Skip to content

Releases: willshersystems/ansible-sshd

Version v0.21.0

13 Sep 13:42
9a3aa1a
Compare
Choose a tag to compare

[v0.21.0] - 2023-09-12

New Features

  • feat: manage ssh certificates (#252)

Enhancement:

  • Deploy User CA on the system
  • Configure principals (optional)

Reason:
This allows you to configure and manage the SSH server to authenticate via certificates.
Improves SSH authentication security: certificates have a validity period, unlike SSH keys.

More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.

Result:
All tests passed.
The related documentation is available and an example can be found in examples/example-use-certificates.yml.

Issue Tracker Tickets (Jira or BZ if any): -

Bug Fixes

  • fix: Support inject_facts_as_vars = false (#244)

Enhancement:

Support inject_facts_as_vars = false in ansible.cfg.

The setting is considered safer because a compromised host cannot inject facts into variables.

Reason:

Minor security enhancement.

This setting is also recommended in some tuning guides like
https://docs.openstack.org/kolla-ansible/wallaby/user/ansible-tuning.html#fact-variable-injection
and issue mitigation guides:
https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#when-is-it-unsafe-to-bulk-set-task-arguments-from-a-variable

ansible_facts are used only with one name. Previously for example ansible_facts['os_family'] was also used as ansible_os_family. This helps maintainability.

Result:

Support inject_facts_as_vars = false. If setting is true, situation still works as expected.

Also drop ansible prefix from local variables to avoid possible conflicts in namespace and avoid possible confusion.

Issue Tracker Tickets (Jira or BZ if any): -

  • fix: Makes runtime dir relative (#249)

Enhancement:
Makes systemd RuntimeDirectory service file directive relative (sshd instead of /run/sshd).

Reason:
The docs say it has to be relative.

Result:
The following error is gone from the journal:

/etc/systemd/system/backdoor-ssh.service:14: RuntimeDirectory= path is not valid, ignoring assignment: /run/custom-ssh

Waiting for the tests.

Issue Tracker Tickets (Jira or BZ if any): none

Other Changes

  • chore: fix markdown for heading in CHANGELOG (#242)

chore: add missing h2 heading for the 0.19.0 release

There was no markdown h2 heading for the 0.19.0 release which
broke the changelog parser in the collection release, causing
the changelog to look like
linux-system-roles/auto-maintenance@0eade02#diff-ddbe2c1474f5ea331aef8eedcd595299f771578e4416a5f112ae69ed5a934bc0R4
Add the correct markdown

Signed-off-by: Rich Megginson [email protected]

  • chore: drop support of Fedora 31, EOL 2020-11-24 (#243)

Enhancement:

Reason:

Fedora 31 is EOL.

Result:

Drop explicit support of EOL distro version. Less code to maintain.

  • ci: Add markdownlint, test_converting_readme, and build_docs workflows (#247)

Enhancement: Add markdownlint, test_converting_readme, and build_docs GitHub workflows

Reason:

  • markdownlint runs against markdown files to ensure correct syntax and avoid any issues with converting README.md to HTML
  • test_converting_readme converts README.md > HTML and uploads this test artifact to ensure that conversion works fine
  • build_docs converts README.md > HTML and pushes the result to the docs branch to publish dosc to GitHub pages site
  • Rename commitlint.yml workflow into pr-title-lint for clarity
  • ci: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly (#248)

Enhancement: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly

Reason: ansible-lint recently added a rule var-naming[no-role-prefix] that fails expectedly, this role generally uses sshd instead of ansible_sshd, and also vars from other roles e.g. firewall_.

Result: ansible-lint ignores this rule and passes.

  • build(deps): bump actions/checkout from 3 to 4 (#254)

Bumps actions/checkout from 3 to 4.

Version v0.20.0

19 Jun 15:23
7203f77
Compare
Choose a tag to compare

[v0.20.0] - 2023-06-19

New Features

  • feat: debian 12 support and small config fixes for debian (#238)

This PR adds Debian 12 (aka bookworm) support to the role.
The workflow fails at the moment because there is no roles-ansible/check-ansible-debian-bookworm-action repo yet. As soon as @DO1JLR has created the repo it should pass all checks.

Furthermore i fixed some small oversights in older debian defaults.

  • feat: Fix alpine tests by adding a new configuration options (#240)

Other Changes

  • proper Subsystem sftp default for RHEL9 (#220)

Basically the same as for RHEL6/7/8

  • ci: Add pull request template and run commitlint on PR title only (#237)

We now ensure the conventional commits format only on PR titles and not on
commits to let developers keep commit messages targeted for other developers
i.e. describe actual changes to code that users should not care about.
And PR titles, on the contrary, must be aimed at end users.

