Changeset - 7282cffb132f
Parent rev.
Child rev.
[Not reviewed]
1 6 2
Branko Majic (branko) - 6 years ago 2018-08-19 11:41:26
branko@majic.rs
MAR-132: Added support for Debian 9 (Stretch) to backup_server role:

- Deploy slightly different sshd_config file for Stretch (DSA key
unused).
- Updated Molecule tests to cover testing on Debian 9.
- Updated role reference documentation.
8 files changed with 130 insertions and 3 deletions:
docs/rolereference.rst
1
roles/backup_server/files/backup-sshd_config-jessie
rename
roles/backup_server/files/backup-sshd_config-stretch
81
roles/backup_server/molecule/default/molecule.yml
24
roles/backup_server/molecule/default/tests/data/ssh/known_hosts
11
roles/backup_server/molecule/default/tests/test_default.py
4
1
roles/backup_server/molecule/default/tests/test_parameters_optional.py
8
1
roles/backup_server/tasks/main.yml
1
1
0 comments (0 inline, 0 general)
docs/rolereference.rst
Show inline comments
 
@@ -2132,6 +2132,7 @@ Distribution compatibility
 
Role is compatible with the following distributions:
 

			




	
	
	
		
 
- Debian 8 (Jessie)

			




	
	
	
		
 
- Debian 9 (Stretch)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
Examples

			




        

    


    
    

    

        

                

                    roles/backup_server/files/backup-sshd_config-jessie
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
file renamed from roles/backup_server/files/backup-sshd_config to roles/backup_server/files/backup-sshd_config-jessie

			




        

    


    
    

    

        

                

                    roles/backup_server/files/backup-sshd_config-stretch
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
new file 100644

			




	
	
	
		
 
# Listen on separate port for backup purposes.

			




	
	
	
		
 
Port 2222

			




	
	
	
		
 

			




	
	
	
		
 
# Use the SSH protocol version 2 (which is safer).

			




	
	
	
		
 
Protocol 2

			




	
	
	
		
 

			




	
	
	
		
 
# Define dedicated host keys for backup SSH server.

			




	
	
	
		
 
HostKey /etc/ssh-backup/ssh_host_rsa_key

			




	
	
	
		
 
HostKey /etc/ssh-backup/ssh_host_ecdsa_key

			




	
	
	
		
 
HostKey /etc/ssh-backup/ssh_host_ed25519_key

			




	
	
	
		
 

			




	
	
	
		
 
# Use privilege separation for increased security.

			




	
	
	
		
 
UsePrivilegeSeparation yes

			




	
	
	
		
 

			




	
	
	
		
 
# Configure logging.

			




	
	
	
		
 
SyslogFacility AUTH

			




	
	
	
		
 
LogLevel INFO

			




	
	
	
		
 

			




	
	
	
		
 
# Users logging-in have 10 seconds to login upon established connection.

			




	
	
	
		
 
LoginGraceTime 10

			




	
	
	
		
 

			




	
	
	
		
 
# Don't allow root accounts logins.

			




	
	
	
		
 
PermitRootLogin no

			




	
	
	
		
 

			




	
	
	
		
 
# Enforce strict checking of home directory mode. However, this is not used for

			




	
	
	
		
 
# the chroots (chroots must check mode).

			




	
	
	
		
 
StrictModes yes

			




	
	
	
		
 

			




	
	
	
		
 
# Allow public key authentication.

			




	
	
	
		
 
PubkeyAuthentication yes

			




	
	
	
		
 

			




	
	
	
		
 
# Don't read the user's ~/.rhosts and ~/.shosts files for eventual

			




	
	
	
		
 
# RhostsRSAAuthentication or HostbasedAuthentication.

			




	
	
	
		
 
IgnoreRhosts yes

			




	
	
	
		
 

			




	
	
	
		
 
# Disable host-based authentication.

			




	
	
	
		
 
HostbasedAuthentication no

			




	
	
	
		
 

			




	
	
	
		
 
# Do not allow logins with empty passwords.

			




	
	
	
		
 
PermitEmptyPasswords no

			




	
	
	
		
 

			




	
	
	
		
 
# Don't allow challenge-response authentication.

			




	
	
	
		
 
ChallengeResponseAuthentication no

			




	
	
	
		
 

			




