 {{ body_option("DebianBanner",sshd_DebianBanner) -}}
 {{ body_option("DenyGroups",sshd_DenyGroups) -}}
 {{ body_option("DenyUsers",sshd_DenyUsers) -}}
+{{ body_option("DisableForwarding",sshd_DisableForwarding) -}}
+{{ body_option("ExposeAuthInfo",sshd_ExposeAuthInfo) -}}
+{{ body_option("FingerprintHash",sshd_FingerprintHash) -}}
 {{ body_option("ForceCommand",sshd_ForceCommand) -}}
+{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
 {{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
 {{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
 {{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
@@ -105,6 +130,8 @@ Match {{ match["Condition"] }}
 {{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
 {{ body_option("HostCertificate",sshd_HostCertificate) -}}
 {{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
+{{ body_option("HostKeyAlgorithms",sshd_HostKeyAlgorithms) -}}
+{{ body_option("HostbasedAcceptedKeyTypes",sshd_HostbasedAcceptedKeyTypes) -}}
 {{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
 {{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
 {{ body_option("IPQoS",sshd_IPQoS) -}}
@@ -131,15 +158,19 @@ Match {{ match["Condition"] }}
 {{ body_option("PermitTTY",sshd_PermitTTY) -}}
 {{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
 {{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
+{{ body_option("PermitUserRC",sshd_PermitUserRC) -}}
 {{ body_option("PidFile",sshd_PidFile) -}}
 {{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
 {{ body_option("PrintMotd",sshd_PrintMotd) -}}
+{{ body_option("PubkeyAcceptedKeyTypes",sshd_PubkeyAcceptedKeyTypes) -}}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
+{{ body_option("RDomain",sshd_RDomain) -}}
 {{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
 {{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
+{{ body_option("StreamLocalBindMask",sshd_StreamLocalBindMask) -}}
 {{ body_option("StreamLocalBindUnlink",sshd_StreamLocalBindUnlink) -}}
 {{ body_option("StrictModes",sshd_StrictModes) -}}
 {{ body_option("Subsystem",sshd_Subsystem) -}}

vars/Ubuntu_18.yml

@@ -0,0 +1,40 @@
+---
+sshd_service: ssh
+sshd_packages:
+  - openssh-server
+  - openssh-sftp-server
+sshd_config_mode: "0644"
+sshd_defaults:
+  Port: 22
+  Protocol: 2
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  UsePrivilegeSeparation: yes
+  KeyRegenerationInterval: 3600
+  ServerKeyBits: 1024
+  SyslogFacility: AUTH
+  LogLevel: INFO
+  LoginGraceTime: 120
+  PermitRootLogin: prohibit-password
+  StrictModes: yes
+  RSAAuthentication: yes
+  PubkeyAuthentication: yes
+  AuthorizedKeysFile: "%h/.ssh/authorized_keys"
+  IgnoreRhosts: yes
+  RhostsRSAAuthentication: no
+  HostbasedAuthentication: no
+  PermitEmptyPasswords: no
+  ChallengeResponseAuthentication: no
+  X11Forwarding: yes
+  X11DisplayOffset: 10
+  PrintMotd: no
+  PrintLastLog: yes
+  TCPKeepAlive: yes
+  AcceptEnv: LANG LC_*
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+  UsePAM: yes
+  UseDNS: no
+sshd_os_supported: yes