Releases: willshersystems/ansible-sshd
Version v0.21.0
[v0.21.0] - 2023-09-12
New Features
- feat: manage ssh certificates (#252)
Enhancement:
- Deploy User CA on the system
- Configure principals (optional)
Reason:
This allows you to configure and manage the SSH server to authenticate via certificates.
Improves SSH authentication security: certificates have a validity period, unlike SSH keys.
More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.
Result:
All tests passed.
The related documentation is available and an example can be found in examples/example-use-certificates.yml.
Issue Tracker Tickets (Jira or BZ if any): -
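As an added example, not code from the ansible-sshd role or its examples/ directory, the following shell script shows what the certificate setup described in this entry looks like end to end: a user CA key pair (only the public half is deployed to servers, which is what the "Deploy User CA" feature does), a user key signed with named principals and a bounded validity window, the stock OpenSSH server directives the role ends up writing (TrustedUserCAKeys, AuthorizedPrincipalsFile), and a small emulation of the principals check so the effect of the principals file is visible without a running sshd. The CA name, the users alice and bob, the principal names and the paths under $WORK are assumptions made for the demo; it needs ssh-keygen on PATH.

```shell
#!/bin/sh
# Added example, not code from the ansible-sshd role: build a throwaway user CA,
# sign a user key with principals and a bounded validity window, and lay out the
# server-side files that certificate auth needs. All paths under $WORK and the
# identities (alice, bob, ops, admins) are assumptions made for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/etc/ssh/auth_principals" "$WORK/etc/ssh/sshd_config.d"

# 1. The User CA key pair. Only user_ca.pub is ever copied to the servers.
make_user_ca() {
  rm -f "$WORK/user_ca" "$WORK/user_ca.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$WORK/user_ca"
  printf '%s\n' "$WORK/user_ca.pub"
}

# 2. Sign a user's public key with the CA.
#    -I  certificate identity (appears in sshd's auth log line)
#    -n  comma-separated principals the holder may log in as
#    -V  validity window in ssh-keygen syntax, e.g. "+8h" = now until 8 hours from now
sign_user_key() {
  principals="$1"
  validity="$2"
  rm -f "$WORK/alice" "$WORK/alice.pub" "$WORK/alice-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice-2023' -n "$principals" -V "$validity" "$WORK/alice.pub"
  printf '%s\n' "$WORK/alice-cert.pub"
}

# Read the principal list out of `ssh-keygen -L`, comma-separated.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /Principals:/       { p = 1; next }
    /Critical Options:/ { p = 0 }
    p { sub(/^[ \t]+/, ""); out = out (out ? "," : "") $0 }
    END { print out }'
}

# True if the certificate has a bounded validity window ("Valid: from ... to ...")
# rather than "Valid: forever". A plain authorized_keys entry has no such window.
cert_has_validity_window() {
  ssh-keygen -L -f "$1" | grep -q 'Valid: from '
}

# 3. Server side: trust the CA and map each user to the principals they may use.
#    These are stock OpenSSH directives; the role generates them from its variables.
write_server_side() {
  cp "$WORK/user_ca.pub" "$WORK/etc/ssh/user_ca.pub"
  printf 'ops\n'    > "$WORK/etc/ssh/auth_principals/alice"
  printf 'admins\n' > "$WORK/etc/ssh/auth_principals/bob"
  cat > "$WORK/etc/ssh/sshd_config.d/50-user-ca.conf" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
  printf '%s\n' "$WORK/etc/ssh/sshd_config.d/50-user-ca.conf"
}

# Emulates the AuthorizedPrincipalsFile check (an illustration, not sshd's code):
# login as user $2 with certificate $1 succeeds only if some certificate principal
# is listed, as a whole line, in that user's principals file.
principal_authorized() {
  file="$WORK/etc/ssh/auth_principals/$2"
  [ -s "$file" ] || return 1
  cert_principals "$1" | tr ',' '\n' | grep -qxF -f "$file"
}

# Walk-through (skipped, with a note, when ssh-keygen is not installed).
if command -v ssh-keygen >/dev/null 2>&1; then
  ca=$(make_user_ca)
  cert=$(sign_user_key 'ops,alice' '+8h')
  conf=$(write_server_side)
  printf 'CA public key: %s\nuser certificate: %s\nsshd drop-in: %s\n' "$ca" "$cert" "$conf"
  ssh-keygen -L -f "$cert"
  if principal_authorized "$cert" alice; then echo "alice: allowed (principal 'ops' is in her file)"; fi
  if ! principal_authorized "$cert" bob; then echo "bob: denied (no certificate principal in his file)"; fi
else
  echo "ssh-keygen not found; nothing generated" >&2
fi
```

The point the entry makes is visible in the `ssh-keygen -L` output: the certificate carries a "Valid: from ... to ..." line and a principal list, neither of which a bare public key in authorized_keys has, so an expired or mis-scoped certificate is refused by sshd without anyone having to touch the servers. Note that the principals file is matched per whole line; a user whose file lists only `admins` is not let in by a certificate issued for `ops`.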
Bug Fixes
- fix: Support inject_facts_as_vars = false (#244)
Enhancement:
Support inject_facts_as_vars = false in ansible.cfg.
The setting is considered safer because a compromised host cannot inject facts into variables.
Reason:
Minor security enhancement.
This setting is also recommended in some tuning guides like
https://docs.openstack.org/kolla-ansible/wallaby/user/ansible-tuning.html#fact-variable-injection
and issue mitigation guides:
https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#when-is-it-unsafe-to-bulk-set-task-arguments-from-a-variable
ansible_facts are used only with one name. Previously, for example, ansible_facts['os_family'] was also used as ansible_os_family. This helps maintainability.
Result:
Support inject_facts_as_vars = false. If the setting is true, the situation still works as expected.
Also drop the ansible prefix from local variables to avoid possible conflicts in the namespace and avoid possible confusion.
Issue Tracker Tickets (Jira or BZ if any): -
- fix: Makes runtime dir relative (#249)
Enhancement:
Makes the systemd RuntimeDirectory service file directive relative (sshd instead of /run/sshd).
Reason:
The docs say it has to be relative.
Result:
The following error is gone from the journal:
/etc/systemd/system/backdoor-ssh.service:14: RuntimeDirectory= path is not valid, ignoring assignment: /run/custom-ssh
Waiting for the tests.
Issue Tracker Tickets (Jira or BZ if any): none
Other Changes
- chore: fix markdown for heading in CHANGELOG (#242)
chore: add missing h2 heading for the 0.19.0 release
There was no markdown h2 heading for the 0.19.0 release which
broke the changelog parser in the collection release, causing
the changelog to look like
linux-system-roles/auto-maintenance@0eade02#diff-ddbe2c1474f5ea331aef8eedcd595299f771578e4416a5f112ae69ed5a934bc0R4
Add the correct markdown
Signed-off-by: Rich Megginson [email protected]
- chore: drop support of Fedora 31, EOL 2020-11-24 (#243)
Enhancement:
Reason:
Fedora 31 is EOL.
Result:
Drop explicit support of EOL distro version. Less code to maintain.
- ci: Add markdownlint, test_converting_readme, and build_docs workflows (#247)
Enhancement: Add markdownlint, test_converting_readme, and build_docs GitHub workflows
Reason:
- markdownlint runs against markdown files to ensure correct syntax and avoid any issues with converting README.md to HTML
- test_converting_readme converts README.md > HTML and uploads this test artifact to ensure that conversion works fine
- build_docs converts README.md > HTML and pushes the result to the docs branch to publish docs to the GitHub pages site
- Rename commitlint.yml workflow into pr-title-lint for clarity
- ci: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly (#248)
Enhancement: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly
Reason: ansible-lint recently added a rule var-naming[no-role-prefix] that fails expectedly; this role generally uses sshd instead of ansible_sshd, and also vars from other roles, e.g. firewall_.
Result: ansible-lint ignores this rule and passes.
- build(deps): bump actions/checkout from 3 to 4 (#254)
Bumps actions/checkout from 3 to 4.
Version v0.20.0
[v0.20.0] - 2023-06-19
New Features
- feat: debian 12 support and small config fixes for debian (#238)
This PR adds Debian 12 (aka bookworm) support to the role.
The workflow fails at the moment because there is no roles-ansible/check-ansible-debian-bookworm-action repo yet. As soon as @DO1JLR has created the repo it should pass all checks.
Furthermore, I fixed some small oversights in older Debian defaults.
- feat: Fix alpine tests by adding new configuration options (#240)
Other Changes
- proper Subsystem sftp default for RHEL9 (#220)
Basically the same as for RHEL6/7/8
- ci: Add pull request template and run commitlint on PR title only (#237)
We now ensure the conventional commits format only on PR titles and not on
commits to let developers keep commit messages targeted for other developers
i.e. describe actual changes to code that users should not care about.
And PR titles, on the contrary, must be aimed at end users.
For more info, see
https://linux-system-roles.github.io/contribute.html#write-a-good-pr-title-and-description
- chore: moved debian 7 (wheezy) config to explicit file (#239)
This removes the defaults/Debian.yml file and moves it to the defaults/Debian_7.yml file. This prohibits rolling out ancient config on new Debian systems which aren't supported by this role.
Version v0.19.0
[v0.19.0] - 2023-04-27
New Features
- feat: add support for FreeBSD, OpenBSD
Bug Fixes
- none
Other Changes
- test: skip selinux or firewall role test where not supported
- test: check generated files for ansible_managed, fingerprint
- ci: Add commitlint GitHub action to ensure conventional commits
- ci: Drop testing on Debian stretch (9)
- ci: add dependabot check for github action updates
- style: ansible-lint - align with current Ansible recommendations
Version v0.18.2
[v0.18.2] - 2023-04-06
New Features
- none
Bug Fixes
- Fedora 38 no longer has non-standard hostkey permissions
Other Changes
- Fingerprint ansible-sshd managed config files
Version v0.18.1
[v0.18.1] - 2023-01-17
New Features
- Add support for Alpine OS (#212)
- Add support for managing selinux and firewall on RHEL-based systems (#211)
Bug Fixes
- Update tests to not use configuration options available in system defaults (#213)
- Improve manual pages processing in tests to accommodate Alpine's busybox man (#213)
Other Changes
- Add a Github action to check for non-inclusive language (#215)
Version v0.18.0
[v0.18.0] - 2022-09-27
New Features
- Adding support for OpenWrt 21.03
- Add final version of RequiredRSASize
  Keep the old version for backward compatibility
  Upstream commit: openssh/openssh-portable@1875042c
Bug Fixes
- Update source template to match generated files
Other Changes
- Remove legacy files
- Update pre-commit plugins to latest
- Linting fixes
- keep v prefix in version/tag
  Keep the v prefix in the version/tag
v0.17.0
New Features
- Make drop-in config file functionality configurable by user
This PR simplifies the logic behind the drop-in config files and also
allows the user to use drop-in configs even if the distribution does not
support it out of the box.
Bug Fixes
- Allow user to override variables
A previous commit hardcoded many variables to the values under vars/,
making it impossible for the user to parameterize things like the systemd
service name. The assumption was that the _sshd* variables were useless
in an effort to blindly adhere to best practices, but they were crucial in
allowing flexibility to the user.
Other Changes
- none
What's Changed
- Fix ansible-lint warnings and work-around false positive by @Jakuje in #198
- Version v0.16.1 - CHANGELOG.md [citest skip] by @richm in #195
- parse [vX.Y.Z] correctly from CHANGELOG.md by @richm in #201
- Fixes un-overrideable public api variables by @nkakouros in #199
- Makes drop-in functionality configurable by the user by @nkakouros in #200
- Version v0.17.0 - CHANGELOG.md [citest skip] by @richm in #202
Full Changelog: v0.16.1...v0.17.0
v0.16.1
- add parameter RSAMinSize
  Add support for the new RSAMinSize parameter.
- Ensure values are cast to correct type
- Additional notes about secondary variables
- Fix various linting issues
- Revert incorrect module name
- tests: Do not be picky about spaces/tabs
  When testing with cloud-init, it modifies the sshd_configuration and can
  replace some tabs with whitespaces. This happens frequently around the
  subsystem keyword. There are no functional changes, but the matching
  did not work as expected.
- the role still supports ansible 2.9
- Add CHANGELOG.md
- Add changelog_to_tag.yml to .github/workflows
  Description:
  When a new changelog section is added to CHANGELOG.md and pushed,
  changelog_to_tag.yml is triggered, which generates a new tag and
  a new release.
v0.15.1
What's Changed
Full Changelog: v0.15.0...v0.15.1
v0.15.0
What's Changed
- README: fix meta/make_option_lists link by @ColdPain in #172
- Make the role FIPS-aware by @Jakuje in #173
- Fix runtime directory check condition by @Jakuje in #175
- Unbreak FIPS detection and stabilize failing tests and GH actions by @Jakuje in #179
- Make sure Include is in the main configuration file when drop-in directory is used by @Jakuje in #178
New Contributors
Full Changelog: v0.14.1...v0.15.0