	
	
	
		
 
# Disable password-based authentication.

			




	
	
	
		
 
PasswordAuthentication no

			




	
	
	
		
 

			




	
	
	
		
 
# Disable X11 forwarding.

			




	
	
	
		
 
X11Forwarding no

			




	
	
	
		
 

			




	
	
	
		
 
# Do not print motd to avoid eventual issues for clients.

			




	
	
	
		
 
PrintMotd no

			




	
	
	
		
 

			




	
	
	
		
 
# Do not print the date and time of the last user login.

			




	
	
	
		
 
PrintLastLog no

			




	
	
	
		
 

			




	
	
	
		
 
# Use TPC keepalives for detecting dead connections.

			




	
	
	
		
 
TCPKeepAlive yes

			




	
	
	
		
 

			




	
	
	
		
 
# Use the internal SFTP so we can also easily utilise chroot.

			




	
	
	
		
 
Subsystem sftp internal-sftp

			




	
	
	
		
 

			




	
	
	
		
 
# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be

			




	
	
	
		
 
# used just for session stuff.

			




	
	
	
		
 
UsePAM yes

			




	
	
	
		
 

			




	
	
	
		
 
# Specify a dedicated PID file for the backup SSH.

			




	
	
	
		
 
PidFile /var/run/sshd-backup.pid

			




	
	
	
		
 

			




	
	
	
		
 
# Users logging-in are forced to use the SFTP server.

			




	
	
	
		
 
ForceCommand internal-sftp

			




	
	
	
		
 

			




	
	
	
		
 
# Chroot logged-in users to their home directories.

			




	
	
	
		
 
ChrootDirectory %h

			




	
	
	
		
 

			




	
	
	
		
 
# Do not allow any TCP forwarding.

			




	
	
	
		
 
AllowTCPForwarding no

			




	
	
	
		
 

			




	
	
	
		
 
# Only allow the members of this group to log-in into this instance of OpenSSH

			




	
	
	
		
 
# server.

			




	
	
	
		
 
AllowGroups backup

			




	
	
		
 
\ No newline at end of file

			




        

    


    
    

    

        

                

                    roles/backup_server/molecule/default/molecule.yml
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -38,6 +38,30 @@ platforms:

			




	
	
	
		
 
        network_name: private_network

			




	
	
	
		
 
        type: static

			




	
	
	
		
 

			




	
	
	
		
 
  - name: parameters-mandatory-stretch64

			




	
	
	
		
 
    groups:

			




	
	
	
		
 
      - parameters-mandatory

			




	
	
	
		
 
    box: debian/contrib-stretch64

			




	
	
	
		
 
    memory: 256

			




	
	
	
		
 
    cpus: 1

			




	
	
	
		
 
    interfaces:

			




	
	
	
		
 
      - auto_config: true

			




	
	
	
		
 
        ip: 10.31.127.20

			




	
	
	
		
 
        network_name: private_network

			




	
	
	
		
 
        type: static

			




	
	
	
		
 

			




	
	
	
		
 
  - name: parameters-optional-stretch64

			




	
	
	
		
 
    groups:

			




	
	
	
		
 
      - parameters-optional

			




	
	
	
		
 
    box: debian/contrib-stretch64

			




	
	
	
		
 
    memory: 256

			




	
	
	
		
 
    cpus: 1

			




	
	
	
		
 
    interfaces:

			




	
	
	
		
 
      - auto_config: true

			




	
	
	
		
 
        ip: 10.31.127.21

			




	
	
	
		
 
        network_name: private_network

			




	
	
	
		
 
        type: static

			




	
	
	
		
 

			




	
	
	
		
 
provisioner:

			




	
	
	
		
 
  name: ansible

			




	
	
	
		
 
  config_options:

			




        

    


    
    

    

        

                

                    roles/backup_server/molecule/default/tests/data/ssh/known_hosts
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
	
		
 
# Jessie.

			




	
	
	
		
