Merge pull request #1184 from moreati/issue1083-host_key_checking

ansible_mitogen: Templated SSH host key checking

.ci/localhost_ansible_tests.py

@@ -51,6 +51,9 @@ with ci_lib.Fold('machine_prep'):
         subprocess.check_call('sudo chmod 700 ~root/.ssh', shell=True)
         subprocess.check_call('sudo chmod 600 ~root/.ssh/authorized_keys', shell=True)
 
+    os.chdir(IMAGE_PREP_DIR)
+    ci_lib.run("ansible-playbook -c local -i localhost, macos_localhost.yml")
+
     if os.path.expanduser('~mitogen__user1') == '~mitogen__user1':
         os.chdir(IMAGE_PREP_DIR)
         ci_lib.run("ansible-playbook -c local -i localhost, _user_accounts.yml")

ansible_mitogen/transport_config.py

@@ -500,12 +500,7 @@ class PlayContextSpec(Spec):
             rediscover_python=rediscover_python)
 
     def host_key_checking(self):
-        def candidates():
+        return self._connection_option('host_key_checking')
-            yield self._connection.get_task_var('ansible_ssh_host_key_checking')
-            yield self._connection.get_task_var('ansible_host_key_checking')
-            yield C.HOST_KEY_CHECKING
-        val = next((v for v in candidates() if v is not None), True)
-        return boolean(val)
 
     def private_key_file(self):
         return self._connection_option('private_key_file')

docs/changelog.rst

@@ -25,6 +25,8 @@ In progress (unreleased)
   on SSH key ``mitogen__has_sudo_pubkey.key`` during Ansible tests.
 * :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH private key file
   (e.g. ``ansible_private_key_file``).
+* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH host key checking
+  (e.g. ``ansible_host_key_checking``, ``ansible_ssh_host_key_checking``).
 
 
 v0.3.16 (2024-11-05)

tests/ansible/hosts/default.hosts

@@ -43,6 +43,7 @@ ansible_host=localhost
 ansible_user="{{ lookup('pipe', 'whoami') }}"
 
 [tt_targets_inventory]
+tt-host-key-checking        ansible_host_key_checking="{{ 'false' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
 tt-password                 ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw
 tt-port                     ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw
 tt-private-key-file         ansible_private_key_file="{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_user=mitogen__has_sudo_pubkey

tests/ansible/templates/test-targets.j2

@@ -71,6 +71,7 @@ ansible_python_interpreter={{ tt.python_path }}
 ansible_user=mitogen__has_sudo_nopw
 
 [tt_targets_inventory]
+tt-host-key-checking        ansible_host_key_checking="{{ '{{' }} 'false' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_user=mitogen__has_sudo_nopw
 tt-password                 ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}"  ansible_port={{ tt.port }} ansible_user=mitogen__has_sudo_nopw
 tt-port                     ansible_password=has_sudo_nopw_password  ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}"  ansible_user=mitogen__has_sudo_nopw
 tt-private-key-file         ansible_port={{ tt.port }} ansible_private_key_file="{{ '{{' }} git_basedir {{ '}}' }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_user=mitogen__has_sudo_pubkey

tests/image_prep/_container_setup.yml

@@ -23,10 +23,16 @@
   gather_facts: true
   vars:
     distro: "{{ansible_distribution}}"
-  tasks:
-    - when: ansible_virtualization_type != "docker"
-      meta: end_play
 
+  pre_tasks:
+    - meta: end_play
+      when:
+        - ansible_facts.virtualization_type != "docker"
+
+  roles:
+    - role: sshd
+
+  tasks:
     - name: Ensure requisite apt packages are installed
       apt:
         name: "{{ common_packages + packages }}"
@@ -134,10 +140,6 @@
         content: |
           i-am-mitogen-test-docker-image
 
-    - copy:
-        dest: /etc/ssh/banner.txt
-        src: ../data/docker/ssh_login_banner.txt
-
     - name: Ensure /etc/sudoers.d exists
       file:
         state: directory
@@ -169,17 +171,6 @@
         line: "%wheel  ALL=(ALL)       ALL"
       when: ansible_os_family == 'RedHat'
 
-    - name: Enable SSH banner
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        line: Banner /etc/ssh/banner.txt
-
-    - name: Allow remote SSH root login
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        line: PermitRootLogin yes
-        regexp: '.*PermitRootLogin.*'
-
     - name: Allow remote SSH root login
       lineinfile:
         path: /etc/pam.d/sshd

tests/image_prep/macos_localhost.yml

@@ -0,0 +1,7 @@
+- name: Configure macOS
+  hosts: all
+  gather_facts: true
+  strategy: mitogen_free
+  become: true
+  roles:
+    - role: sshd

tests/image_prep/roles/sshd/defaults/main.yml

@@ -0,0 +1,3 @@
+sshd_config_file: /etc/ssh/sshd_config
+
+sshd_config__max_auth_tries: 50

tests/image_prep/roles/sshd/tasks/main.yml

@@ -0,0 +1,31 @@
+- name: Create login banner
+  copy:
+    src: banner.txt
+    dest: /etc/ssh/banner.txt
+    mode: u=rw,go=r
+
+- name: Configure sshd_config
+  lineinfile:
+    path: "{{ sshd_config_file }}"
+    line: "{{ item.line }}"
+    regexp: "{{ item.regexp }}"
+  loop:
+    - line:     Banner /etc/ssh/banner.txt
+      regexp:   '^#? *Banner.*'
+    - line:     MaxAuthTries {{ sshd_config__max_auth_tries }}
+      regexp:   '^#? *MaxAuthTries.*'
+    - line:     PermitRootLogin yes
+      regexp:   '.*PermitRootLogin.*'
+  loop_control:
+    label: "{{ item.line }}"
+  register: configure_sshd_result
+
+- name: Restart sshd
+  shell: |
+    launchctl unload /System/Library/LaunchDaemons/ssh.plist
+    wait 5
+    launchctl load -w /System/Library/LaunchDaemons/ssh.plist
+  changed_when: true
+  when:
+    - ansible_facts.distribution == "MacOSX"
+    - configure_sshd_result is changed