Merge pull request #18 from arillso/support/windows

add Windows support

CHANGELOG.md

@@ -3,6 +3,12 @@
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
 and [human-readable changelog](https://keepachangelog.com/en/1.0.0/).
 
+## 2.2.0
+
+### Added
+
+- Add Windows Support
+
 ## 2.1.0
 
 ### Added

defaults/main.yml

@@ -65,7 +65,7 @@ ssh_gateway_ports: false # sshd
 ssh_allow_agent_forwarding: false # sshd
 
 # true if SSH has PAM support
-ssh_pam_support: true
+ssh_pam_support: "{{ true if not 'Windows' in ansible_distribution else false }}"
 
 # false to disable pam authentication.
 ssh_use_pam: false # sshd
@@ -80,7 +80,7 @@ ssh_pam_device: false # sshd
 ssh_gssapi_support: false
 
 # true if SSH support Kerberos
-ssh_kerberos_support: true
+ssh_kerberos_support: "{{ true if not 'Windows' in ansible_distribution else false }}"
 
 # if specified, login is disallowed for user names that match one of the patterns.
 ssh_deny_users: '' # sshd

handlers/main.yml

@@ -1,8 +1,13 @@
 ---
 # handlers file for arillso.sshd
 
-- name: restart sshd
+- name: restart linux sshd
   become: true
   service:
-    name: "{{ sshd_service_name }}"
+    name: '{{ sshd_service_name }}'
+    state: restarted
+
+- name: restart windows sshd
+  win_service:
+    name: '{{ sshd_service_name }}'
     state: restarted

meta/main.yml

@@ -19,4 +19,3 @@ galaxy_info:
       versions:
         - 6
         - 7
-        - 8

molecule/default/molecule.yml

@@ -5,9 +5,7 @@ driver:
   name: docker
 lint: |
   set -e
-  yamllint -s -c  molecule/default/yamllint.yml .
-  ansible-lint
-  flake8
+  yamllint . -c molecule/default/yamllint.yml
 platforms:
   - name: instance
     image: 'geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest'
@@ -17,9 +15,13 @@ platforms:
     pre_build_image: true
 provisioner:
   name: ansible
+  lint:
+    name: ansible-lint
   playbooks:
     converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
 scenario:
   name: default
 verifier:
   name: testinfra
+  lint:
+    name: flake8

molecule/default/playbook.yml

@@ -7,7 +7,7 @@
         name:
           - openssh-clients
           - openssh-server
-      when: ansible_os_family == "RedHat"
+      when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
     - name: Install openssh on Debian/Ubuntu
       apt:
         name:
@@ -19,13 +19,6 @@
       file:
         path: '/var/run/sshd'
         state: directory
-    - name: create ssh host keys on systemd controlled RedHat systems
-      command: /usr/bin/ssh-keygen -A
-      when:
-        - ansible_os_family == "RedHat"
-        - ansible_distribution_major_version > "6"
 
   roles:
     - role: arillso.sshd
-      vars:
-        ssh_use_pam: '{{ (ansible_os_family == "RedHat" and ansible_distribution_major_version > "6") | bool }}'

tasks/distribution/Linux.yml

@@ -0,0 +1,74 @@
+---
+# tasks file for arillso.sshd
+
+- name: 'Linux : get openssh-version'
+  shell: set -o pipefail && ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
+  args:
+    executable: /bin/bash
+  changed_when: false
+  register: sshd_version
+  check_mode: false
+
+- name: 'Linux : include tasks to create crypo-vars'
+  include_tasks: subtasks/crypto.yml
+
+- name: 'LInux : create revoked_keys and set permissions to root/600'
+  become: true
+  template:
+    src: 'revoked_keys.j2'
+    dest: '/etc/ssh/revoked_keys'
+    mode: '0600'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
+  notify: restart linux sshd
+  when: ssh_server_hardening | bool
+
+- name: 'Linux : create sshd_config and set permissions to root/600'
+  become: true
+  template:
+    src: 'opensshd.conf.j2'
+    dest: '/etc/ssh/sshd_config'
+    mode: '0600'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
+    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
+  notify: restart linux sshd
+  when: ssh_server_hardening | bool
+
+- name: 'Linux : create ssh_config and set permissions to root/644'
+  become: true
+  template:
+    src: 'openssh.conf.j2'
+    dest: '/etc/ssh/ssh_config'
+    mode: '0644'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
+  when: ssh_client_hardening | bool
+
+- name: 'Linux : Check if {{ sshd_moduli_file }} contains weak DH parameters'
+  shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
+  register: sshd_register_moduli
+  changed_when: false
+  check_mode: false
+
+- name: 'Linux : Remove all small primes'
+  shell:
+    awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
+    [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
+  notify: restart linux sshd
+  when: sshd_register_moduli.stdout
+
+- name: 'Linux : Include tasks to setup ca keys and principals'
+  include_tasks: subtasks/ca_keys_and_principals.yml
+  when: ssh_trusted_user_ca_keys_file | length > 0
+
+- name: 'Linux : include tasks to setup 2FA'
+  include_tasks: subtasks/2fa.yml
+  when:
+    - ssh_use_pam | bool
+    - ssh_challengeresponseauthentication | bool
+    - ssh_google_auth | bool
+
+- name: 'Linux : include selinux specific tasks'
+  include_tasks: subtasks/selinux.yml
+  when: ansible_selinux and ansible_selinux.status == "enabled"

