Ansible Sshd Versions Save

Ansible role to configure the OpenSSH server daemon

v0.23.5

3 weeks ago

[v0.23.5] - 2024-04-09

Other Changes

  • test: ensure that sshd2 is completely stopped and removed

v0.23.4

1 month ago

[v0.23.4] - 2024-04-05

Bug Fixes

  • fix: Document and streamline the sshd_main_config_file (#281)

v0.23.3

1 month ago

[v0.23.3] - 2024-04-03

Other Changes

  • build(deps): bump ansible/ansible-lint from 6 to 24 (#279)

v0.23.2

2 months ago

[v0.23.2] - 2024-02-19

Bug Fixes

  • fix: Fix service files generated on EL7 and workaround the tests for containers (#276)

Other Changes

  • docs: Fix spelling issues + fix reported issues (#274)
  • build(deps): bump actions/checkout from 3 to 4 (#275)
  • README.md typo in config word (#277)

v0.23.1

3 months ago

[v0.23.1] - 2024-01-25

Bug Fixes

  • fix: Review and update service units and socket unit to include distribution defaults

Other Changes

  • ci: fix ansible-lint 2.16 issues; use ansible-lint 2.16

v0.23.0

5 months ago

[v0.23.0] - 2023-11-29

New Features

  • feat: support for ostree systems (#270)

Bug Fixes

  • fix: Avoid creation of runtime directories in home (#265)

Other Changes

  • tests: Ensure backup/restore preserves file attributes (#269)

v0.22.0

6 months ago

[v0.22.0] - 2023-10-18

Bug Fixes

  • fix: Symlink sub-directories under tests/roles/ansible-sshd to avoid recursive loop (#262)

Enhancement: Moved symlinking a level down in test/roles to avoid a recursive look via the test directory.

Reason: Ansible Core >= 2.15.5 does not allow recursive directory trees.

Result: CI should still run correctly, the problem with the recursive symlinks with Ansible Core 2.15.5 should be fixed.

Issue Tracker Tickets (Jira or BZ if any): #259 #260 #261

v0.21.0

7 months ago

[v0.21.0] - 2023-09-12

New Features

  • feat: manage ssh certificates (#252)

Enhancement:

  • Deploy User CA on the system
  • Configure principals (optional)

Reason: This allows you to configure and manage the SSH server to authenticate via certificates. Improves SSH authentication security: certificates have a validity period, unlike SSH keys.

More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.

Result: All tests passed. The related documentation is available and an example can be found in examples/example-use-certificates.yml.

Issue Tracker Tickets (Jira or BZ if any): -

Bug Fixes

  • fix: Support inject_facts_as_vars = false (#244)

Enhancement:

Support inject_facts_as_vars = false in ansible.cfg.

The setting is considered safer because a compromised host cannot inject facts into variables.

Reason:

Minor security enhancement.

This setting is also recommended in some tuning guides like https://docs.openstack.org/kolla-ansible/wallaby/user/ansible-tuning.html#fact-variable-injection and issue mitigation guides: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#when-is-it-unsafe-to-bulk-set-task-arguments-from-a-variable

ansible_facts are used only with one name. Previously for example ansible_facts['os_family'] was also used as ansible_os_family. This helps maintainability.

Result:

Support inject_facts_as_vars = false. If setting is true, situation still works as expected.

Also drop ansible prefix from local variables to avoid possible conflicts in namespace and avoid possible confusion.

Issue Tracker Tickets (Jira or BZ if any): -

  • fix: Makes runtime dir relative (#249)

Enhancement: Makes systemd RuntimeDirectory service file directive relative (sshd instead of /run/sshd).

Reason: The docs say it has to be relative.

Result: The following error is gone from the journal:

/etc/systemd/system/backdoor-ssh.service:14: RuntimeDirectory= path is not valid, ignoring assignment: /run/custom-ssh

Waiting for the tests.

Issue Tracker Tickets (Jira or BZ if any): none

Other Changes

  • chore: fix markdown for heading in CHANGELOG (#242)

chore: add missing h2 heading for the 0.19.0 release

There was no markdown h2 heading for the 0.19.0 release which broke the changelog parser in the collection release, causing the changelog to look like https://github.com/linux-system-roles/auto-maintenance/commit/0eade02032c55ffc008240ce44cfbee25276b51c#diff-ddbe2c1474f5ea331aef8eedcd595299f771578e4416a5f112ae69ed5a934bc0R4 Add the correct markdown

Signed-off-by: Rich Megginson [email protected]

  • chore: drop support of Fedora 31, EOL 2020-11-24 (#243)

Enhancement:

Reason:

Fedora 31 is EOL.

Result:

Drop explicit support of EOL distro version. Less code to maintain.

  • ci: Add markdownlint, test_converting_readme, and build_docs workflows (#247)

Enhancement: Add markdownlint, test_converting_readme, and build_docs GitHub workflows

Reason:

  • markdownlint runs against markdown files to ensure correct syntax and avoid any issues with converting README.md to HTML
  • test_converting_readme converts README.md > HTML and uploads this test artifact to ensure that conversion works fine
  • build_docs converts README.md > HTML and pushes the result to the docs branch to publish dosc to GitHub pages site
  • Rename commitlint.yml workflow into pr-title-lint for clarity
  • ci: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly (#248)

Enhancement: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly

Reason: ansible-lint recently added a rule var-naming[no-role-prefix] that fails expectedly, this role generally uses sshd instead of ansible_sshd, and also vars from other roles e.g. firewall_.

Result: ansible-lint ignores this rule and passes.

  • build(deps): bump actions/checkout from 3 to 4 (#254)

Bumps actions/checkout from 3 to 4.

v0.20.0

10 months ago

[v0.20.0] - 2023-06-19

New Features

  • feat: debian 12 support and small config fixes for debian (#238)

This PR adds Debian 12 (aka bookworm) support to the role. The workflow fails at the moment because there is no roles-ansible/check-ansible-debian-bookworm-action repo yet. As soon as @DO1JLR has created the repo it should pass all checks.

Furthermore i fixed some small oversights in older debian defaults.

  • feat: Fix alpine tests by adding a new configuration options (#240)

Other Changes

  • proper Subsystem sftp default for RHEL9 (#220)

Basically the same as for RHEL6/7/8

  • ci: Add pull request template and run commitlint on PR title only (#237)

We now ensure the conventional commits format only on PR titles and not on commits to let developers keep commit messages targeted for other developers i.e. describe actual changes to code that users should not care about. And PR titles, on the contrary, must be aimed at end users.

For more info, see https://linux-system-roles.github.io/contribute.html#write-a-good-pr-title-and-description

  • chore: moved debian 7 (wheezy) config to explicit file (#239)

This removes the defaults/Debian.yml file and moves it to the defaults/Debian_7.yml file. This prohibits rolling out ancient config on new Debian-Systems which aren't supported by this role.

v0.19.0

1 year ago

[v0.19.0] - 2023-04-27

New Features

  • feat: add support for FreeBSD, OpenBSD

Bug Fixes

  • none

Other Changes

  • test: skip selinux or firewall role test where not supported
  • test: check generated files for ansible_managed, fingerprint
  • ci: Add commitlint GitHub action to ensure conventional commits
  • ci: Drop testing on Debian stretch (9)
  • ci: add dependabot check for github action updates
  • style: ansible-lint - align with current Ansible recommendations