 
[10.31.127.10]:2222 ssh-dss AAAAB3NzaC1kc3MAAACBALf+gfHQnAMOR4N/IjCZlniejPcAkdB6/E8YwiG26aKeRo3x2Q2budFWqJMtbtfcz0++hVAO2LvYYk2uVMe2WoVwWSZGQA4fcGUrs5B4CHTpOl/lHuu3GixNshCz+8ueQDqs/NYp/BdUcU4yIxvUII6+3hB/bkRz8LpczYJKJqVlAAAAFQD6yuMkAdrYcViFtbTciGEytGtBvwAAAIBFUdmJVFPPQd8NynBAkk+eKMUQFR2CcYgD1w/BfT0UP85hL/mYX1Eaiy+U3ylN6g8+RNalQX0IymIYMisXSRPF1gElVpbuCF9VV49c03q/9LfRogV1tRpZeEz9JK5xbBviEnI+kKP8o1ivmIjAVln72lnKdH+t4njma5CBpG9zJQAAAIAYAG/Udg4i/2q8Iemqs5TuP48ge1CxQcyFw4vVl2zr85MPZ24rBf+ZPGy1CsEBpJqHQ5agftMYR9CRcxlqAP44JpIPcSq1NsL59HnXDsdCe/IJjO4JmL1HL+VIcWkXgj0MxGds8hck+HC5lX7jGAKjZBea8ksBZD/Ma2WvYKXpgg==

			




	
	
	
		
 
[10.31.127.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ

			




	
	
	
		
 
[10.31.127.10]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=

			




	
	
		
 
@@ -6,3 +7,13 @@

			




	
	
	
		
 
[10.31.127.11]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ

			




	
	
	
		
 
[10.31.127.11]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=

			




	
	
	
		
 
[10.31.127.11]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6

			




	
	
	
		
 

			




	
	
	
		
 
# Stretch

			




	
	
	
		
 
[10.31.127.20]:2222 ssh-dss AAAAB3NzaC1kc3MAAACBALf+gfHQnAMOR4N/IjCZlniejPcAkdB6/E8YwiG26aKeRo3x2Q2budFWqJMtbtfcz0++hVAO2LvYYk2uVMe2WoVwWSZGQA4fcGUrs5B4CHTpOl/lHuu3GixNshCz+8ueQDqs/NYp/BdUcU4yIxvUII6+3hB/bkRz8LpczYJKJqVlAAAAFQD6yuMkAdrYcViFtbTciGEytGtBvwAAAIBFUdmJVFPPQd8NynBAkk+eKMUQFR2CcYgD1w/BfT0UP85hL/mYX1Eaiy+U3ylN6g8+RNalQX0IymIYMisXSRPF1gElVpbuCF9VV49c03q/9LfRogV1tRpZeEz9JK5xbBviEnI+kKP8o1ivmIjAVln72lnKdH+t4njma5CBpG9zJQAAAIAYAG/Udg4i/2q8Iemqs5TuP48ge1CxQcyFw4vVl2zr85MPZ24rBf+ZPGy1CsEBpJqHQ5agftMYR9CRcxlqAP44JpIPcSq1NsL59HnXDsdCe/IJjO4JmL1HL+VIcWkXgj0MxGds8hck+HC5lX7jGAKjZBea8ksBZD/Ma2WvYKXpgg==

			




	
	
	
		
 
[10.31.127.20]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ

			




	
	
	
		
 
[10.31.127.20]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=

			




	
	
	
		
 
[10.31.127.20]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6

			




	
	
	
		
 
[10.31.127.21]:2222 ssh-dss AAAAB3NzaC1kc3MAAACBALf+gfHQnAMOR4N/IjCZlniejPcAkdB6/E8YwiG26aKeRo3x2Q2budFWqJMtbtfcz0++hVAO2LvYYk2uVMe2WoVwWSZGQA4fcGUrs5B4CHTpOl/lHuu3GixNshCz+8ueQDqs/NYp/BdUcU4yIxvUII6+3hB/bkRz8LpczYJKJqVlAAAAFQD6yuMkAdrYcViFtbTciGEytGtBvwAAAIBFUdmJVFPPQd8NynBAkk+eKMUQFR2CcYgD1w/BfT0UP85hL/mYX1Eaiy+U3ylN6g8+RNalQX0IymIYMisXSRPF1gElVpbuCF9VV49c03q/9LfRogV1tRpZeEz9JK5xbBviEnI+kKP8o1ivmIjAVln72lnKdH+t4njma5CBpG9zJQAAAIAYAG/Udg4i/2q8Iemqs5TuP48ge1CxQcyFw4vVl2zr85MPZ24rBf+ZPGy1CsEBpJqHQ5agftMYR9CRcxlqAP44JpIPcSq1NsL59HnXDsdCe/IJjO4JmL1HL+VIcWkXgj0MxGds8hck+HC5lX7jGAKjZBea8ksBZD/Ma2WvYKXpgg==