For more info, see
https://linux-system-roles.github.io/contribute.html#write-a-good-pr-title-and-description

  • chore: moved debian 7 (wheezy) config to explicit file (#239)

This removes the defaults/Debian.yml file and moves it to the defaults/Debian_7.yml file. This prohibits rolling out ancient config on new Debian-Systems which aren't supported by this role.

Version v0.19.0

28 Apr 13:49
9a6ad4e
Compare
Choose a tag to compare

[v0.19.0] - 2023-04-27

New Features

  • feat: add support for FreeBSD, OpenBSD

Bug Fixes

  • none

Other Changes

  • test: skip selinux or firewall role test where not supported
  • test: check generated files for ansible_managed, fingerprint
  • ci: Add commitlint GitHub action to ensure conventional commits
  • ci: Drop testing on Debian stretch (9)
  • ci: add dependabot check for github action updates
  • style: ansible-lint - align with current Ansible recommendations

Version v0.18.2

07 Apr 09:00
11eb759
Compare
Choose a tag to compare

[v0.18.2] - 2023-04-06

New Features

  • none

Bug Fixes

  • Fedora 38 has no longer non-standard hostkey permissions

Other Changes

  • Fingerprint ansible-sshd managed config files

Version v0.18.1

18 Jan 12:22
Compare
Choose a tag to compare

[v0.18.1] - 2023-01-17

New Features

  • Add support for Alpine OS (#212)
  • Add support for managing selinux and firewall on RHEL-based systems (#211)

Bug Fixes

  • Update tests to not use configuration options available in system defaults (#213)
  • Improve manual pages processing in tests to accommodate Alpine's busybox man (#213)

Other Changes

  • Add a Github action to check for non-inclusive language (#215)

Version v0.18.0

10 Oct 06:23
43aac1b
Compare
Choose a tag to compare

[v0.18.0] - 2022-09-27

New Features

  • Adding support for OpenWrt 21.03

  • Add final version of RequiredRSASize

Keep the old version for backward compatibility

Upstream commit:
openssh/openssh-portable@1875042c

Bug Fixes

  • Update source template to match generated files

Other Changes

  • Remove legacy files

  • Update pre-commit plugins to latest

  • Linting fixes

  • keep v prefix in version/tag

Keep the v prefix in the version/tag

v0.17.0

07 Sep 07:31
e5df814
Compare
Choose a tag to compare

New Features

  • Make drop-in config file functionality configurable by user

This PR simplifies the logic behind the drop-in config files and also
allows the user to use drop-in configs even if the distribution does not
support it out of the box.

Bug Fixes

  • Allow user to override variables

A previous commit hardcoded many variables to the values under vars/,
making it impossible for the user to parameterize things like the systemd
service name. The assumption was that the _sshd* variables were useless
in an effort to blindly adhere to best practices, but they were crucial in
allowing flexibility to the user.

Other Changes

  • none

What's Changed

  • Fix ansible-lint warnings and work-around false positive by @Jakuje in #198
  • Version v0.16.1 - CHANGELOG.md [citest skip] by @richm in #195
  • parse [vX.Y.Z] correctly from CHANGELOG.md by @richm in #201
  • Fixes un-overrideable public api variables by @nkakouros in #199
  • Makes drop-in functionality configurable by the user by @nkakouros in #200
  • Version v0.17.0 - CHANGELOG.md [citest skip] by @richm in #202

Full Changelog: v0.16.1...v0.17.0

v0.16.1

07 Sep 07:46
Compare
Choose a tag to compare
  • add parameter RSAMinSize

Add support for the new RSAMinSize parameter.

  • Ensure values are cast to correct type

  • Addition notes about secondary variables

  • Fix various linting issues

  • Revert incorrect module name

  • tests: Do not be picky about spaces/tabs

When testing with cloud-init, it modifies the sshd_configuration and can
replace some tabs with whitespaces. This happens frequently around the
subsystem keyword. There are no functional changes, but the matching
did not work as expected.

  • the role still supports ansible 2.9

  • Add CHANGELOG.md

  • Add changelog_to_tag.yml to .github/workflows

Description:
When a new changelog section is added to CHANGELOG.md and pushed,
changelog_to_tag.yml is triggered, which generates a new tag and
a new release.

v0.15.1

02 Jun 11:27
0f7b222
Compare
Choose a tag to compare

What's Changed

  • Remove kvm from virtualization platforms by @Jakuje in #187

Full Changelog: v0.15.0...v0.15.1

v0.15.0

12 May 07:21
Compare
Choose a tag to compare

What's Changed

  • README: fix meta/make_option_lists link by @ColdPain in #172
  • Make the role FIPS-aware by @Jakuje in #173
  • Fix runtime directory check condition by @Jakuje in #175
  • Unbreak FIPS detection and stabilize failing tests and GH actions by @Jakuje in #179
  • Make sure Include is in the main configuration file when drop-in directory is used by @Jakuje in #178

New Contributors

Full Changelog: v0.14.1...v0.15.0