diff --git a/.travis.yml b/.travis.yml index 0b895ee6..3a85aed4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,11 +15,17 @@ install: - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg" script: - # Check the roles syntax - - "ansible-playbook -i tests/inventory tests/test.yml --syntax-check" + # Check the ansible version. + - > + ansible --version + | grep -q '^ansible 2' + && (echo 'Ansible 2.0+ test: pass' && exit 0) + || (echo 'Ansible 2.0+ test: fail' && exit 1) + # Check the roles syntax. + - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check" # Run the role - - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo" + - "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v" # Run the role/playbook again, checking to make sure it's idempotent. - > diff --git a/meta/30_bottom.j2 b/meta/30_bottom.j2 index d10b7d8a..252ed85e 100644 --- a/meta/30_bottom.j2 +++ b/meta/30_bottom.j2 
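Review bot: The role run now passes `--sudo -v` while the new version probe restricts CI to Ansible 2.x, where `--sudo` is the deprecated spelling of `--become`; the line should read `- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --become -v"`. The same flag is presumably repeated in the idempotence re-run that starts at the folded `- >` closing the hunk, whose body is not shown here. The probe itself is sound: `grep -q '^ansible 2'` matches the first line of `ansible --version`, and each parenthesised branch exits with the status Travis expects.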
@@ -5,29 +5,29 @@
 {{ match_block(sshd_match) -}}
 {% endif %}
 {% if sshd_match_1 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_1) -}}
 {% endif %}
 {% if sshd_match_2 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_2) -}}
 {% endif %}
 {% if sshd_match_3 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_3) -}}
 {% endif %}
 {% if sshd_match_4 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_4) -}}
 {% endif %}
 {% if sshd_match_5 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_5) -}}
 {% endif %}
 {% if sshd_match_6 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_6) -}}
 {% endif %}
 {% if sshd_match_7 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_7) -}}
 {% endif %}
 {% if sshd_match_8 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_8) -}}
 {% endif %}
 {% if sshd_match_9 is defined %}
-{{ match_block(sshd_match) -}}
+{{ match_block(sshd_match_9) -}}
 {% endif %}
diff --git a/meta/options_body b/meta/options_body
index 2111fb43..6ab17526 100644
--- a/meta/options_body
+++ b/meta/options_body
@@ -6,12 +6,15 @@ HostKey
 AcceptEnv
 AllowAgentForwarding
 AllowGroups
+AllowStreamLocalForwarding
 AllowTcpForwarding
 AllowUsers
 AuthenticationMethods
 AuthorizedKeysCommand
 AuthorizedKeysCommandUser
 AuthorizedKeysFile
+AuthorizedPrincipalsCommand
+AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
 ChallengeResponseAuthentication
@@ -23,7 +26,11 @@ Compression
 DebianBanner
 DenyGroups
 DenyUsers
+DisableForwarding
+ExposeAuthInfo
+FingerprintHash
 ForceCommand
+GatewayPorts
 GSSAPIAuthentication
 GSSAPICleanupCredentials
 GSSAPIKeyExchange
@@ -34,6 +41,8 @@ HPNBufferSize
 HPNDisabled
 HostCertificate
 HostKeyAgent
+HostKeyAlgorithms
+HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
 IPQoS
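Review bot: The fix is right, but nothing in the diff guards against the copy/paste regression it repairs: before this change every numbered `sshd_match_N` rendered the contents of `sshd_match`, so a Match block written to restrict one user or group silently carried another block's settings. Since tests/test.yml already drives the role in CI, add a case that defines `sshd_match_1` with its own `Condition` and asserts the rendered sshd_config contains that condition rather than a second copy of the first block. A header comment would also make the pattern harder to break, e.g. `{# One block per sshd_match[_N] variable; the argument to match_block must be the variable named in the guard. #}`.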
@@ -60,15 +69,19 @@ PermitRootLogin
 PermitTTY
 PermitTunnel
 PermitUserEnvironment
+PermitUserRC
 PidFile
 PrintLastLog
 PrintMotd
+PubkeyAcceptedKeyTypes
 PubkeyAuthentication
 RSAAuthentication
 RekeyLimit
 RevokedKeys
+RDomain
 RhostsRSAAuthentication
 ServerKeyBits
+StreamLocalBindMask
 StreamLocalBindUnlink
 StrictModes
 Subsystem
diff --git a/meta/options_match b/meta/options_match
index e5099ce2..2ff6d67e 100644
--- a/meta/options_match
+++ b/meta/options_match
@@ -1,33 +1,51 @@
+AcceptEnv
 AllowAgentForwarding
 AllowGroups
+AllowStreamLocalForwarding
 AllowTcpForwarding
 AllowUsers
 AuthenticationMethods
 AuthorizedKeysCommand
 AuthorizedKeysCommandUser
 AuthorizedKeysFile
+AuthorizedPrincipalsCommand
+AuthorizedPrincipalsCommandUser
 AuthorizedPrincipalsFile
 Banner
 ChrootDirectory
+ClientAliveCountMax
+ClientAliveInterval
 DenyGroups
 DenyUsers
 ForceCommand
 GatewayPorts
 GSSAPIAuthentication
+HostbasedAcceptedKeyTypes
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
+IPQoS
 KbdInteractiveAuthentication
 KerberosAuthentication
+LogLevel
 MaxAuthTries
 MaxSessions
 PasswordAuthentication
 PermitEmptyPasswords
 PermitOpen
 PermitRootLogin
+PermitTTY
 PermitTunnel
+PermitUserRC
+PubkeyAcceptedKeyTypes
 PubkeyAuthentication
+RDomain
+RekeyLimit
+RevokedKeys
 RhostsRSAAuthentication
 RSAAuthentication
+StreamLocalBindMask
+StreamLocalBindUnlink
+TrustedUserCAKeys
 X11DisplayOffset
 X11Forwarding
 X11UseLocalHost
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index a9915e7a..bc92316d 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
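Review bot: `RDomain` is inserted after `RevokedKeys`, which breaks the byte-order sorting the rest of this list follows (`RSAAuthentication` sits before `RekeyLimit` because uppercase sorts before lowercase); in that order it belongs immediately before `RSAAuthentication`. The `{{ body_option("RDomain",sshd_RDomain) -}}` line in templates/sshd_config.j2 (the `@@ -131,15 +158,19 @@` hunk) has the same placement. Moving it is cosmetic, but a consistently sorted list is what makes a missing keyword easy to spot when these files are checked against sshd_config(5).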
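Review bot: `DisableForwarding` and `ExposeAuthInfo` are added to meta/options_body in this commit but not to this list, although sshd_config(5) names both among the keywords permitted inside a Match block, so the role cannot apply them per user or group. Add `DisableForwarding` between `DenyUsers` and `ForceCommand` and `ExposeAuthInfo` right after it, with matching `{{ render_option("DisableForwarding",match["DisableForwarding"],true) -}}` lines in the Match section of templates/sshd_config.j2 (the `@@ -33,36 +33,54 @@` hunk). DisableForwarding in particular is the single keyword that closes every forwarding channel for a restricted account, which is exactly the situation a Match block is written for.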
@@ -33,36 +33,54 @@
 {% if match_list is iterable %}
 {% for match in match_list %}
 Match {{ match["Condition"] }}
+{{ render_option("AcceptEnv",match["AcceptEnv"],true) -}}
 {{ render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
 {{ render_option("AllowGroups",match["AllowGroups"],true) -}}
+{{ render_option("AllowStreamLocalForwarding",match["AllowStreamLocalForwarding"],true) -}}
 {{ render_option("AllowTcpForwarding",match["AllowTcpForwarding"],true) -}}
 {{ render_option("AllowUsers",match["AllowUsers"],true) -}}
 {{ render_option("AuthenticationMethods",match["AuthenticationMethods"],true) -}}
 {{ render_option("AuthorizedKeysCommand",match["AuthorizedKeysCommand"],true) -}}
 {{ render_option("AuthorizedKeysCommandUser",match["AuthorizedKeysCommandUser"],true) -}}
 {{ render_option("AuthorizedKeysFile",match["AuthorizedKeysFile"],true) -}}
+{{ render_option("AuthorizedPrincipalsCommand",match["AuthorizedPrincipalsCommand"],true) -}}
+{{ render_option("AuthorizedPrincipalsCommandUser",match["AuthorizedPrincipalsCommandUser"],true) -}}
 {{ render_option("AuthorizedPrincipalsFile",match["AuthorizedPrincipalsFile"],true) -}}
 {{ render_option("Banner",match["Banner"],true) -}}
 {{ render_option("ChrootDirectory",match["ChrootDirectory"],true) -}}
+{{ render_option("ClientAliveCountMax",match["ClientAliveCountMax"],true) -}}
+{{ render_option("ClientAliveInterval",match["ClientAliveInterval"],true) -}}
 {{ render_option("DenyGroups",match["DenyGroups"],true) -}}
 {{ render_option("DenyUsers",match["DenyUsers"],true) -}}
 {{ render_option("ForceCommand",match["ForceCommand"],true) -}}
 {{ render_option("GatewayPorts",match["GatewayPorts"],true) -}}
 {{ render_option("GSSAPIAuthentication",match["GSSAPIAuthentication"],true) -}}
+{{ render_option("HostbasedAcceptedKeyTypes",match["HostbasedAcceptedKeyTypes"],true) -}}
 {{ render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
 {{ render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
+{{ render_option("IPQoS",match["IPQoS"],true) -}}
 {{ render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
 {{ render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
+{{ render_option("LogLevel",match["LogLevel"],true) -}}
 {{ render_option("MaxAuthTries",match["MaxAuthTries"],true) -}}
 {{ render_option("MaxSessions",match["MaxSessions"],true) -}}
 {{ render_option("PasswordAuthentication",match["PasswordAuthentication"],true) -}}
 {{ render_option("PermitEmptyPasswords",match["PermitEmptyPasswords"],true) -}}
 {{ render_option("PermitOpen",match["PermitOpen"],true) -}}
 {{ render_option("PermitRootLogin",match["PermitRootLogin"],true) -}}
+{{ render_option("PermitTTY",match["PermitTTY"],true) -}}
 {{ render_option("PermitTunnel",match["PermitTunnel"],true) -}}
+{{ render_option("PermitUserRC",match["PermitUserRC"],true) -}}
+{{ render_option("PubkeyAcceptedKeyTypes",match["PubkeyAcceptedKeyTypes"],true) -}}
 {{ render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
+{{ render_option("RDomain",match["RDomain"],true) -}}
+{{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
+{{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
 {{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
+{{ render_option("StreamLocalBindMask",match["StreamLocalBindMask"],true) -}}
+{{ render_option("StreamLocalBindUnlink",match["StreamLocalBindUnlink"],true) -}}
+{{ render_option("TrustedUserCAKeys",match["TrustedUserCAKeys"],true) -}}
 {{ render_option("X11DisplayOffset",match["X11DisplayOffset"],true) -}}
 {{ render_option("X11Forwarding",match["X11Forwarding"],true) -}}
 {{ render_option("X11UseLocalHost",match["X11UseLocalHost"],true) -}}
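Review bot: The eighteen added `render_option(...)` lines are hand-copied from meta/options_match, so the two lists stay in sync only by inspection, and this commit already shows how that drifts. If the Match keywords were exposed to the template as a list variable (say `sshd_match_options`, constructed name), the whole stanza would collapse to `{% for opt in sshd_match_options %}` / `{{ render_option(opt, match[opt], true) -}}` / `{% endfor %}` and could not disagree with the list. The enclosing `{% for match in match_list %}` loop continues past the end of the hunk.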
@@ -77,12 +95,15 @@ Match {{ match["Condition"] }}
 {{ body_option("AcceptEnv",sshd_AcceptEnv) -}}
 {{ body_option("AllowAgentForwarding",sshd_AllowAgentForwarding) -}}
 {{ body_option("AllowGroups",sshd_AllowGroups) -}}
+{{ body_option("AllowStreamLocalForwarding",sshd_AllowStreamLocalForwarding) -}}
 {{ body_option("AllowTcpForwarding",sshd_AllowTcpForwarding) -}}
 {{ body_option("AllowUsers",sshd_AllowUsers) -}}
 {{ body_option("AuthenticationMethods",sshd_AuthenticationMethods) -}}
 {{ body_option("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) -}}
 {{ body_option("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) -}}
 {{ body_option("AuthorizedKeysFile",sshd_AuthorizedKeysFile) -}}
+{{ body_option("AuthorizedPrincipalsCommand",sshd_AuthorizedPrincipalsCommand) -}}
+{{ body_option("AuthorizedPrincipalsCommandUser",sshd_AuthorizedPrincipalsCommandUser) -}}
 {{ body_option("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) -}}
 {{ body_option("Banner",sshd_Banner) -}}
 {{ body_option("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) -}}
@@ -94,7 +115,11 @@ Match {{ match["Condition"] }}
 {{ body_option("DebianBanner",sshd_DebianBanner) -}}
 {{ body_option("DenyGroups",sshd_DenyGroups) -}}
 {{ body_option("DenyUsers",sshd_DenyUsers) -}}
+{{ body_option("DisableForwarding",sshd_DisableForwarding) -}}
+{{ body_option("ExposeAuthInfo",sshd_ExposeAuthInfo) -}}
+{{ body_option("FingerprintHash",sshd_FingerprintHash) -}}
 {{ body_option("ForceCommand",sshd_ForceCommand) -}}
+{{ body_option("GatewayPorts",sshd_GatewayPorts) -}}
 {{ body_option("GSSAPIAuthentication",sshd_GSSAPIAuthentication) -}}
 {{ body_option("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) -}}
 {{ body_option("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) -}}
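Review bot: The new `sshd_AllowStreamLocalForwarding`, `sshd_AuthorizedPrincipalsCommand`, `sshd_AuthorizedPrincipalsCommandUser`, `sshd_DisableForwarding`, `sshd_ExposeAuthInfo`, `sshd_FingerprintHash` and `sshd_GatewayPorts` references here (and the ones in the next two hunks of this file) each need a declared default, but no change to the role's defaults (defaults/main.yml by Ansible convention) appears on this page. If `body_option` does not tolerate an undefined value the template stops rendering; if it does, operators get no hint that these keywords exist. Presumably the defaults are updated in the same commit — worth confirming. A comment above the stanza such as `{# Every sshd_<Keyword> referenced below must have a matching entry in the role defaults. #}` would record the contract.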
@@ -105,6 +130,8 @@ Match {{ match["Condition"] }}
 {{ body_option("HPNDisabled",sshd_HPNDisabled) -}}
 {{ body_option("HostCertificate",sshd_HostCertificate) -}}
 {{ body_option("HostKeyAgent",sshd_HostKeyAgent) -}}
+{{ body_option("HostKeyAlgorithms",sshd_HostKeyAlgorithms) -}}
+{{ body_option("HostbasedAcceptedKeyTypes",sshd_HostbasedAcceptedKeyTypes) -}}
 {{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
 {{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
 {{ body_option("IPQoS",sshd_IPQoS) -}}
@@ -131,15 +158,19 @@ Match {{ match["Condition"] }}
 {{ body_option("PermitTTY",sshd_PermitTTY) -}}
 {{ body_option("PermitTunnel",sshd_PermitTunnel) -}}
 {{ body_option("PermitUserEnvironment",sshd_PermitUserEnvironment) -}}
+{{ body_option("PermitUserRC",sshd_PermitUserRC) -}}
 {{ body_option("PidFile",sshd_PidFile) -}}
 {{ body_option("PrintLastLog",sshd_PrintLastLog) -}}
 {{ body_option("PrintMotd",sshd_PrintMotd) -}}
+{{ body_option("PubkeyAcceptedKeyTypes",sshd_PubkeyAcceptedKeyTypes) -}}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
+{{ body_option("RDomain",sshd_RDomain) -}}
 {{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
 {{ body_option("ServerKeyBits",sshd_ServerKeyBits) -}}
+{{ body_option("StreamLocalBindMask",sshd_StreamLocalBindMask) -}}
 {{ body_option("StreamLocalBindUnlink",sshd_StreamLocalBindUnlink) -}}
 {{ body_option("StrictModes",sshd_StrictModes) -}}
 {{ body_option("Subsystem",sshd_Subsystem) -}}