			




	
	
	
		
 
[10.31.127.21]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ

			




	
	
	
		
 
[10.31.127.21]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=

			




	
	
	
		
 
[10.31.127.21]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6

			




        

    


    
    

    

        

                

                    roles/backup_server/molecule/default/tests/test_default.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -80,6 +80,8 @@ def test_backup_ssh_server_configuration(host):

			




	
	
	
		
 

			




	
	
	
		
 
    with host.sudo():

			




	
	
	
		
 

			




	
	
	
		
 
        ansible_facts = host.ansible("setup")["ansible_facts"]

			




	
	
	
		
 

			




	
	
	
		
 
        config_file = host.file('/etc/ssh-backup/sshd_config')

			




	
	
	
		
 

			




	
	
	
		
 
        assert config_file.is_file

			




	
	
		
 
@@ -94,9 +96,10 @@ def test_backup_ssh_server_configuration(host):

			




	
	
	
		
 
        assert "PubkeyAuthentication yes" in config_file.content

			




	
	
	
		
 
        assert "PermitRootLogin no" in config_file.content

			




	
	
	
		
 
        assert "HostKey /etc/ssh-backup/ssh_host_rsa_key" in config_file.content

			




	
	
	
		
 
        assert "HostKey /etc/ssh-backup/ssh_host_dsa_key" in config_file.content

			




	
	
	
		
 
        assert "HostKey /etc/ssh-backup/ssh_host_ecdsa_key" in config_file.content

			




	
	
	
		
 
        assert "HostKey /etc/ssh-backup/ssh_host_ed25519_key" in config_file.content

			




	
	
	
		
 
        if ansible_facts['ansible_distribution_release'] == 'jessie':

			




	
	
	
		
 
            assert "HostKey /etc/ssh-backup/ssh_host_dsa_key" in config_file.content

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def test_backup_ssh_server_keys(host):

			




        

    


    
    

    

        

                

                    roles/backup_server/molecule/default/tests/test_parameters_optional.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -207,12 +207,19 @@ def test_backup_ssh_service_key_fingerprints(host):

			




	
	
	
		
 
    in use.

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    ansible_facts = host.ansible("setup")["ansible_facts"]

			




	
	
	
		
 

			




	
	
	
		
 
    if ansible_facts['ansible_distribution_release'] == 'jessie':

			




	
	
	
		
 
        key_types = ['ssh-dss', 'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256']

			




	
	
	
		
 
    elif ansible_facts['ansible_distribution_release'] == 'stretch':

			




	
	
	
		
 
        key_types = ['ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256']

			




	
	
	
		
 

			




	
	
	
		
 
    # Extract first non-IPv6 IP. Crude test, but it should work.

			




	
	
	
		
 
    remote_ip = next(a for a in host.interface("eth1").addresses if ":" not in a)

			




	
	
	
		
 

			




	
	
	
		
 
    local = host.get_host("local://")

			




	
	
	
		
 

			




	
	
	
		
 
    for key_type in ['ssh-dss', 'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256']:

			




	
	
	
		
 
    for key_type in key_types:

			




	
	
	
		
 

			




	
	
	
		
 
        login_attempt = local.run("ssh -p 2222 "

			




	
	
	
		
 
                                  "-o PasswordAuthentication=no "

			




        

    


    
    

    

        

                

                    roles/backup_server/tasks/main.yml
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -117,7 +117,7 @@

			




	
	
	
		
 

			




	
	
	
		
 
- name: Deploy configuration file for the backup OpenSSH server instance

			




	
	
	
		
 
  copy:

			




	
	
	
		
 
    src: "backup-sshd_config"

			




	
	
	
		
 
    src: "backup-sshd_config-{{ ansible_distribution_release }}"

			




	
	
	
		
 
    dest: "/etc/ssh-backup/sshd_config"

			




	
	
	
		
 
    owner: root

			




	
	
	
		
 
    group: root

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2023 by various authors & licensed under GPLv3.