fix: include external config files first so they can override all options (#316)

* fix: include external config files first so they can override all options

* test: replaced cipher option with usedns for tests_deprecated_sshd_variable

Author: domrim

meta/options_body

@@ -1,3 +1,4 @@
+Include
 Port
 AddressFamily
 ListenAddress
@@ -51,7 +52,6 @@ HostbasedAcceptedKeyTypes
 HostbasedAcceptedAlgorithms
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
-Include
 IPQoS
 IgnoreRhosts
 IgnoreUserKnownHosts

meta/options_match

@@ -1,3 +1,4 @@
+Include
 AcceptEnv
 AllowAgentForwarding
 AllowGroups
@@ -29,7 +30,6 @@ HostbasedAcceptedAlgorithms
 HostbasedAuthentication
 HostbasedUsesNameFromPacketOnly
 IgnoreRhosts
-Include
 IPQoS
 KbdInteractiveAuthentication
 KerberosAuthentication

templates/sshd_config.j2

@@ -51,6 +51,7 @@
 {%   if match_list is iterable %}
 {%     for match in match_list %}
 Match {{ match["Condition"] }}
+{{       render_option("Include",match["Include"],true) -}}
 {{       render_option("AcceptEnv",match["AcceptEnv"],true) -}}
 {{       render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
 {{       render_option("AllowGroups",match["AllowGroups"],true) -}}
@@ -82,7 +83,6 @@ Match {{ match["Condition"] }}
 {{       render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
 {{       render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
 {{       render_option("IgnoreRhosts",match["IgnoreRhosts"],true) -}}
-{{       render_option("Include",match["Include"],true) -}}
 {{       render_option("IPQoS",match["IPQoS"],true) -}}
 {{       render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
 {{       render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
@@ -131,6 +131,7 @@ Match {{ match["Condition"] }}
 {{     match_block(match_list) -}}
 {%   endif %}
 {% endmacro %}
+{{ body_option("Include",sshd_Include) -}}
 {{ body_option("Port",sshd_Port) -}}
 {{ body_option("AddressFamily",sshd_AddressFamily) -}}
 {{ body_option("ListenAddress",sshd_ListenAddress) -}}
@@ -184,7 +185,6 @@ Match {{ match["Condition"] }}
 {{ body_option("HostbasedAcceptedAlgorithms",sshd_HostbasedAcceptedAlgorithms) -}}
 {{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
 {{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
-{{ body_option("Include",sshd_Include) -}}
 {{ body_option("IPQoS",sshd_IPQoS) -}}
 {{ body_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
 {{ body_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}

templates/sshd_config_snippet.j2

@@ -49,6 +49,7 @@
 {%   if match_list is iterable %}
 {%     for match in match_list %}
 Match {{ match["Condition"] }}
+{{       render_option("Include",match["Include"],true) -}}
 {{       render_option("AcceptEnv",match["AcceptEnv"],true) -}}
 {{       render_option("AllowAgentForwarding",match["AllowAgentForwarding"],true) -}}
 {{       render_option("AllowGroups",match["AllowGroups"],true) -}}
@@ -80,7 +81,6 @@ Match {{ match["Condition"] }}
 {{       render_option("HostbasedAuthentication",match["HostbasedAuthentication"],true) -}}
 {{       render_option("HostbasedUsesNameFromPacketOnly",match["HostbasedUsesNameFromPacketOnly"],true) -}}
 {{       render_option("IgnoreRhosts",match["IgnoreRhosts"],true) -}}
-{{       render_option("Include",match["Include"],true) -}}
 {{       render_option("IPQoS",match["IPQoS"],true) -}}
 {{       render_option("KbdInteractiveAuthentication",match["KbdInteractiveAuthentication"],true) -}}
 {{       render_option("KerberosAuthentication",match["KerberosAuthentication"],true) -}}
@@ -129,6 +129,7 @@ Match {{ match["Condition"] }}
 {{     match_block(match_list) -}}
 {%   endif %}
 {% endmacro %}
+{{ body_option("Include",sshd_Include) -}}
 {{ body_option("Port",sshd_Port) -}}
 {{ body_option("AddressFamily",sshd_AddressFamily) -}}
 {{ body_option("ListenAddress",sshd_ListenAddress) -}}
@@ -182,7 +183,6 @@ Match {{ match["Condition"] }}
 {{ body_option("HostbasedAcceptedAlgorithms",sshd_HostbasedAcceptedAlgorithms) -}}
 {{ body_option("HostbasedAuthentication",sshd_HostbasedAuthentication) -}}
 {{ body_option("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) -}}
-{{ body_option("Include",sshd_Include) -}}
 {{ body_option("IPQoS",sshd_IPQoS) -}}
 {{ body_option("IgnoreRhosts",sshd_IgnoreRhosts) -}}
 {{ body_option("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) -}}

