ara | File #6640: /home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes-CR.yaml

/home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes-CR.yaml

Execution

Date 20 Nov 2025 13:31:05 +0000

Duration 00:00:56.31

Controller ssh-gw-4.layershift.com

User root

Versions

Ansible 2.16.11

ara 1.7.3 / 1.7.3

Python 3.10.10

Summary

24 Hosts

8 Tasks

192 Results

1 Plays

1 Files

0 Records

remote_user:root check:False tags:all

Date
20 Nov 2025 13:31:05 +0000
Path
/home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes-CR.yaml

Argument	Value
version	None
verbosity	2
private_key_file	/home/ssh-gateway/.ssh/id_rsa
remote_user	root
connection	ssh
timeout	None
ssh_common_args	None
sftp_extra_args	None
scp_extra_args	None
ssh_extra_args	None
ask_pass	False
connection_password_file	None
force_handlers	False
flush_cache	False
become	False
become_method	sudo
become_user	None
become_ask_pass	False
become_password_file	None
tags	['all']
skip_tags	[]
check	False
diff	False
inventory	['/home/ssh-gateway/ansible/kuly/hosts-kvm-nodes']
listhosts	False
subset	None
extra_vars	Not saved by ARA as configured by 'ignored_arguments'
vault_ids	[]
ask_vault_pass	False
vault_password_files	[]
forks	20
module_path	None
syntax	False
listtasks	False
listtags	False
step	False
start_at_task	None
args	['RM10193-sshd-config-changes-CR.yaml']

File: /home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes-CR.yaml

---
- name: Playbook to make sshd changes
  hosts: all
  gather_facts: true
  vars:
    sshd_config_path: /etc/ssh/sshd_config
    sshd_configd: /etc/ssh/sshd_config.d/50-redhat.conf
    sshd_hardening_params:
      - {regexp: '^#?AllowAgentForwarding', line: 'AllowAgentForwarding no'}
      - {regexp: '^#?AllowTcpForwarding', line: 'AllowTcpForwarding no'}
      - {regexp: '^#?X11Forwarding', line: 'X11Forwarding no'}
    ssh_port: 2233

  tasks:
    - name: Ensure SSHD config file exists before proceeding
      ansible.builtin.stat:
        path: "{{ sshd_config_path }}"
      register: sshd_config_stat
      failed_when: not sshd_config_stat.stat.exists

    - name: Make the replacements
      ansible.builtin.lineinfile:
        path: "{{ sshd_config_path }}"
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        backup: true
        validate: 'sshd -t -f %s'
      loop: "{{ sshd_hardening_params }}"

    - name: Alma9 has one more do replace
      ansible.builtin.lineinfile:
        path: "{{ sshd_configd }}"
        regexp: '^#?X11Forwarding'
        line: 'X11Forwarding no'
        state: present
        backup: true
        validate: 'sshd -t -f %s'

    - name: Restart sshd daemon
      ansible.builtin.systemd:
        name: sshd.service
        state: restarted

    - name: Verify if the options are there
      ansible.builtin.shell: |
        set -o pipefail
        sshd -T -C lport=2233| egrep "x11forwarding|allowtcpforwarding|allowagentforwarding"
      args:
        executable: /bin/bash
      register: ssh_out
      changed_when: "'yes' in ssh_out.stdout"
      tags:
        - check

    - name: Check sshd status
      ansible.builtin.systemd:
        name: sshd.service
      register: sshd_config_status

    - name: Check sshd status
      ansible.builtin.debug:
        msg: "SSH is not runing as expected"
      when: sshd_config_status.status.ActiveState != "active"

Playbook #4514

File: /home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes-CR.yaml