mirror of
https://github.com/roles-ansible/ansible_collection_users.git
synced 2024-08-16 10:29:50 +02:00
L3D
4d3dcce8f9
Enable option to modify SSHD Server Key visibility CLOSE https://github.com/roles-ansible/ansible_collection_users/issues/28
4.5 KiB
4.5 KiB
Ansible Role SSHD
Ansible role l3d.users.sshd to Manage SSHD Configuration of the system and which Accounts are allowed to login.
There are two variables to define users. The l3d_users__default_users
is ment to put to your group_vars to define a default for your system. The l3d_users__local_users
could be put in your host_vars to define host-specific user and admin roles.
Variables:
User Management
- The dictionary-variable for your group_vars to set your general users and admins is
l3d_users__default_users
. - The dictionary-variable for your host_vars to set your host-specific users and admins is:
l3d_users__local_users
. The Option of these directory-variables are the following.
option | values | required | description |
---|---|---|---|
name |
string | required |
The user you want to create |
state |
present |
- | Create or delete user |
shell |
/bin/bash |
- | The Shell of the User |
create_home |
true |
- | create a user home (needed to store ssh keys) |
admin |
false |
- | enable it to give the user superpowers |
admin_commands |
string or list | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
admin_nopassword |
false |
- | Need no Password for sudo |
admin_ansible_login |
true |
- | if admin: true and l3d_users__create_ansible: true your ssh keys will be added to ansible user |
pubkeys |
string or lookup | - | see examples |
exclusive_pubkeys |
true |
- | delete all undefined ssh keys |
password |
password hash | - | See official FAQ |
groups |
list | - | Additional groups for your user |
remove |
false |
- | completly remove user if state: absent |
There is a third directory-variable called l3d_users__ssh_login: []
which only support name
and state
for users, that sould be able to login on that system.
Other Variables
name | default value | description |
---|---|---|
l3d_users__limit_login |
true |
Only allow SSH login for specified users |
l3d_users__sshd_port |
22 |
Port for SSH |
l3d_users__sshd_password_authentication |
false |
Allow login with Password |
l3d_users__sshd_permitrootlogin |
false |
Allow login as root |
l3d_users__create_ansible |
true |
Create Ansible User |
l3d_users__ansible_user_state |
present |
Ansible User State |
l3d_users__sshd_manage_server_key_types |
true |
Manage Server SSH Key types |
l3d_users__sshd_server_key_types |
['ed25519'] |
List of supported SSH Key Types |
l3d_users__sshd_manage_key_algorithmus |
true |
Manage SSH Key Algorythmins |
l3d_users__sshd_key_algorithmus |
['ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519', 'ecdsa-sha2-nistp521-cert-v01@openssh.com', 'ecdsa-sha2-nistp384-cert-v01@openssh.com', 'ecdsa-sha2-nistp256-cert-v01@openssh.com'] |
Used SSH Key Algorithms |
l3d_users__sshd_manage_kex_algorithmus |
true |
Manage SSH Kex Algorythms |
l3d_users__sshd_kex_algorithmus |
['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1'] |
Used Kex Algorythms |
l3d_users__sshd_manage_ciphers |
true |
Manage SSH Ciphers |
l3d_users__sshd_ciphers |
['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr'] |
Used SSH Ciphers |
l3d_users__sshd_manage_macs |
true |
Manage Used MACs |
l3d_users__sshd_macs |
['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512'] |
Used MACs |
l3d_users__sshd_xforwarding |
true |
Enable X-Forwarding |
l3d_users__server_key_mode |
0600 |
Mode of server keys in Filesystem |
submodules_versioncheck |
false |
Optionaly enable simple versionscheck of this role |
Example Playbook
- name: Create System with User and Passwords
hosts: example.com
roles:
- {role: l3d.users.sshd, tags: 'sshd'}
vars:
l3d_users__local_users:
- name: 'alice'
state: 'present'
- name: 'bob'
state: 'present'
l3d_users__ssh_login:
- name: 'charlie'
state: 'present'
l3d_users__limit_login: true
l3d_users__create_ansible: true
submodules_versioncheck: true