tests/tests_deprecated_sshd_variable.yml

@@ -16,8 +16,8 @@
         sshd:
           AcceptEnv: LANG
           Banner: /etc/issue
-          Ciphers: aes256-ctr
           Subsystem: "sftp internal-sftp"
+          UseDNS: true
         sshd_config_file: /etc/ssh/sshd_config
 
     - name: Verify the options are correctly set
@@ -50,16 +50,16 @@
             that:
               - "'acceptenv LANG' in runtime.stdout"
               - "'banner /etc/issue' in runtime.stdout"
-              - "'ciphers aes256-ctr' in runtime.stdout"
               - "'subsystem sftp internal-sftp' in runtime.stdout"
+              - "'usedns yes' in runtime.stdout"
 
         - name: Check the options are in configuration file
           ansible.builtin.assert:
             that:
               - "'AcceptEnv LANG' in config.content | b64decode"
               - "'Banner /etc/issue' in config.content | b64decode"
-              - "'Ciphers aes256-ctr' in config.content | b64decode"
               - "'Subsystem sftp internal-sftp' in config.content | b64decode"
+              - "'UseDNS yes' in config.content | b64decode"
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml
@@ -80,8 +80,8 @@
         sshd:
           AcceptEnv: LANG
           Banner: /etc/issue
-          Ciphers: aes256-ctr
           Subsystem: "sftp internal-sftp"
+          UseDNS: true
         sshd_config_file: /etc/ssh/sshd_config
 
   tasks:
@@ -107,16 +107,16 @@
         that:
           - "'acceptenv LANG' in runtime.stdout"
           - "'banner /etc/issue' in runtime.stdout"
-          - "'ciphers aes256-ctr' in runtime.stdout"
           - "'subsystem sftp internal-sftp' in runtime.stdout"
+          - "'usedns yes' in runtime.stdout"
 
     - name: Check the options are in configuration file
       ansible.builtin.assert:
         that:
           - "'AcceptEnv LANG' in config.content | b64decode"
           - "'Banner /etc/issue' in config.content | b64decode"
-          - "'Ciphers aes256-ctr' in config.content | b64decode"
           - "'Subsystem sftp internal-sftp' in config.content | b64decode"
+          - "'UseDNS yes' in config.content | b64decode"
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_set_common.yml

@@ -16,8 +16,8 @@
         sshd_config:
           AcceptEnv: LANG
           Banner: /etc/issue
-          Ciphers: aes256-ctr
           Subsystem: "sftp internal-sftp"
+          UseDNS: true
         sshd_config_file: /etc/ssh/sshd_config
 
     - name: Verify the options are correctly set
@@ -42,16 +42,16 @@
             that:
               - "'acceptenv LANG' in runtime.stdout"
               - "'banner /etc/issue' in runtime.stdout"
-              - "'ciphers aes256-ctr' in runtime.stdout"
               - "'subsystem sftp internal-sftp' in runtime.stdout"
+              - "'usedns yes' in runtime.stdout"
 
         - name: Check the options are in configuration file
           ansible.builtin.assert:
             that:
               - "'AcceptEnv LANG' in config.content | b64decode"
               - "'Banner /etc/issue' in config.content | b64decode"
-              - "'Ciphers aes256-ctr' in config.content | b64decode"
               - "'Subsystem sftp internal-sftp' in config.content | b64decode"
+              - "'UseDNS yes' in config.content | b64decode"
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml