Provide granular noop for shh configuration #789
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
seven-beep
force-pushed
the
master
branch
2 times, most recently
from
a5d7464
to
c55f95b
Compare
|
The pgp signing should be ok now. |
seven-beep
force-pushed
the
master
branch
2 times, most recently
from
776189a
to
ea9cdd7
Compare
|
Well I guess it is more valid to use new variables to implement this behavior. |
We would like to have more fine grained options on applying or not specific configurations. This commit let the user choose to noop some configuration with a few new boolean variables. Motivation for theses options are we may configure ourselves some (ssh host key regeneration in a templating system) or we are not ready for others (ssh_kex will break dist-upgrades, letting the operator without ssh). Signed-off-by: seven beep <[email protected]>
|
I corrected a few mispellings that was caught by codespell. |
rndmh3ro
reviewed
Sep 15, 2024
| @@ -73,14 +73,14 @@ LogLevel {{ sshd_log_level }} | |||
| # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) | |||
| # | |||
| {# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined -#} | |||
| {{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }} | |||
| {{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers and ssh_ciphers_config else 'Ciphers'|comment }} | |||
There was a problem hiding this comment.
This and the changes for MACs and Kex shouldn't be needed since ssh_ciphers can only be set in two ways:
- define it as a variable, then
ansible.builtin.include_tasks: crypto_ciphers.ymlwon't be run. - by the tasks in
ansible.builtin.include_tasks: crypto_ciphers.yml
Or is there something I am missing where we want to define Ciphers but not actually configure them?
There was a problem hiding this comment.
Actually on main we have :
- If I don't define them as a variable, the tasks crypto_ciphers.yml will define them for me and the template will use the defaults and hardcode them in the configuration file.
- If I define them as a non true variable, the same apply as I wasn't defining them.
- If I define them as a variable, the template will use this variable and hardcode them in the configuration file.
So what about if I doesn't want to define Ciphers and does not want to configure them ?
rndmh3ro
reviewed
Sep 15, 2024
| @@ -34,7 +34,7 @@ ListenAddress {{ address }} | |||
| {% endfor %} | |||
|
|
|||
| # HostKeys are listed here. | |||
| {% for key in ssh_host_key_files %} | |||
| {% for key in ssh_host_key_files if ssh_host_key_config%} | |||
There was a problem hiding this comment.
Can we do something like {{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers and ssh_ciphers_config else 'Ciphers'|comment }} here, too?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello,
We would like to have more fine grained options on applying or not specific configurations.
This commit let the user choose to noop some configuration by setting their value to false.
Another option would have been to create more variables but I was reticent to do so.
Motivation for theses options are we may configure ourselves some (ssh host key regeneration in a templating system) or we are not ready for others (ssh_kex will break dist-upgrades, letting the operator without ssh).