tasks/distribution/Windows.yml

@@ -0,0 +1,44 @@
+---
+# tasks file for arillso.sshd
+
+- name: 'Windows : Install OpenSSH'
+  become_method: runas
+  become_user: System
+  become: yes
+  sbaerlocher.windows.win_capability:
+    name: 'OpenSSH.Server~~~~0.0.1.0'
+
+- name: 'Windows : Get openssh-version'
+  win_shell: ssh -V
+  changed_when: false
+  register: sshd_verstion_string
+  check_mode: false
+
+- name: 'Windows : Set openssh-version'
+  set_fact:
+    sshd_version:
+      stdout: '{{ sshd_verstion_string.stderr | regex_search("(\d{1,2}\.\d{1,2})(?!\.)") }}'
+
+- name: 'Windows : Include tasks to create crypo-vars'
+  include_tasks: subtasks/crypto.yml
+
+- name: 'Windows : Set the default shell to PowerShell'
+  win_regedit:
+    path: HKLM:\SOFTWARE\OpenSSH
+    name: DefaultShell
+    data: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+    type: string
+    state: present
+
+- name: 'Windows : Create sshd_config'
+  win_template:
+    src: 'opensshd.conf.j2'
+    dest: 'C:\ProgramData\ssh\sshd_config'
+  notify: restart windows sshd
+
+- name: 'Windows : Create revoked_keys and set permissions to root/600'
+  become: true
+  template:
+    src: 'revoked_keys.j2'
+    dest: 'C:\ProgramData\ssh\revoked_keys'
+  notify: restart windows sshd

tasks/subtasks/ca_keys_and_principals.yml → tasks/distribution/subtasks/ca_keys_and_principals.yml

@@ -9,7 +9,7 @@
     mode: '0644'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
-  notify: restart sshd
+  notify: restart linux sshd
 
 - name: Create ssh authorized principals directories
   become: true

tasks/main.yml

@@ -5,9 +5,9 @@
   include_vars: '{{ loop_vars }}'
   with_first_found:
     - files:
-        - '{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml'
-        - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
-        - '{{ ansible_distribution }}.yml'
+        - '{{ distribution }}-{{ distribution_version }}.yml'
+        - '{{ distribution }}-{{ distribution_major_version }}.yml'
+        - '{{ distribution }}.yml'
         - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
         - '{{ ansible_os_family }}.yml'
         - '{{ ansible_system }}.yml'
@@ -16,77 +16,32 @@
         - 'vars'
   loop_control:
     loop_var: loop_vars
+  vars:
+    distribution: '{{ ansible_distribution }}'
+    distribution_version: '{{ ansible_distribution_version }}'
+    distribution_major_version: '{{ ansible_distribution_major_version }}'
   tags:
     - configuration
+    - packages
 
