Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.
Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.
It enables both authentication and credential delegation.
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
* make wrong password fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add name to fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add restart handler variable for mysql role
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add prettierignore file to ignore CHANGELOG
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add ansible to requirements
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* trigger run
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update noqa for ansible-lint 5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This fixes a problem with Ansible 2.9 where the default openssh_keypair
is not supporting every option we need
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* regenerate RSA key with size 4096 bits
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed lint problem
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed E301 lint error
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* added host keys related vars
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* used openssh_keypair module
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* changed RSA private key mode to 0640
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* specified condition to prevent wrong file mode on debian-based OS
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* Enabled SYN cookie sysctl.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed SYN cookies from here since it's a default now.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* make auditd 'max_log_file' configurable
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
* fix documentation for os_auditd_max_log_file
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
* change inclusion of os specific defaults
we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (e.g. are defined by default or by user)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* simplify check for os specific variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add test for variable override
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move tests to verify stage
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct grep
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix typo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Revert "Merge pull request #351 from sprat/fix-umask"
This reverts commit 9e8e0bc8fb, reversing
changes made to 98c7553016.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move immutable ssh vars to internal vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move vars to OS files
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* change default handling for all roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix issues
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Prettified the generated ssh_config. No functional changes, removed spaces and orphan comments.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed blank lines and prettified ssh_config.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added note about setting sshd_authenticationmethods if ssh_server_password_login.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Backticked true.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
Due to the new kitchen-ansible version it is now
possible to install ansible on all major OS's via an
ansible omnibus script which is provided by
kitchen ansible. There's no more need to separate
the debian tests.
Also removed whitespace.
This change adds the following:
- it checks whether selinux is in "Enforcing" mode
- when selinux is enforcing, it copies a new selinux-policy to the host
- this policy allows sshd to read the shadow-file directly, which is forbidden by selinux otherwise
- the policy is then compiled, a package is created and the policy is installed
- when selinux is enforcing, pam is used and the policy is not disabled, it gets removed,
because it's considered a security risk. See here: http://danwalsh.livejournal.com/12333.html
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.