Use proper booleans for sshd role #344

Merged (1 commit), Sep 9, 2015
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,4 +1,5 @@
### HEAD
* Convert sshd role variables to booleans ([#344](https://github.com/roots/trellis/pull/344))
* Add check to validate `subtree_path` during deploy ([#334](https://github.com/roots/trellis/pull/334))
* Rename WP site variable `subtree` to `subtree_path` ([#329](https://github.com/roots/trellis/pull/329))
* Add extra HTTP security headers ([#322](https://github.com/roots/trellis/pull/322))
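Review bot: the entry should be flagged as a breaking change for existing `group_vars` overrides. Any value still written in the old quoted form (`sshd_permit_root_login: "no"`, `sshd_password_authentication: "no"`) is a non-empty string, which the template's `ternary('yes', 'no')` treats as true, so an upgraded host would silently render `PasswordAuthentication yes`. Something like `Convert sshd role variables to booleans (breaking: replace quoted "yes"/"no" with unquoted true/false)` tells users what they have to change.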
4 changes: 2 additions & 2 deletions README.md
@@ -69,8 +69,8 @@ For remote servers, you'll need to have a base Ubuntu 14.04 server already creat
1. Configure your [WordPress sites](#wordpress-sites) in `group_vars/<environment>/wordpress_sites.yml`. Also see the [Passwords docs](https://roots.io/trellis/docs/passwords/).
2. Add your server IP/hostnames to `hosts/<environment>`.
3. Specify public SSH keys for `users` in `group_vars/all/users.yml`. See the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/).
4. Consider setting `sshd_permit_root_login: "no"` in `group_vars/all/security.yml`. See the [Security docs](https://roots.io/trellis/docs/security/).
5. Run `ansible-playbook -i hosts/<environment> server.yml`
4. Consider setting `sshd_permit_root_login: false` in `group_vars/all/security.yml`. See the [Security docs](https://roots.io/trellis/docs/security/).
5. Run `ansible-playbook -i hosts/<environment> server.yml`.

## Deploying to remote servers

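Review bot: step 4 should say that the value must be an unquoted YAML boolean. A user who keeps the quoting style of the old example and writes `sshd_permit_root_login: "false"` gets a non-empty string, which the `ternary` filter in `roles/sshd/templates/sshd_config.j2` renders as `PermitRootLogin yes`, the opposite of what the step asks for. The Security docs linked from the same step are outside this diff and should be checked for the same quoted form.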
4 changes: 2 additions & 2 deletions group_vars/all/security.yml
@@ -8,5 +8,5 @@ ferm_input_list:
hits: 20

# Documentation: https://roots.io/trellis/docs/security/
sshd_permit_root_login: "yes" # If "no", admin_user must be in 'users' (`users.yml`) with sudo group and in `sudoer_passwords`
sshd_password_authentication: "no"
sshd_permit_root_login: true # If `false`, `admin_user` must be in 'users' (`users.yml`) with sudo group and in `sudoer_passwords`
sshd_password_authentication: false
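Review bot: style nit in the comment on `sshd_permit_root_login`: 'users' is single-quoted while `admin_user`, `users.yml` and `sudoer_passwords` use backticks; write `users` for consistency. Since this is the file users copy and edit, the comment is also the right place to say that both values must stay unquoted booleans.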
38 changes: 19 additions & 19 deletions roles/sshd/README.md
@@ -20,36 +20,36 @@ sshd_protocol: 2
sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key
sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key
sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key
sshd_use_privilege_separation: "yes"
sshd_use_privilege_separation: true
sshd_key_regeneration_interval: 3600
sshd_server_key_bits: 768
sshd_syslog_facility: AUTH
sshd_log_level: INFO
sshd_login_grace_time: 120
sshd_permit_root_login: "yes"
sshd_strict_modes: "yes"
sshd_rsa_authentication: "yes"
sshd_pubkey_authentication: "yes"
sshd_permit_root_login: true
sshd_strict_modes: true
sshd_rsa_authentication: true
sshd_pubkey_authentication: true
sshd_authorized_keys_file: "%h/.ssh/authorized_keys"
sshd_ignore_rhosts: "yes"
sshd_rhosts_rsa_authentication: "no"
sshd_host_based_authentication: "no"
sshd_ignore_user_known_hosts: "no"
sshd_permit_empty_passwords: "no"
sshd_challenge_response_authentication: "no"
sshd_password_authentication: "no"
sshd_gss_api_authentication: "no"
sshd_gss_api_cleanup_credentials: "yes"
sshd_x11_forwarding: "yes"
sshd_ignore_rhosts: true
sshd_rhosts_rsa_authentication: false
sshd_host_based_authentication: false
sshd_ignore_user_known_hosts: false
sshd_permit_empty_passwords: false
sshd_challenge_response_authentication: false
sshd_password_authentication: false
sshd_gss_api_authentication: false
sshd_gss_api_cleanup_credentials: true
sshd_x11_forwarding: true
sshd_x11_display_offset: 10
sshd_print_motd: "no"
sshd_print_last_log: "yes"
sshd_tcp_keep_alive: "yes"
sshd_print_motd: false
sshd_print_last_log: true
sshd_tcp_keep_alive: true
sshd_max_startups: 10:30:100
sshd_banner: none
sshd_accept_env: LANG LC_*
sshd_subsystem: sftp /usr/lib/openssh/sftp-server
sshd_use_pam: "yes"
sshd_use_pam: true
```

## Attribution
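Review bot: the variable list should state that the former `"yes"`/`"no"` options are now YAML booleans and that the old quoted strings are not accepted: the template passes the value straight to `ternary`, so a leftover `"no"` renders as `yes`. A one-line note above the block, such as "Boolean options take unquoted `true`/`false`", would prevent the silent flip for anyone copying an older example.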
38 changes: 19 additions & 19 deletions roles/sshd/defaults/main.yml
@@ -5,33 +5,33 @@ sshd_protocol: 2
sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key
sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key
sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key
sshd_use_privilege_separation: "yes"
sshd_use_privilege_separation: true
sshd_key_regeneration_interval: 3600
sshd_server_key_bits: 768
sshd_syslog_facility: AUTH
sshd_log_level: INFO
sshd_login_grace_time: 120
sshd_permit_root_login: "yes"
sshd_strict_modes: "yes"
sshd_rsa_authentication: "yes"
sshd_pubkey_authentication: "yes"
sshd_permit_root_login: true
sshd_strict_modes: true
sshd_rsa_authentication: true
sshd_pubkey_authentication: true
sshd_authorized_keys_file: "%h/.ssh/authorized_keys"
sshd_ignore_rhosts: "yes"
sshd_rhosts_rsa_authentication: "no"
sshd_host_based_authentication: "no"
sshd_ignore_user_known_hosts: "no"
sshd_permit_empty_passwords: "no"
sshd_challenge_response_authentication: "no"
sshd_password_authentication: "no"
sshd_gss_api_authentication: "no"
sshd_gss_api_cleanup_credentials: "yes"
sshd_x11_forwarding: "yes"
sshd_ignore_rhosts: true
sshd_rhosts_rsa_authentication: false
sshd_host_based_authentication: false
sshd_ignore_user_known_hosts: false
sshd_permit_empty_passwords: false
sshd_challenge_response_authentication: false
sshd_password_authentication: false
sshd_gss_api_authentication: false
sshd_gss_api_cleanup_credentials: true
sshd_x11_forwarding: true
sshd_x11_display_offset: 10
sshd_print_motd: "no"
sshd_print_last_log: "yes"
sshd_tcp_keep_alive: "yes"
sshd_print_motd: false
sshd_print_last_log: true
sshd_tcp_keep_alive: true
sshd_max_startups: 10:30:100
sshd_banner: none
sshd_accept_env: LANG LC_*
sshd_subsystem: sftp /usr/lib/openssh/sftp-server
sshd_use_pam: "yes"
sshd_use_pam: true
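Review bot: the defaults now carry real booleans, but nothing in the role rejects a string override. A preflight task such as `- assert: that: "sshd_password_authentication in [true, false]"` (one entry per boolean variable) would fail the play with a clear message instead of letting a quoted `"no"` reach the template and come out as `PasswordAuthentication yes`.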
39 changes: 19 additions & 20 deletions roles/sshd/templates/sshd_config.j2
@@ -1,39 +1,38 @@
# {{ ansible_managed }}
# manual customization of this file is not recommended

Port {{ sshd_port }}
ListenAddress {{ sshd_listen_address }}
Protocol {{ sshd_protocol }}
HostKey {{ sshd_host_rsa_key }}
HostKey {{ sshd_host_dsa_key }}
HostKey {{ sshd_host_ecdsa_key }}
UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
UsePrivilegeSeparation {{ sshd_use_privilege_separation | ternary('yes', 'no') }}
KeyRegenerationInterval {{ sshd_key_regeneration_interval }}
ServerKeyBits {{ sshd_server_key_bits }}
SyslogFacility {{ sshd_syslog_facility }}
LogLevel {{ sshd_log_level }}
LoginGraceTime {{ sshd_login_grace_time }}
PermitRootLogin {{ sshd_permit_root_login }}
StrictModes {{ sshd_strict_modes }}
RSAAuthentication {{ sshd_rsa_authentication }}
PubkeyAuthentication {{ sshd_pubkey_authentication }}
PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }}
StrictModes {{ sshd_strict_modes | ternary('yes', 'no') }}
RSAAuthentication {{ sshd_rsa_authentication | ternary('yes', 'no') }}
PubkeyAuthentication {{ sshd_pubkey_authentication | ternary('yes', 'no') }}
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
IgnoreRhosts {{ sshd_ignore_rhosts }}
RhostsRSAAuthentication {{ sshd_rhosts_rsa_authentication }}
HostbasedAuthentication {{ sshd_host_based_authentication }}
IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts }}
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }}
PasswordAuthentication {{ sshd_password_authentication }}
GSSAPIAuthentication {{ sshd_gss_api_authentication }}
GSSAPICleanupCredentials {{ sshd_gss_api_cleanup_credentials }}
X11Forwarding {{ sshd_x11_forwarding }}
IgnoreRhosts {{ sshd_ignore_rhosts | ternary('yes', 'no') }}
RhostsRSAAuthentication {{ sshd_rhosts_rsa_authentication | ternary('yes', 'no') }}
HostbasedAuthentication {{ sshd_host_based_authentication | ternary('yes', 'no') }}
IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts | ternary('yes', 'no') }}
PermitEmptyPasswords {{ sshd_permit_empty_passwords | ternary('yes', 'no') }}
ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }}
PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }}
GSSAPIAuthentication {{ sshd_gss_api_authentication | ternary('yes', 'no') }}
GSSAPICleanupCredentials {{ sshd_gss_api_cleanup_credentials | ternary('yes', 'no') }}
X11Forwarding {{ sshd_x11_forwarding | ternary('yes', 'no') }}
X11DisplayOffset {{ sshd_x11_display_offset }}
PrintMotd {{ sshd_print_motd }}
PrintLastLog {{ sshd_print_last_log }}
TCPKeepAlive {{ sshd_tcp_keep_alive }}
PrintMotd {{ sshd_print_motd | ternary('yes', 'no') }}
PrintLastLog {{ sshd_print_last_log | ternary('yes', 'no') }}
TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }}
MaxStartups {{ sshd_max_startups }}
Banner {{ sshd_banner }}
AcceptEnv {{ sshd_accept_env }}
Subsystem {{ sshd_subsystem }}
UsePAM {{ sshd_use_pam }}
UsePAM {{ sshd_use_pam | ternary('yes', 'no') }}
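Review bot: `ternary` tests plain truthiness, so any non-empty string, including the `"no"` form the previous defaults documented, renders as `yes`; piping through Ansible's `bool` filter first, `{{ sshd_password_authentication | bool | ternary('yes', 'no') }}`, accepts both the new booleans and the legacy strings and closes that regression path for every line in this hunk. Separately, the `PermitRootLogin` line loses the directive's non-boolean values: `without-password` (key-only root login) and `forced-commands-only` can no longer be expressed through `sshd_permit_root_login` once it is forced to yes/no; if that is intended, the role README should say so.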