From edebe86188fde56f7cd39d843fd32bab4bfc2cd9 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 10 Feb 2025 09:57:20 +0000 Subject: [PATCH 1/5] Support sshd password authentication on Rocky 8 Rocky 8 doesn't have an sshd_config.d directory, so we need to adjust the main configuration file.
--- ansible/roles/sshd/tasks/configure.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml
index 8aafb5c19..20ea18b58 100644
--- a/ansible/roles/sshd/tasks/configure.yml
+++ b/ansible/roles/sshd/tasks/configure.yml
@@ -1,3 +1,6 @@ +- name: Grab facts to determine distribution + setup: + - name: Template sshd configuration # NB: If parameters are defined multiple times the first value wins; # The default /etc/ssh/sshd_config has
@@ -13,3 +16,17 @@ validate: sshd -t -f %s notify: - Restart sshd + when: ansible_facts.distribution_major_version == '9' + +- name: Disallow SSH password authentication + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^PasswordAuthentication" + line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}" + state: present + validate: sshd -t -f %s + notify: + - Restart sshd + become: true + when: ansible_facts.distribution_major_version == '8' + From e110157d8a949c6962a8ed2d992474eb7503565c Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 10 Feb 2025 11:47:00 +0000 Subject: [PATCH 2/5] Trailing whitespace
--- ansible/roles/sshd/tasks/configure.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml
index 20ea18b58..fbc1c23d5 100644
--- a/ansible/roles/sshd/tasks/configure.yml
+++ b/ansible/roles/sshd/tasks/configure.yml
@@ -29,4 +29,3 @@ - Restart sshd become: true when: ansible_facts.distribution_major_version == '8' - From ac4278abcc0ec1fab40c567efa48ccacb201bb09 Mon Sep 17 00:00:00 2001
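Review bot: The bare `setup:` task added at the top of the first hunk re-gathers the full default fact set on every run just to read `ansible_facts.distribution_major_version`; patch 3 in this series removes it again and patch 5 (L3, first hunk) adds the identical task back, so the point applies there as well. If the play does not already gather facts, restrict the collection to what the `when:` conditions need, e.g. `setup:` with `  gather_subset: [min]`, which should still provide the distribution facts; if it does, guard the task with `when: ansible_facts.distribution_major_version is not defined` so facts are not collected twice. The later `when:` conditions key only on the major version string, not on `ansible_facts.distribution`, which is presumably fine for a Rocky-only role but worth a comment. The Template sshd configuration task continues outside the hunk.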
From: Will Szumski Date: Tue, 11 Feb 2025 12:17:21 +0000 Subject: [PATCH 3/5] Use Include @sjpb had a preference for using the same drop in pattern as Rocky 9 so that people can customize the template file
--- ansible/roles/sshd/tasks/configure.yml | 35 +++++++++++++++----------- 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml
index fbc1c23d5..8bc422b13 100644
--- a/ansible/roles/sshd/tasks/configure.yml
+++ b/ansible/roles/sshd/tasks/configure.yml
@@ -1,5 +1,23 @@ -- name: Grab facts to determine distribution - setup: +- name: Ensure drop in directory exists + file: + path: /etc/ssh/sshd_config.d/*.conf + state: directory + owner: root + group: root + mode: 700 + become: true + +- name: Ensure drop in directory is included + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^Include /etc/ssh/sshd_config.d/*.conf" + line: "Include /etc/ssh/sshd_config.d/*.conf" + state: present + insertafter: EOF + validate: sshd -t -f %s + notify: + - Restart sshd + become: true - name: Template sshd configuration # NB: If parameters are defined multiple times the first value wins;
@@ -16,16 +34,3 @@ validate: sshd -t -f %s notify: - Restart sshd - when: ansible_facts.distribution_major_version == '9' - -- name: Disallow SSH password authentication - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}" - state: present - validate: sshd -t -f %s - notify: - - Restart sshd - become: true - when: ansible_facts.distribution_major_version == '8' From 510b76eca837321ebf85e0bd4cbb0cbef7b5a146 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 11 Feb 2025 12:49:20 +0000 Subject: [PATCH 4/5] Include files as soon as possible
--- ansible/roles/sshd/tasks/configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
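Review bot: In the new "Ensure drop in directory exists" task the `path:` is `/etc/ssh/sshd_config.d/*.conf`, so the `file` module creates a directory literally named `*.conf` inside `/etc/ssh/sshd_config.d` (the parent is only created implicitly, with default permissions) rather than the drop-in directory itself, and that stray directory is then matched by the very `Include` glob the next task adds. `mode: 700` is unquoted, so YAML hands Ansible the integer 700, which the file module applies as a decimal value, i.e. 0o1274 (sticky bit, owner w, group rwx, other r) instead of 0700. The fix is `path: /etc/ssh/sshd_config.d` and `mode: "0700"`, the root-only permissions appropriate for a directory whose contents sshd reads as root. Neither line is touched by patches 4 and 5 (L3), so this is the state the series ends in.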
diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml
index 8bc422b13..1203861a1 100644
--- a/ansible/roles/sshd/tasks/configure.yml
+++ b/ansible/roles/sshd/tasks/configure.yml
@@ -13,7 +13,7 @@ regexp: "^Include /etc/ssh/sshd_config.d/*.conf" line: "Include /etc/ssh/sshd_config.d/*.conf" state: present - insertafter: EOF + insertbefore: "BOF" validate: sshd -t -f %s notify: - Restart sshd From f026fa7a4159fde4813ee5b6637e471c38043178 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 11 Feb 2025 14:52:06 +0000 Subject: [PATCH 5/5] Use Block in file Try and match format of Rocky 9
--- ansible/roles/sshd/tasks/configure.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml
index 1203861a1..377b3d745 100644
--- a/ansible/roles/sshd/tasks/configure.yml
+++ b/ansible/roles/sshd/tasks/configure.yml
@@ -1,3 +1,6 @@ +- name: Grab facts to determine distribution + setup: + - name: Ensure drop in directory exists file: path: /etc/ssh/sshd_config.d/*.conf
@@ -8,16 +11,19 @@ become: true - name: Ensure drop in directory is included - lineinfile: + blockinfile: dest: /etc/ssh/sshd_config - regexp: "^Include /etc/ssh/sshd_config.d/*.conf" - line: "Include /etc/ssh/sshd_config.d/*.conf" + content: | + # To modify the system-wide sshd configuration, create a *.conf file under + # /etc/ssh/sshd_config.d/ which will be automatically included below + Include /etc/ssh/sshd_config.d/*.conf state: present - insertbefore: "BOF" + insertafter: "# default value." validate: sshd -t -f %s notify: - Restart sshd become: true + when: ansible_facts.distribution_major_version == '8' - name: Template sshd configuration # NB: If parameters are defined multiple times the first value wins;
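Review bot: `insertafter: "# default value."` in the blockinfile task (second hunk of patch 5) is a regular expression with a silent fallback: when no line matches, for example on a host whose sshd_config no longer carries the stock header comment, the block is appended at end of file, and because sshd takes the first value for a directive, as the comment on the Template task itself states, any `PasswordAuthentication` line already present in the main file would then win over the drop-in with no error from `validate`. Since placement is what makes `sshd_password_authentication` effective, `insertbefore: BOF` (supported by blockinfile) is the safer anchor, unless matching the Rocky 9 layout is worth adding a follow-up check that the Include precedes the first directive. Also worth a comment on the task: `Include` is an OpenSSH 8.2 directive and Rocky 8 ships 8.0p1, so this presumably relies on a distribution backport, and `validate: sshd -t -f %s` is what catches a host without it. The Template sshd configuration task continues outside the hunk.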