* add VM tests for ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove VM tests from ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* run ssh_hardening test as unprivileged user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add link for documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move become into role
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* indentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* try args apply
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix filter error in ansible.builtin.file mode parameter
* Change cinc supermarket
* fix link to baseline
* fix typo
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
when our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* ssh: Client HostKeyAlgorithms configuration variable
Introduce a new variable ssh_client_host_key_algorithms to be able to configure
it for the client like for the server.
This fixes#441
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
* sshd: Adapt the ssh_host_key_algorithms description
Linking to the latest version may lead to a broken config so be a bit more
dynamic
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
Ansible does not work with FQCN and collections sepcified for including
roles. It is currently expecting to only get the role name in this
context.
Verified with Ansible 2.10.5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.
Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.
It enables both authentication and credential delegation.
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
tihis fixes a problem with Ansible 2.9 where the default openssh_keypair
is not supporting every option we need
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* regenerate RSA key with size 4096 bits
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed lint problem
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed E301 lint error
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* added host keys related vars
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* used openssh_keypair module
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* changed RSA private key mode to 0640
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* specified condition to prevent wrong file mode on debian-based OS
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* change inclusion of os specific defaults
we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (eg. are defined by default oder by user)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* simplify check for os specific variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add test for variable override
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move tests to verify stage
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct grep
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix typo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Revert "Merge pull request #351 from sprat/fix-umask"
This reverts commit 9e8e0bc8fb, reversing
changes made to 98c7553016.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move immutable ssh vars to internal vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move vars to OS files
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* change default handling for all roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix issues
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Prettified the generated ssh_config. No functional changes, removed spaces and orphan comments.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed blank lines and prettified ssh_config.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added note about setting sshd_authenticationmethods if ssh_server_password_login.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Backticked true.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
