feat: New options in OpenSSH + fixes for bugx in OpenSSH 9.9p1 (#304)

* Add new options from OpenSSH 9.9p1 Signed-off-by: Jakub Jelen <[email protected]> * ci: Add CentOS10 Signed-off-by: Jakub Jelen <[email protected]> * tests: Use LogLevel option for testing to avoid OpenSSH 9.9 bug The OpenSSH 9.9p1 has a bug in parsing/printing the Compression option so lets use different option for testing. https://bugzilla.mindrot.org/show_bug.cgi?id=3759 Signed-off-by: Jakub Jelen <[email protected]> --------- Signed-off-by: Jakub Jelen <[email protected]>
willshersystems · Dec 17, 2024 · 426469d · 426469d
1 parent da3e33e
commit 426469d
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 8 deletions.
diff --git a/.github/workflows/ansible-centos-check.yml b/.github/workflows/ansible-centos-check.yml
@@ -74,3 +74,17 @@ jobs:
           hosts: localhost
           targets: "tests/tests_*.yml"
           requirements: tests/requirements.yml
+
+  centos-10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v4
+
+      - name: ansible check with centos 10
+        uses: roles-ansible/check-ansible-centos-centos10-action@main
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+          requirements: tests/requirements.yml
diff --git a/meta/options_body b/meta/options_body
@@ -96,6 +96,7 @@ PubkeyAuthOptions
 PubkeyAuthentication
 RSAAuthentication
 RSAMinSize
+RefuseConnection
 RekeyLimit
 RequiredRSASize
 RevokedKeys

diff --git a/meta/options_match b/meta/options_match
@@ -50,6 +50,7 @@ PubkeyAcceptedAlgorithms
 PubkeyAuthentication
 PubkeyAuthOptions
 RDomain
+RefuseConnection
 RekeyLimit
 RevokedKeys
 RequiredRSASize

diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
@@ -96,6 +96,7 @@ Match {{ match["Condition"] }}
 {{       render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
 {{       render_option("PubkeyAuthOptions",match["PubkeyAuthOptions"],true) -}}
 {{       render_option("RDomain",match["RDomain"],true) -}}
+{{       render_option("RefuseConnection",match["RefuseConnection"],true) -}}
 {{       render_option("RekeyLimit",match["RekeyLimit"],true) -}}
 {{       render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{       render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
@@ -221,6 +222,7 @@ Match {{ match["Condition"] }}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
+{{ body_option("RefuseConnection",sshd_RefuseConnection) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}

diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
@@ -94,6 +94,7 @@ Match {{ match["Condition"] }}
 {{       render_option("PubkeyAuthentication",match["PubkeyAuthentication"],true) -}}
 {{       render_option("PubkeyAuthOptions",match["PubkeyAuthOptions"],true) -}}
 {{       render_option("RDomain",match["RDomain"],true) -}}
+{{       render_option("RefuseConnection",match["RefuseConnection"],true) -}}
 {{       render_option("RekeyLimit",match["RekeyLimit"],true) -}}
 {{       render_option("RevokedKeys",match["RevokedKeys"],true) -}}
 {{       render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
@@ -219,6 +220,7 @@ Match {{ match["Condition"] }}
 {{ body_option("PubkeyAuthentication",sshd_PubkeyAuthentication) -}}
 {{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
 {{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
+{{ body_option("RefuseConnection",sshd_RefuseConnection) -}}
 {{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
 {{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
 {{ body_option("RevokedKeys",sshd_RevokedKeys) -}}

diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
@@ -37,7 +37,7 @@
           AcceptEnv: LANG
           Banner: /etc/issue
           Ciphers: aes256-ctr
-        sshd_Compression: false  # noqa var-naming
+        sshd_LogLevel: DEBUG1  # noqa var-naming
 
     - name: Configure second alternative sshd_config file
       ansible.builtin.include_role:
@@ -95,7 +95,7 @@
               - "'AcceptEnv LANG' in config.content | b64decode"
               - "'Banner /etc/issue' in config.content | b64decode"
               - "'Ciphers aes256-ctr' in config.content | b64decode"
-              - "'Compression no' in config.content | b64decode"
+              - "'LogLevel DEBUG1' in config.content | b64decode"
 
         - name: Check Fedora/RHEL9+ defaults are present in the first configuration file
           ansible.builtin.assert:
@@ -159,7 +159,7 @@
               - "'Ciphers aes128-ctr' in config2.content | b64decode"
               - "'HostKey' not in config2.content | b64decode"
               - "'MaxStartups 100' in config2.content | b64decode"
-              - "'Compression no' not in config2.content | b64decode"
+              - "'LogLevel DEBUG1' not in config2.content | b64decode"
 
         - name: Check content of the main configuration file
           ansible.builtin.assert:
@@ -169,7 +169,7 @@
               - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode"
               - "'PasswordAuthentication no' in config3.content | b64decode"
               - "'MaxStartups 100' not in config3.content | b64decode"
-              - "'Compression no' not in config3.content | b64decode"
+              - "'LogLevel DEBUG1' not in config3.content | b64decode"
 
         - name: Check the main configuration file contains some default values for RHEL 9
           ansible.builtin.assert:

diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
@@ -39,7 +39,7 @@
       AcceptEnv: LANG
       Banner: /etc/issue
       Ciphers: aes256-ctr
-    sshd_Compression: false  # noqa var-naming
+    sshd_LogLevel: DEBUG1  # noqa var-naming
 
 # Configure second alternative sshd_config file
 - name: Test first alternative role file
@@ -113,7 +113,7 @@
               - "'AcceptEnv LANG' in config.content | b64decode"
               - "'Banner /etc/issue' in config.content | b64decode"
               - "'Ciphers aes256-ctr' in config.content | b64decode"
-              - "'Compression no' in config.content | b64decode"
+              - "'LogLevel DEBUG1' in config.content | b64decode"
 
         - name: Check Fedora/RHEL9+ defaults are present in the first configuration file
           ansible.builtin.assert:
@@ -177,7 +177,7 @@
               - "'Ciphers aes128-ctr' in config2.content | b64decode"
               - "'HostKey' not in config2.content | b64decode"
               - "'MaxStartups 100' in config2.content | b64decode"
-              - "'Compression no' not in config2.content | b64decode"
+              - "'LogLevel DEBUG1' not in config2.content | b64decode"
 
         - name: Check content of the main configuration file
           ansible.builtin.assert:
@@ -187,7 +187,7 @@
               - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode"
               - "'PasswordAuthentication no' in config3.content | b64decode"
               - "'MaxStartups 100' not in config3.content | b64decode"
-              - "'Compression no' not in config3.content | b64decode"
+              - "'LogLevel DEBUG1' not in config3.content | b64decode"
 
         - name: Check the main configuration file contains some default values for RHEL 9
           ansible.builtin.assert: