
Failure on RHEL8 due to non existing sshd_config.d

Open skwde opened this issue 1 year ago • 8 comments

When running the role like

- name: Handle default sshd_config for RHEL8
  ansible.builtin.include_role:
    name: fedora.linux_system_roles.sshd
  vars:
    sshd_skip_defaults: false # noqa var-naming[no-role-prefix]
    sshd_config_file: "/etc/ssh/sshd_config"
    # sshd: {}

on a fresh install of RHEL8 without an existing /etc/ssh/sshd_config.d execution fails with the message

Destination directory /etc/ssh/sshd_config.d does not exist

skwde, Mar 27 '24 15:03

@Jakuje is this issue fixed by https://github.com/willshersystems/ansible-sshd/pull/281 ?

richm, Mar 27 '24 15:03

@Jakuje is this issue fixed by #281 ?

I think so. I just installed the RHEL8 VM and the above task no longer throws this error with the changes.

@skwde can you double-check with the changes proposed in #281?

Jakuje, Mar 27 '24 16:03

I installed the role from https://github.com/Jakuje/ansible-sshd.git,main_config_file and ran

---
- name: Handle default sshd_config for RHEL8
  ansible.builtin.include_role:
    name: ansible-sshd
  vars:
    sshd_skip_defaults: false # noqa var-naming[no-role-prefix]
    sshd_config_file: "/etc/ssh/sshd_config"
    # sshd: {}

which failed with the same error.

I also tried running

---
- name: Handle default sshd_config for RHEL8
  ansible.builtin.include_role:
    name: ansible-sshd
  vars:
    sshd_skip_defaults: false # noqa var-naming[no-role-prefix]
    sshd_config_file: "/etc/ssh/sshd_config"
    sshd_main_config_file: null  # YAML null; a bare None would be the string "None"
    # sshd: {}

but got the same error.

Of course a workaround might look like running

- name: Ensure required directories exist
  become: true
  ansible.builtin.file:
    path: "{{ dir }}"
    state: directory
    owner: root
    group: root
    mode: "0700"  # root-only, as the distributions that ship the drop-in directory do
  loop_control:
    loop_var: dir
  with_items:
    # ## workaround: https://github.com/willshersystems/ansible-sshd/issues/282
    - "/etc/ssh/sshd_config.d"

before the call to the role.

skwde, Mar 28 '24 06:03

Can you paste the whole error message you are getting, ideally with the -vv added to the ansible-playbook when executed and with the task name failing? I believe it should be from the task Create a directory for drop-in configuration snippets, but in the #281, it should not be executed when sshd_main_config_file is none and RHEL8 should have this variable set to none as it does not have the drop-in directory by default.

Jakuje, Mar 28 '24 09:03

From the shell history I was able to dig up the task:

TASK [fedora.linux_system_roles.sshd : Create the complete configuration file]

I can however no longer test it easily because I already deployed the workaround to the production systems.

skwde, Mar 28 '24 10:03

Yes, this is the task name in install.yml that includes more tasks in install_config.yml running the task I mentioned. But it is not clear to me why it is not skipping it when sshd_main_config_file should be None on RHEL8 (unless overridden somewhere). Aren't there some other sshd_ variables lurking around the playbook?

Jakuje, Mar 28 '24 12:03

Here is the vars/sshd.yml

---
# ## sshd variables, see
# ##   https://github.com/willshersystems/ansible-sshd
# ## for a description

# sshd_manage_service: true
# sshd_allow_reload: true

sshd_install_service: false

sshd_manage_firewall: false
sshd_manage_selinux: false

sshd_backup: false

sshd_sysconfig: false
sshd_sysconfig_override_crypto_policy: false
sshd_sysconfig_use_strong_rng: 0
# sshd_main_config_file: /etc/ssh/sshd_config
# sshd_config_file: /etc/ssh/sshd_config.d/<include snippet>.conf

# sshd_config_namespace: null

# sshd_config_owner:
# sshd_config_group:
# sshd_config_mode:

# sshd_verify_hostkeys: auto

# sshd_hostkey_owner:
# sshd_hostkey_group:
# sshd_hostkey_mode:

which is included before the following tasks run.

- name: Handle default sshd_config for RHEL8
  ansible.builtin.include_role:
    name: fedora.linux_system_roles.sshd
  vars:
    sshd_skip_defaults: false # noqa var-naming[no-role-prefix]
    sshd_config_file: "/etc/ssh/sshd_config"
    # sshd: {}

- name: IPA
  ansible.builtin.include_role:
    name: fedora.linux_system_roles.sshd
  vars:
    sshd_skip_defaults: true # noqa var-naming[no-role-prefix]
    sshd_config_file: "/etc/ssh/sshd_config.d/04-ipa.conf"
    sshd:
      PubkeyAuthentication: "yes"
      KerberosAuthentication: "no"
      GSSAPIAuthentication: "yes"
      UsePAM: "yes"
      ChallengeResponseAuthentication: "yes"
      AuthorizedKeysCommand: /usr/bin/sss_ssh_authorizedkeys
      AuthorizedKeysCommandUser: nobody

No other sshd related variables are set.

skwde, Mar 28 '24 13:03

And isn't the error coming from the second invocation? I think the first one does not have any link to the sshd_config.d, while the second indeed does, and the second should have sshd_main_config_file: /etc/ssh/sshd_config (while I agree that the current version does not have this documented anywhere).

Jakuje, Mar 28 '24 13:03
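The point above is that a snippet dropped into /etc/ssh/sshd_config.d/ only takes effect if the main sshd_config has an unconditional Include matching it; on a stock RHEL8 it does not, so settings like the AuthorizedKeysCommand in the 04-ipa.conf snippet would silently never apply. The following check is an added example (not part of the role or of this issue) that parses an sshd_config body for Include directives, resolves them the way sshd_config(5) describes, and reports whether a given snippet path would be read; the two sample configs are constructed.

```python
import fnmatch
import os
import re
from typing import List, Tuple

# Constructed sample: a stock-style RHEL8 sshd_config has no global Include line,
# so nothing placed under /etc/ssh/sshd_config.d/ is read by sshd at all.
RHEL8_STYLE = """\
# constructed sample, not a real host's file
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTHPRIV
PermitRootLogin no
Match User backup
    Include /etc/ssh/sshd_config.d/backup-*.conf
"""

# Constructed sample: a config that unconditionally includes the drop-in directory.
DROPIN_STYLE = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
"""

INCLUDE_RE = re.compile(r"^include\s+(.+?)\s*$", re.IGNORECASE)
MATCH_RE = re.compile(r"^match\s+", re.IGNORECASE)


def parse_includes(config_text: str, base_dir: str = "/etc/ssh") -> List[Tuple[str, bool]]:
    """Return (absolute_glob, conditional) for every Include directive.

    Relative patterns are resolved against /etc/ssh as sshd_config(5) describes.
    An Include after a Match line is conditional: sshd applies it only while that
    Match block is active, so it does not make a global drop-in take effect.
    """
    includes = []
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        if MATCH_RE.match(line):
            in_match = True
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        for pattern in m.group(1).split():  # one Include may list several globs
            if not os.path.isabs(pattern):
                pattern = os.path.join(base_dir, pattern)
            includes.append((pattern, in_match))
    return includes


def snippet_is_effective(config_text: str, snippet_path: str) -> bool:
    """True only if an unconditional Include glob in the main file matches snippet_path."""
    return any(fnmatch.fnmatchcase(snippet_path, pattern) and not conditional
               for pattern, conditional in parse_includes(config_text))
```

Run it against the real /etc/ssh/sshd_config after the role has finished to confirm the drop-in is actually wired in, since both the directory and the Include line must exist for the snippet to count.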

Closing as there seems to be nothing to do here.

mattwillsher, Sep 04 '24 20:09