-- name: get openssh-version
-  shell: set -o pipefail && ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
-  args:
-    executable: /bin/bash
-  changed_when: false
-  register: sshd_version
-  check_mode: false
-
-- name: include tasks to create crypo-vars
-  include_tasks: subtasks/crypto.yml
-
-- name: create revoked_keys and set permissions to root/600
-  become: true
-  template:
-    src: 'revoked_keys.j2'
-    dest: '/etc/ssh/revoked_keys'
-    mode: '0600'
-    owner: '{{ ssh_owner }}'
-    group: '{{ ssh_group }}'
-  notify: restart sshd
-  when: ssh_server_hardening | bool
-
-- name: create sshd_config and set permissions to root/600
-  become: true
-  template:
-    src: 'opensshd.conf.j2'
-    dest: '/etc/ssh/sshd_config'
-    mode: '0600'
-    owner: '{{ ssh_owner }}'
-    group: '{{ ssh_group }}'
-    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
-  notify: restart sshd
-  when: ssh_server_hardening | bool
-
-- name: create ssh_config and set permissions to root/644
-  become: true
-  template:
-    src: 'openssh.conf.j2'
-    dest: '/etc/ssh/ssh_config'
-    mode: '0644'
-    owner: '{{ ssh_owner }}'
-    group: '{{ ssh_group }}'
-  when: ssh_client_hardening | bool
-
-- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
-  shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
-  register: sshd_register_moduli
-  changed_when: false
-  check_mode: false
-
-- name: remove all small primes
-  shell:
-    awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
-    [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
-  notify: restart sshd
-  when: sshd_register_moduli.stdout
-
-- name: include tasks to setup ca keys and principals
-  include_tasks: subtasks/ca_keys_and_principals.yml
-  when: ssh_trusted_user_ca_keys_file | length > 0
-
-- name: include tasks to setup 2FA
-  include_tasks: subtasks/2fa.yml
-  when:
-    - ssh_use_pam | bool
-    - ssh_challengeresponseauthentication | bool
-    - ssh_google_auth | bool
-
-- name: include selinux specific tasks
-  include_tasks: subtasks/selinux.yml
-  when: ansible_selinux and ansible_selinux.status == "enabled"
+- name: include distribution tasks
+  include_tasks: '{{ loop_distribution }}'
+  with_first_found:
+    - files:
+        - '{{ distribution }}-{{ distribution_version }}.yml'
+        - '{{ distribution }}-{{ distribution_major_version }}.yml'
+        - '{{ distribution }}.yml'
+        - '{{ ansible_os_family }}.yml'
+        - '{{ ansible_system }}.yml'
+        - 'defaults.yml'
+      paths:
+        - 'distribution'
+  loop_control:
+    loop_var: loop_distribution
+  vars:
+    distribution: '{{ ansible_distribution }}'
+    distribution_version: '{{ ansible_distribution_version }}'
+    distribution_major_version: '{{ ansible_distribution_major_version }}'
+  tags:
+    - configuration
+    - packages

templates/opensshd.conf.j2

@@ -230,7 +230,7 @@ DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
 {% endif %}
 
 # Reject keys that are explicitly blacklisted
-RevokedKeys /etc/ssh/revoked_keys
+RevokedKeys {{ sshd_config_path }}/revoked_keys
 
 {% if ssh_sftp_enabled -%}
 # SFTP matching configuration
@@ -239,7 +239,7 @@ RevokedKeys /etc/ssh/revoked_keys
 # override default of no subsystems
 # Subsystem sftp /opt/app/openssh5/libexec/sftp-server
 
-Subsystem sftp internal-sftp -l INFO -f LOCAL6
+Subsystem	{{ sshd_sftp_subsystem }}
 
 # These lines must appear at the *end* of sshd_config
 Match Group sftponly

vars/Debian.yml

@@ -2,6 +2,8 @@
 # vars file for arillso.sshd
 
 sshd_service_name: ssh
+sshd_config_path: /etc/ssh
+sshd_sftp_subsystem: 'sftp internal-sftp -l INFO -f LOCAL6'
 ssh_owner: root
 ssh_group: root
 ssh_selinux_dependency_packages:

vars/FreeBSD.yml

@@ -2,5 +2,7 @@
 # vars file for arillso.sshd
 
 sshd_service_name: sshd
+sshd_config_path: /etc/ssh
+sshd_sftp_subsystem: 'sftp internal-sftp -l INFO -f LOCAL6'
 ssh_owner: root
 ssh_group: wheel

vars/Oracle Linux.yml

@@ -2,6 +2,8 @@
 # vars file for arillso.sshd
 
 sshd_service_name: sshd
+sshd_config_path: /etc/ssh
+sshd_sftp_subsystem: 'sftp internal-sftp -l INFO -f LOCAL6'
 ssh_owner: root
 ssh_group: root
 ssh_selinux_dependency_packages:

vars/RedHat.yml

@@ -2,6 +2,8 @@
 # vars file for arillso.sshd
 
 sshd_service_name: sshd
+sshd_config_path: /etc/ssh
+sshd_sftp_subsystem: 'sftp internal-sftp -l INFO -f LOCAL6'
 ssh_owner: root
 ssh_group: root
 ssh_selinux_dependency_packages: