From: Andrew Schoen Date: Tue, 31 Mar 2015 16:48:24 +0000 (-0500) Subject: Add sshd_config for centos 6; make sshd_config major version specific. X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8442c32a0caa8b8fa4e05a19db0abc6d9b7fbb70;p=ceph-cm-ansible.git Add sshd_config for centos 6; make sshd_config major version specific. We used to store sshd_configs for each minor version of a distro, which was not necessary. This changes those to major version specific sshd_configs per distro. Signed-off-by: Andrew Schoen --- diff --git a/roles/testnode/tasks/ssh.yml b/roles/testnode/tasks/ssh.yml index f0fab8ea..3bf4cdd3 100644 --- a/roles/testnode/tasks/ssh.yml +++ b/roles/testnode/tasks/ssh.yml @@ -1,12 +1,11 @@ --- -- name: Upload rhel version specific sshd_config. +- name: Upload distro major version specific sshd_config. template: - src: "ssh/sshd_config_rhel_{{ ansible_distribution_version }}" + src: "ssh/sshd_config_{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version }}" dest: /etc/ssh/sshd_config owner: root group: root mode: 0755 - when: ansible_distribution == "RedHat" notify: - restart sshd tags: diff --git a/roles/testnode/templates/ssh/sshd_config_centos_6 b/roles/testnode/templates/ssh/sshd_config_centos_6 index a008adc6..80fb5193 100755 --- a/roles/testnode/templates/ssh/sshd_config_centos_6 +++ b/roles/testnode/templates/ssh/sshd_config_centos_6 @@ -1,3 +1,4 @@ +# {{ ansible_managed }} # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ # This is the sshd server system-wide configuration file. See 
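Review bot: `mode: 0755` on the `template:` task in roles/testnode/tasks/ssh.yml installs /etc/ssh/sshd_config with execute bits a configuration file never needs; the stock file is owner-only, so `mode: 0600` is the line I would use (the templates themselves are also committed as `new file mode 100755`, which is harmless in the repo but mirrors the same slip). Dropping `when: ansible_distribution == "RedHat"` means the task now runs on every host the role touches, and `src` only resolves where a `sshd_config_<distro>_<major>` template exists; the templates visible here are centos and redhat only, so any other platform presumably fails at template lookup unless a matching file lives outside this diff. If that is not intended, a `when` keyed on the supported distributions would restore the guard. The task body continues past the hunk (`tags:`).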
@@ -5,95 +6,18 @@ # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# Disable legacy (protocol version 1) support in the server for new -# installations. In future the default will change to require explicit -# activation of protocol 1 Protocol 2 -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: -#LoginGraceTime 2m -#PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys -#AuthorizedKeysCommand none -#AuthorizedKeysCommandRunAs nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! 
-#PasswordAuthentication yes -#PermitEmptyPasswords no PasswordAuthentication yes -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes ChallengeResponseAuthentication no -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no -#KerberosUseKuserok yes - # GSSAPI options -#GSSAPIAuthentication no GSSAPIAuthentication yes -#GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes -#GSSAPIKeyExchange no -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -#UsePAM no UsePAM yes # Accept locale-related environment variables 
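Review bot: The new side of sshd_config_centos_6 keeps `PasswordAuthentication yes` and `UsePAM yes` but carries no `PermitRootLogin` directive, so root login is left at the compiled-in default (the removed `#PermitRootLogin yes` line documented that default as yes for this OpenSSH), and a reader of the template can no longer see the effective policy. Pinning it explicitly keeps the setting visible and stable across package upgrades: `PermitRootLogin without-password` if root is only reached with keys, or `PermitRootLogin yes` with a one-line comment stating why test nodes need it. The same omission is in the new sshd_config_redhat_6 and sshd_config_redhat_7 templates. This hunk starts at file line 5, after the header context shown in the previous hunk.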
@@ -102,37 +26,9 @@ AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#ShowPatchLevel no -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none - -# no default banner path -#Banner none # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server +MaxSessions 1000 diff --git a/roles/testnode/templates/ssh/sshd_config_redhat_6 b/roles/testnode/templates/ssh/sshd_config_redhat_6 new file mode 100755 index 00000000..80c907ed --- /dev/null +++ b/roles/testnode/templates/ssh/sshd_config_redhat_6 
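Review bot: `MaxSessions 1000` is appended to the end of sshd_config_centos_6 with no comment, and it is two orders of magnitude above the default of 10 that the removed `#MaxSessions 10` line used to document, so the next maintainer cannot tell whether the value is deliberate. A one-line comment above it would settle that, e.g. `# Test harnesses multiplex many sessions over one connection; the default of 10 is too low` — presumably the reason, adjust if not. Note that the default `MaxStartups 10:30:100` still bounds unauthenticated connections, so this is an operational rather than an authentication limit, which is worth saying in the same comment. The same undocumented line is added in the new sshd_config_redhat_6 and sshd_config_redhat_7 templates.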
@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+Protocol 2
+
+SyslogFacility AUTHPRIV
+PasswordAuthentication yes
+
+ChallengeResponseAuthentication no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+X11Forwarding yes
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+MaxSessions 1000
diff --git a/roles/testnode/templates/ssh/sshd_config_redhat_7 b/roles/testnode/templates/ssh/sshd_config_redhat_7
new file mode 100755
index 00000000..087d4c75
--- /dev/null
+++ b/roles/testnode/templates/ssh/sshd_config_redhat_7
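Review bot: sshd_config_redhat_6 appears to carry exactly the directives that sshd_config_centos_6 now has, and the two are selected only because `ansible_distribution | lower` differs between the hosts; keeping two copies invites drift the next time one of them is edited. If they are meant to stay identical, one template per major release keyed on the OS family would cover both, with the ssh.yml line becoming `src: "ssh/sshd_config_{{ ansible_os_family | lower }}_{{ ansible_distribution_major_version }}"`. Whether the two files differ in whitespace is not visible here, since the centos_6 change is shown as a diff rather than in full, so confirm before merging them.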
@@ -0,0 +1,38 @@
+# {{ ansible_managed }}
+# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+SyslogFacility AUTHPRIV
+
+AuthorizedKeysFile .ssh/authorized_keys
+
+PasswordAuthentication yes
+
+ChallengeResponseAuthentication no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+
+UsePAM yes
+
+X11Forwarding yes
+UsePrivilegeSeparation sandbox # Default for new installations.
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+MaxSessions 1000
diff --git a/roles/testnode/templates/ssh/sshd_config_rhel_6.4 b/roles/testnode/templates/ssh/sshd_config_rhel_6.4
deleted file mode 100755
index 80c907ed..00000000
--- a/roles/testnode/templates/ssh/sshd_config_rhel_6.4
+++ /dev/null
@@ -1,33 +0,0 @@
-# {{ ansible_managed }}
-# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
-
-Protocol 2
-
-SyslogFacility AUTHPRIV
-PasswordAuthentication yes
-
-ChallengeResponseAuthentication no
-
-# GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes
-
-UsePAM yes
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-
-X11Forwarding yes
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/openssh/sftp-server
-
-MaxSessions 1000
diff --git a/roles/testnode/templates/ssh/sshd_config_rhel_6.5 b/roles/testnode/templates/ssh/sshd_config_rhel_6.5
deleted file mode 100755
index c4a0b70e..00000000
--- a/roles/testnode/templates/ssh/sshd_config_rhel_6.5
+++ /dev/null
@@ -1,31 +0,0 @@
-# {{ ansible_managed }}
-# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-Protocol 2
-
-SyslogFacility AUTHPRIV
-
-PasswordAuthentication yes
-
-ChallengeResponseAuthentication no
-
-# GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes
-
-UsePAM yes
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-
-X11Forwarding yes
-
-Subsystem sftp /usr/libexec/openssh/sftp-server
-
-MaxSessions 1000
diff --git a/roles/testnode/templates/ssh/sshd_config_rhel_7.0 b/roles/testnode/templates/ssh/sshd_config_rhel_7.0
deleted file mode 100755
index 087d4c75..00000000
--- a/roles/testnode/templates/ssh/sshd_config_rhel_7.0
+++ /dev/null
@@ -1,38 +0,0 @@
-# {{ ansible_managed }}
-# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
-
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-
-SyslogFacility AUTHPRIV
-
-AuthorizedKeysFile .ssh/authorized_keys
-
-PasswordAuthentication yes
-
-ChallengeResponseAuthentication no
-
-# GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes
-
-UsePAM yes
-
-X11Forwarding yes
-UsePrivilegeSeparation sandbox # Default for new installations.
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/openssh/sftp-server
-
-MaxSessions 1000