Role - tripleo-sshd

Role Documentation

Welcome to the “tripleo_sshd” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “tripleo_sshd” role.

# All variables intended for modification should be placed in this file.

# All variables within this role should have a prefix of "tripleo_sshd"
# Mapping of sshd_config values

# Package state for ssh
tripleo_sshd_package_state: present

tripleo_sshd_motd_enabled: false
tripleo_sshd_message_of_the_day: ''
tripleo_sshd_banner_enabled: false
tripleo_sshd_banner_text: ''

# SSH configuration options
tripleo_sshd_password_authentication: no
tripleo_sshd_gssapi_authentication: no

tripleo_sshd_server_options:
  HostKey:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key
  SyslogFacility: AUTHPRIV
  AuthorizedKeysFile: .ssh/authorized_keys
  ChallengeResponseAuthentication: no
  GSSAPIAuthentication: '{{ tripleo_sshd_gssapi_authentication }}'
  GSSAPICleanupCredentials: no
  UsePAM: yes
  UseDNS: no
  X11Forwarding: yes
  AcceptEnv:
  - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  - LC_IDENTIFICATION LC_ALL LANGUAGE
  - XMODIFIERS
  Subsystem: sftp /usr/libexec/openssh/sftp-server

Role Variables: redhat.yml

tripleo_sshd_packages:
- openssh-server

Role Variables: main.yml

tripleo_sshd_banner_text: |
  ******************************************************************
  * This system is for the use of authorized users only. Usage of  *
  * this system may be monitored and recorded by system personnel. *
  * Anyone using this system expressly consents to such monitoring *
  * and is advised that if such monitoring reveals possible        *
  * evidence of criminal activity, system personnel may provide    *
  * the evidence from such monitoring to law enforcement officials.*
  ******************************************************************

tripleo_sshd_message_of_the_day: |
  ALERT! You are entering into a secured area!
  This service is restricted to authorized users only.

Molecule Scenarios

Molecule is being used to test the “tripleo_sshd” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: banners

Driver: podman
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example banners playbook
- name: Converge
  hosts: all
  roles:
  - name: tripleo_sshd
    tripleo_sshd_motd_enabled: true
    tripleo_sshd_banner_enabled: true

Scenario: gssapi

Driver: podman
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example gssapi playbook
- name: Converge
  hosts: all
  roles:
  - name: tripleo_sshd
    tripleo_sshd_gssapi_authentication: yes

Scenario: default

Driver: podman
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- name: Converge
  hosts: all
  roles:
  - name: tripleo_sshd