- feat: Add new configuration options from OpenSSH 9.8
- fix: add support for EL10 (#293)
- feat: Ubuntu Noble support (#290)
- fix: Ubuntu 22.04 PrintMotd set default to false (#290)
- build(deps): bump mathieudutour/github-tag-action from 6.1 to 6.2 (#283)
- test: ensure that sshd2 is completely stopped and removed
- fix: Document and streamline the sshd_main_config_file (#281)
- build(deps): bump ansible/ansible-lint from 6 to 24 (#279)
- fix: Fix service files generated on EL7 and workaround the tests for containers (#276)
- docs: Fix spelling issues + fix reported issues (#274)
- build(deps): bump actions/checkout from 3 to 4 (#275)
- README.md typo in config word (#277)
- fix: Review and update service units and socket unit to include distribution defaults
- ci: fix ansible-lint 2.16 issues; use ansible-lint 2.16
- feat: support for ostree systems (#270)
- fix: Avoid creation of runtime directories in home (#265)
- tests: Ensure backup/restore preserves file attributes (#269)
- fix: Symlink sub-directories under tests/roles/ansible-sshd to avoid recursive loop (#262)
  Enhancement: Moved symlinking a level down in test/roles to avoid a recursive loop via the test directory.
  Reason: Ansible Core >= 2.15.5 does not allow recursive directory trees.
  Result: CI should still run correctly, the problem with the recursive symlinks with Ansible Core 2.15.5 should be fixed.
  Issue Tracker Tickets (Jira or BZ if any): #259 #260 #261
- feat: manage ssh certificates (#252)
  Enhancement:
  - Deploy User CA on the system
  - Configure principals (optional)
  Reason: This allows you to configure and manage the SSH server to authenticate via certificates. Improves SSH authentication security: certificates have a validity period, unlike SSH keys.
  More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.
  Result: All tests passed. The related documentation is available and an example can be found in `examples/example-use-certificates.yml`.
  Issue Tracker Tickets (Jira or BZ if any): -
- fix: Support inject_facts_as_vars = false (#244)
  Enhancement: Support `inject_facts_as_vars = false` in ansible.cfg. The setting is considered safer because a compromised host cannot inject facts into variables.
  Reason: Minor security enhancement.
  This setting is also recommended in some tuning guides like https://docs.openstack.org/kolla-ansible/wallaby/user/ansible-tuning.html#fact-variable-injection and issue mitigation guides: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#when-is-it-unsafe-to-bulk-set-task-arguments-from-a-variable
  `ansible_facts` are used only with one name. Previously, for example, `ansible_facts['os_family']` was also used as `ansible_os_family`. This helps maintainability.
  Result: Support `inject_facts_as_vars = false`. If the setting is `true`, the situation still works as expected. Also drop the `ansible` prefix from local variables to avoid possible conflicts in namespace and avoid possible confusion.
  Issue Tracker Tickets (Jira or BZ if any): -
- fix: Makes runtime dir relative (#249)
  Enhancement: Makes the systemd RuntimeDirectory service file directive relative (`sshd` instead of `/run/sshd`).
  Reason: The docs say it has to be relative.
  Result: The following error is gone from the journal:
  `/etc/systemd/system/backdoor-ssh.service:14: RuntimeDirectory= path is not valid, ignoring assignment: /run/custom-ssh`
  Waiting for the tests.
  Issue Tracker Tickets (Jira or BZ if any): none
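The rejected and the accepted form of the directive side by side, as an added illustration that is not the role's own service template; the unit name is taken from the journal message above, the config path and directory mode are assumed:

```ini
# Added illustration (not from the ansible-sshd role). Unit name from the
# journal message above; /etc/ssh/custom-ssh/sshd_config and the mode are assumed.
[Unit]
Description=Second OpenSSH server instance with its own configuration
After=network.target

[Service]
Type=simple
# Rejected: RuntimeDirectory= takes a name relative to /run, so an absolute
# path is logged as invalid and ignored, and the directory is never created.
# RuntimeDirectory=/run/custom-ssh
#
# Accepted: systemd creates /run/custom-ssh with the mode below before
# ExecStart runs and removes it again when the unit stops.
RuntimeDirectory=custom-ssh
RuntimeDirectoryMode=0755
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/custom-ssh/sshd_config
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze verify /etc/systemd/system/backdoor-ssh.service` reports the invalid assignment before the unit is ever started, so the check fits in CI ahead of a deploy.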
- chore: fix markdown for heading in CHANGELOG (#242)
  chore: add missing h2 heading for the 0.19.0 release
  There was no markdown h2 heading for the 0.19.0 release which broke the changelog parser in the collection release, causing the changelog to look like https://github.com/linux-system-roles/auto-maintenance/commit/0eade02032c55ffc008240ce44cfbee25276b51c#diff-ddbe2c1474f5ea331aef8eedcd595299f771578e4416a5f112ae69ed5a934bc0R4
  Add the correct markdown.
  Signed-off-by: Rich Megginson [email protected]
- chore: drop support of Fedora 31, EOL 2020-11-24 (#243)
  Enhancement:
  Reason: Fedora 31 is EOL.
  Result: Drop explicit support of EOL distro version. Less code to maintain.
- ci: Add markdownlint, test_converting_readme, and build_docs workflows (#247)
  Enhancement: Add markdownlint, test_converting_readme, and build_docs GitHub workflows
  Reason:
  - markdownlint runs against markdown files to ensure correct syntax and avoid any issues with converting README.md to HTML
  - test_converting_readme converts README.md > HTML and uploads this test artifact to ensure that conversion works fine
  - build_docs converts README.md > HTML and pushes the result to the docs branch to publish docs to the GitHub Pages site
  - Rename commitlint.yml workflow into pr-title-lint for clarity
- ci: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly (#248)
  Enhancement: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly
  Reason: ansible-lint recently added a rule `var-naming[no-role-prefix]` that fails expectedly; this role generally uses `sshd` instead of `ansible_sshd`, and also vars from other roles, e.g. `firewall_`.
  Result: ansible-lint ignores this rule and passes.
- build(deps): bump actions/checkout from 3 to 4 (#254)
  Bumps actions/checkout from 3 to 4.
- feat: debian 12 support and small config fixes for debian (#238)
  This PR adds Debian 12 (aka bookworm) support to the role. The workflow fails at the moment because there is no roles-ansible/check-ansible-debian-bookworm-action repo yet. As soon as @DO1JLR has created the repo it should pass all checks.
  Furthermore I fixed some small oversights in older Debian defaults.
- feat: Fix alpine tests by adding new configuration options (#240)
- proper Subsystem sftp default for RHEL9 (#220)
  Basically the same as for RHEL6/7/8
- ci: Add pull request template and run commitlint on PR title only (#237)
  We now ensure the conventional commits format only on PR titles and not on commits to let developers keep commit messages targeted for other developers, i.e. describe actual changes to code that users should not care about. And PR titles, on the contrary, must be aimed at end users.
  For more info, see https://linux-system-roles.github.io/contribute.html#write-a-good-pr-title-and-description
- chore: moved debian 7 (wheezy) config to explicit file (#239)
  This removes the `defaults/Debian.yml` file and moves it to the `defaults/Debian_7.yml` file. This prohibits rolling out ancient config on new Debian systems which aren't supported by this role.
- feat: add support for FreeBSD, OpenBSD
- none
- test: skip selinux or firewall role test where not supported
- test: check generated files for ansible_managed, fingerprint
- ci: Add commitlint GitHub action to ensure conventional commits
- ci: Drop testing on Debian stretch (9)
- ci: add dependabot check for github action updates
- style: ansible-lint - align with current Ansible recommendations
- none
- Fedora 38 no longer has non-standard hostkey permissions
- Fingerprint ansible-sshd managed config files
- Add support for Alpine OS (#212)
- Add support for managing selinux and firewall on RHEL-based systems (#211)
- Update tests to not use configuration options available in system defaults (#213)
- Improve manual pages processing in tests to accommodate Alpine's busybox man (#213)
- Add a Github action to check for non-inclusive language (#215)
- Adding support for OpenWrt 21.03
- Add final version of RequiredRSASize
  Keep the old version for backward compatibility
  Upstream commit: https://github.com/openssh/openssh-portable/commit/1875042c
- Update source template to match generated files
- Remove legacy files
- Update pre-commit plugins to latest
- Linting fixes
- keep v prefix in version/tag
  Keep the `v` prefix in the version/tag
- Make drop-in config file functionality configurable by user
This PR simplifies the logic behind the drop-in config files and also allows the user to use drop-in configs even if the distribution does not support it out of the box.
- Allow user to override variables
A previous commit hardcoded many variables to the values under vars/, making it impossible for the user to parameterize things like the systemd service name. The assumption was that the _sshd* variables were useless in an effort to blindly adhere to best practices, but they were crucial in allowing flexibility to the user.
- none
- add parameter RSAMinSize
Add support for the new RSAMinSize parameter.
- Ensure values are cast to correct type
  #188 This shouldn't be necessary, but there seems no way to guarantee using a version of Jinja which doesn't have this problem.
  In addition, it is not good practice to compare values to `true` or `false`; instead, just ensure the value is a `bool` type and evaluate in a boolean context.
- Additional notes about secondary variables
- Fix various linting issues
- Revert incorrect module name
- tests: Do not be picky about spaces/tabs
When testing with cloud-init, it modifies the sshd_configuration and can replace some tabs with whitespaces. This happens frequently around the subsystem keyword. There are no functional changes, but the matching did not work as expected.
Signed-off-by: Jakub Jelen [email protected]
- the role still supports ansible 2.9
- Add CHANGELOG.md
- Add changelog_to_tag.yml to .github/workflows
  Description: When a new changelog section is added to CHANGELOG.md and pushed, changelog_to_tag.yml is triggered, which generates a new tag and a new release.
- none
- Remove kvm from virtualization platforms
- none
- Unbreak FIPS detection and stabilize failing tests and GH actions
- Make sure Include is in the main configuration file when drop-in directory is used
- Make the role FIPS-aware
- Fix runtime directory check condition
- README: fix meta/make_option_lists link
- none
- none
- Use {{ ansible_managed | comment }} to fix multi-line ansible_managed
- none
- Drop support for Ansible 2.8 by bumping the Ansible version to 2.9
- none
- none
- Add Debian 11 (bullseye) support
- Fix wrong template file
- Remove travis configuration and update readme with new badges
- Add CentOS 6 to CI
- Add support for RHEL 9 and adjust tests for it
- none
- none
- Add configuration options from OpenSSH 8.6p1
- Rename sshd_namespace_append to sshd_config_namespace
- Support for appending a snippet to configuration file
- Update meta data and README
- use state: absent instead of state: missing
- [FreeBSD] Add Subsystem to _sshd_defaults
- UsePrivilegeSeparation is deprecated since 2017/OpenSSH 7.5 - https://www.openssh.com/txt/release-7.5
- examples: Provide simple example playbook
- Fix variable precedence when invoked through legacy "roles:"
- Fix issues found by linters - enable all tests on all repos - remove suppressions
- README: Document missing exported variable
- Improve test coverage with new test cases and new distros, fixing minor issues on the way
- none
- none
- Run tests with Github Actions and fix things on the way
- none
- none
- Rename tests to follow best practices and make galaxy linters happy
- Implement more natural match blocks and test them
- Support /etc/sysconfig/sshd to override crypto policies and handle more advanced use cases
- README: Fix missing code block termination
- subsystem appears to be ignored
- none
- none
- Remove extra blank line
- Disable broken ansible-lint-actions
- Cleanup lint issues, update documentation, fix typos
- Implement more coherence check tests
- Use ansible_distribution_major_version in variables
- Create CODE_OF_CONDUCT.md
- none
- none
- Minimum version is now Ansible 2.8
- exit_host on ansible >= 2.8
- OpenBSD and ansible_distribution_major_version
- none
- none
- none
- none
- Ubuntu focal, CI updates, code quality improvements
- Add new options from OpenSSH 8.3p1 (including CASignatureAlgorithms)
- none
- none
- Add Gentoo support (with secure sshd defaults)
- none
- none
- add debian 10 (buster) support
- Add vars for openSUSE Leap 15 and CentOS 8
- none
- none
- Remove duplicate GatewayPorts
- AIX support (including new AIX handler)
- Updates syntax to Ansible 2.7 era
- none
- none
- none
- Travis fixes
- Resolve lint errors
- none
- Remove 'UsePrivilegeSeparation' from Fedora defaults
- Backup of sshd_config dependent on variable
- none
- none
- none
- Fix variable loading.
- none
- Make role work with chroot connections on EL 7.
- Remove deprecated options
- none
- none
- Fixes bad option in systemd service file
- none
- Adds on/off toggle
- none
- none
- Adds ability to install a systemd service
- Add Ubuntu_18.yml
- Add missing options
- expose sshd_config template backup option with sshd_backup variable
- none
- none
- Add CoreOS support
- none
- none
- none
- Amazon var name should be sshd_defaults
- none
- Remove Deprecated options in default SSH config
- Add StreamLocalBindUnlink option
- Makes handler use listen: option
- Removes tags
- change `ansible_pkg_mgr` for package
- Fix for ansible_virtualization_type not being defined in Ansible > 2.5
- Fix Arch Linux var file
- none
- Add Debian 9 (stretch) vars
- none
- none
- Add note about UsePAM on RHEL 7
- Ansible23 fixes
- Remove circular symlink in tests dir
- none
- none
- Fixed sshd_match blocks
- none
- none
- Fix sshd service state
- none
- clean Archlinux support to match the current package (openssh-7.4p1-2)
- vars: SUSE: Add default variables for SUSE based distributions
- none
- none
- Don't fail without package manager
- none
- none
- Support for OpenBSD
- none
- none
- show xenial support on galaxy
- none
- none
- Added ubuntu 16.04 config
- none
- none
- none
- fix deprecation warning for sshd_packages
- Housekeeping
- none
- Fix for CentOS 6 l_value issue
- Update example so not to break old SSH versions and add a warning
- none
- Fedora HostKey(s)
- none
- none
- none
- Do not manage /var/run/sshd on CentOS7 fixes #27
- none
- DebianBanner support
- none
- none
- Verify SSHd config early
- Add Fedora support
- fix typo in AcceptEnv for RedHat7
- Fix issues - not reloading with default sshd_allow_reload value
- none
- Make the role more container friendly
- Remove apt role dependency
- fix typo in AcceptEnv
- none
- none
- Don't install openssh-sftp-server on Debian
- none
- none
- none
- Add precise, move 14.04 to specific configuration
- Feature/debian defaults
- Minor typo fixes and add Archlinux support