From fc8fa90735c280e085dd401b234f71fb0ff90f52 Mon Sep 17 00:00:00 2001
From: Corbin Bartsch
Date: Sun, 29 Oct 2023 12:54:47 -0400
Subject: [PATCH] Update variable names to match role name
---
defaults/main.yaml | 68 ++++++++++++++++-----------------
tasks/main.yaml | 2 +-
tasks/template_config.yaml | 6 +--
templates/sshd_config.j2 | 78 +++++++++++++++++++-------------------
4 files changed, 77 insertions(+), 77 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 2334c61..6790a5a 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,33 +1,33 @@
---
-sshd_config_path: /etc/ssh
+openssh_sshd_config_path: /etc/ssh
-ssh_port: 22
-ssh_address_family: any
-ssh_listen_addresses:
+openssh_port: 22
+openssh_address_family: any
+openssh_listen_addresses:
- 0.0.0.0
-ssh_allow_groups: ssh
-ssh_login_grace_time: 20
-ssh_permit_root_login: 'no'
-ssh_strict_modes: 'yes'
-ssh_max_auth_tries: 3
-ssh_max_sessions: 2
+openssh_allow_groups: ssh
+openssh_login_grace_time: 20
+openssh_permit_root_login: 'no'
+openssh_strict_modes: 'yes'
+openssh_max_auth_tries: 3
+openssh_max_sessions: 2
-ssh_pubkey_authentication: 'yes'
+openssh_pubkey_authentication: 'yes'
-ssh_authorized_keys_file: .ssh/authorized_keys
+openssh_authorized_keys_file: .ssh/authorized_keys
-ssh_kexalgorithms:
- # Mozilla Modern
+openssh_kexalgorithms:
+ # Compliant with Mozilla Modern
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
-ssh_ciphers:
- # Mozilla Modern
+openssh_ciphers:
+ # Compliant with Mozilla Modern
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
@@ -35,8 +35,8 @@ ssh_ciphers:
- aes192-ctr
- aes128-ctr
-ssh_macs:
- # Mozilla Modern
+openssh_macs:
+ # Compliant with Mozilla Modern
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
@@ -44,27 +44,27 @@ ssh_macs:
- hmac-sha2-256
- umac-128@openssh.com
-ssh_hostbased_authentication: 'no'
-ssh_password_authentication: 'no'
-ssh_permit_empty_passwords: 'no'
-ssh_challenge_response_authentication: 'no'
-ssh_kerberos_authentication: 'no'
-ssh_gssapi_authentication: 'no'
-ssh_use_pam: 'yes'
+openssh_hostbased_authentication: 'no'
+openssh_password_authentication: 'no'
+openssh_permit_empty_passwords: 'no'
+openssh_challenge_response_authentication: 'no'
+openssh_kerberos_authentication: 'no'
+openssh_gssapi_authentication: 'no'
+openssh_use_pam: 'yes'
-ssh_allow_agent_forwarding: 'no'
-ssh_permit_tunnel: 'no'
+openssh_allow_agent_forwarding: 'no'
+openssh_permit_tunnel: 'no'
-ssh_x11_forwarding: 'no'
+openssh_x11_forwarding: 'no'
-ssh_print_motd: 'no'
+openssh_print_motd: 'no'
-ssh_permit_user_env: false
-ssh_accept_env:
+openssh_permit_user_env: false
+openssh_accept_env:
- LANG
- 'LC_*'
-ssh_banner: true
-ssh_banner_file: /etc/issue.net
+openssh_banner: true
+openssh_banner_file: /etc/issue.net
-ssh_loglevel: "VERBOSE"
+openssh_loglevel: "VERBOSE"
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 5b37698..45aaca1 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -6,4 +6,4 @@
state: present
- name: Create sshd_config file
- include_tasks: template_config.yaml
+ ansible.builtin.include_tasks: template_config.yaml
diff --git a/tasks/template_config.yaml b/tasks/template_config.yaml
index 4921b92..0f4d404 100644
--- a/tasks/template_config.yaml
+++ b/tasks/template_config.yaml
@@ -2,14 +2,14 @@
- name: Ensure destination for sshd_config exists
ansible.builtin.file:
- path: "{{ sshd_config_path }}"
+ path: "{{ openssh_sshd_config_path }}"
mode: '0644'
state: directory
- name: Write sshd_config file
ansible.builtin.template:
src: sshd_config.j2
- dest: "{{ sshd_config_path }}/sshd_config"
+ dest: "{{ openssh_sshd_config_path }}/sshd_config"
mode: '0644'
become: true
notify: Restart sshd
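Review bot: `mode: '0644'` together with `state: directory` in the "Ensure destination for sshd_config exists" task of tasks/template_config.yaml strips the execute bit from `{{ openssh_sshd_config_path }}`, so with the default `/etc/ssh` every run turns a normally 0755 directory into one that unprivileged users cannot traverse, and client-side files such as ssh_config and ssh_known_hosts become unreachable for them. Change that line to `mode: '0755'`. The same task is also the only one in the file without `become: true`, so for a non-root connection user it fails whenever the directory does not already exist; if relying on the directory pre-existing is intended, say so in a comment, otherwise add `become: true` as the template task below it does.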
@@ -17,6 +17,6 @@
- name: Write banner file
ansible.builtin.template:
src: issue.net.j2
- dest: "{{ ssh_banner_file }}"
+ dest: "{{ openssh_banner_file }}"
mode: '0644'
when: ssh_banner
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index b54b391..e2e0116 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
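Review bot: `when: ssh_banner` in the "Write banner file" task still uses the pre-rename variable while its `dest` now reads `openssh_banner_file`; since defaults/main.yaml now defines `openssh_banner` rather than `ssh_banner`, the conditional references an undefined variable and the task errors out unless a caller still sets the old name. Change it to `when: openssh_banner`. The same find-and-replace also rewrote the fallback HostKey lines in templates/sshd_config.j2 to `/etc/ssh/openssh_host_ecdsa_key`, `/etc/ssh/openssh_host_ed25519_key` and `/etc/ssh/openssh_host_rsa_key`; OpenSSH generates its host keys as `ssh_host_*_key`, so those three paths should be restored to the removed lines, or sshd is left without a loadable host key whenever `openssh_hostkey_file` is unset. That template hunk runs past the end of what is shown here.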
@@ -1,72 +1,72 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} -Port {{ ssh_port }} -AddressFamily {{ ssh_address_family }} -{% for a in ssh_listen_addresses %} +Port {{ openssh_port }} +AddressFamily {{ openssh_address_family }} +{% for a in openssh_listen_addresses %} ListenAddress {{ a }} {% endfor %} -{% if ssh_hostkey_file is defined %} -HostKey {{ ssh_hostkey_file }} +{% if openssh_hostkey_file is defined %} +HostKey {{ openssh_hostkey_file }} {% else %} -HostKey /etc/ssh/ssh_host_ed25519_key -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/openssh_host_ecdsa_key +HostKey /etc/ssh/openssh_host_ed25519_key +HostKey /etc/ssh/openssh_host_rsa_key {% endif %} -{% if ssh_kexalgorithms is defined %} -KexAlgorithms {% for alg in ssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %} +{% if openssh_kexalgorithms is defined %} +KexAlgorithms {% for alg in openssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %} {% endif %} -{% if ssh_ciphers is defined %} -Ciphers {% for alg in ssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %} +{% if openssh_ciphers is defined %} +Ciphers {% for alg in openssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %} {% endif %} -{% if ssh_macs is defined %} -MACs {% for alg in ssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %} +{% if openssh_macs is defined %} +MACs {% for alg in openssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %} {% endif %} -AllowGroups {{ ssh_allow_groups }} -LoginGraceTime {{ ssh_login_grace_time }} -PermitRootLogin {{ ssh_permit_root_login }} -StrictModes {{ ssh_strict_modes }} -MaxAuthTries {{ ssh_max_auth_tries }} -MaxSessions {{ ssh_max_sessions }} +AllowGroups {{ openssh_allow_groups }} +LoginGraceTime {{ openssh_login_grace_time }} +PermitRootLogin {{ openssh_permit_root_login }} +StrictModes {{ openssh_strict_modes }} +MaxAuthTries {{ openssh_max_auth_tries }} +MaxSessions {{ 
openssh_max_sessions }} -PubkeyAuthentication {{ ssh_pubkey_authentication }} -AuthorizedKeysFile {{ ssh_authorized_keys_file }} +PubkeyAuthentication {{ openssh_pubkey_authentication }} +AuthorizedKeysFile {{ openssh_authorized_keys_file }} -HostbasedAuthentication {{ ssh_hostbased_authentication }} +HostbasedAuthentication {{ openssh_hostbased_authentication }} -PasswordAuthentication {{ ssh_password_authentication }} -PermitEmptyPasswords {{ ssh_permit_empty_passwords }} -ChallengeResponseAuthentication {{ ssh_challenge_response_authentication }} -KerberosAuthentication {{ ssh_kerberos_authentication }} -GSSAPIAuthentication {{ ssh_gssapi_authentication }} -UsePAM {{ ssh_use_pam }} +PasswordAuthentication {{ openssh_password_authentication }} +PermitEmptyPasswords {{ openssh_permit_empty_passwords }} +ChallengeResponseAuthentication {{ openssh_challenge_response_authentication }} +KerberosAuthentication {{ openssh_kerberos_authentication }} +GSSAPIAuthentication {{ openssh_gssapi_authentication }} +UsePAM {{ openssh_use_pam }} -AllowAgentForwarding {{ ssh_allow_agent_forwarding }} -PermitTunnel {{ ssh_permit_tunnel }} +AllowAgentForwarding {{ openssh_allow_agent_forwarding }} +PermitTunnel {{ openssh_permit_tunnel }} -X11Forwarding {{ ssh_x11_forwarding }} -PrintMotd {{ ssh_print_motd }} +X11Forwarding {{ openssh_x11_forwarding }} +PrintMotd {{ openssh_print_motd }} -{% if ssh_banner == true %} -Banner {{ ssh_banner_file }} +{% if openssh_banner == true %} +Banner {{ openssh_banner_file }} {% endif %} -{% if ssh_permit_user_env == true %} +{% if openssh_permit_user_env == true %} PermitUserEnvironment yes -{% for e in ssh_accept_env %} +{% for e in openssh_accept_env %} AcceptEnv {{ e }} {% endfor %} {% else %} PermitUserEnvironment no {% endif %} -LogLevel {{ ssh_loglevel }} +LogLevel {{ openssh_loglevel }} {% if ansible_facts['os_family'] == 'RedHat' %} Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO