2024-02-15 02:51:39 +01:00
Ansible Role SSHD
====================
2024-02-15 20:02:08 +01:00
Ansible role l3d.users.sshd to Manage SSHD Configuration of the system and which Accounts are allowed to login.
2024-02-15 02:51:39 +01:00
There are two variables to define users. The ``l3d_users__default_users`` is ment to put to your group_vars to define a default for your system. The ``l3d_users__local_users`` could be put in your host_vars to define host-specific user and admin roles.
Variables:
-----------
### User Management
+ The dictionary-variable for your group_vars to set your general users and admins is ``l3d_users__default_users``.
+ The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``.
The Option of these directory-variables are the following.
2024-02-16 18:00:07 +01:00
| option | values | required | description |
| ------ | ------ | --- | --- |
| ``name`` | *string* | ``required`` | The user you want to create |
| ``state`` | ``present`` | - | Create or delete user |
| ``shell`` | ``/bin/bash`` | - | The Shell of the User |
| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* |
2024-02-17 04:12:29 +01:00
| ``admin`` | ``false`` | - | enable it to give the user superpowers |
2024-02-16 18:00:07 +01:00
| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
| ``admin_ansible_login`` | ``true`` | - |if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
| ``pubkeys`` | string or lookup | - | see examples |
| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
| ``password`` | password hash | - | See [official FAQ ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module ) |
2024-02-23 19:13:13 +01:00
| ``groups`` | list | - | Additional groups for your user |
2024-02-16 18:00:07 +01:00
| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` |
2024-02-15 02:51:39 +01:00
2024-02-15 20:02:08 +01:00
There is a third directory-variable called ``l3d_users__ssh_login: []`` which only support ``name`` and ``state`` for users, that sould be able to login on that system.
### Other Variables
2024-02-15 02:51:39 +01:00
| name | default value | description |
| --- | --- | --- |
2024-02-15 20:02:08 +01:00
| ``l3d_users__limit_login`` | ``true`` | Only allow SSH login for specified users |
| ``l3d_users__sshd_port`` | ``22`` | Port for SSH |
| ``l3d_users__sshd_password_authentication`` | ``false`` | Allow login with Password |
| ``l3d_users__sshd_permitrootlogin`` | ``false`` | Allow login as root |
| ``l3d_users__create_ansible`` | ``true`` | Create Ansible User |
| ``l3d_users__ansible_user_state`` | ``present`` | Ansible User State |
| ``l3d_users__sshd_manage_server_key_types`` | ``true`` | Manage Server SSH Key types |
| ``l3d_users__sshd_server_key_types`` | ``['ed25519']`` | List of supported SSH Key Types |
| ``l3d_users__sshd_manage_key_algorithmus`` | ``true`` | Manage SSH Key Algorythmins |
| ``l3d_users__sshd_key_algorithmus`` | ``['ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519', 'ecdsa-sha2-nistp521-cert-v01@openssh.com', 'ecdsa-sha2-nistp384-cert-v01@openssh.com', 'ecdsa-sha2-nistp256-cert-v01@openssh.com']`` | Used SSH Key Algorithms |
| ``l3d_users__sshd_manage_kex_algorithmus`` | ``true`` | Manage SSH Kex Algorythms |
| ``l3d_users__sshd_kex_algorithmus`` | ``['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1']`` | Used Kex Algorythms |
| ``l3d_users__sshd_manage_ciphers`` | ``true`` | Manage SSH Ciphers |
| ``l3d_users__sshd_ciphers`` | ``['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr']`` | Used SSH Ciphers |
| ``l3d_users__sshd_manage_macs`` | ``true`` | Manage Used MACs |
| ``l3d_users__sshd_macs`` | ``['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512']`` | Used MACs |
| ``l3d_users__sshd_xforwarding`` |``true`` | Enable X-Forwarding |
2024-02-16 18:00:07 +01:00
| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
2024-02-15 02:51:39 +01:00
Example Playbook
-----------------
```yaml
- name: Create System with User and Passwords
hosts: example.com
roles:
2024-02-15 20:02:08 +01:00
- {role: l3d.users.sshd, tags: 'sshd'}
2024-02-15 02:51:39 +01:00
vars:
l3d_users__local_users:
- name: 'alice'
state: 'present'
- name: 'bob'
state: 'present'
2024-02-15 20:02:08 +01:00
l3d_users__ssh_login:
- name: 'charlie'
state: 'present'
2024-02-15 02:51:39 +01:00
2024-02-15 20:02:08 +01:00
l3d_users__limit_login: true
2024-02-15 02:51:39 +01:00
l3d_users__create_ansible: true
submodules_versioncheck: true
```