diff --git a/defaults/main.yml b/defaults/main.yml
index 0b6ceb9..6019052 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -51,23 +51,16 @@ sshd:
 # - 'hmac-ripemd160-etm@openssh.com'
 # - 'umac-128-etm@openssh.com'
 # - 'hmac-sha1'
+ # Enable AllowUsers and AllowGroups options
+ restrict_users: True
+ allowed_users:
+ - "root"
+ - "ansible"
+ restrict_groups: True
+ allowed_groups:
+ - "root"
+ - "admins"
-
-
-
-#
-# default users for SSH access
-#sshd_default_allowed_users:
-# - "root"
-# - "ansible"
-#
-## don't forget to add the ssh_access group!
-#sshd_default_allowed_groups:
-# - "root"
-# - "admins"
-##
-## Enable AllowUsers and AllowGroups options
-#restrict_allow_users: True
 # ### Forcing only ed25519 SSH keys
 #only_allow_ed25519: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 054fbf3..a523a3a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,10 +14,10 @@
 - name: read default variable
 include_vars: vars/default.yml
-#- name: Collect all users and groups allowed to login via ssh
-# set_fact:
-# sshd_allow_users: '{{ sshd_default_allowed_users + users.keys() | default({}) | sort }}'
-# sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() | default({}) | sort }}'
+- name: Collect all users and groups allowed to login via ssh
+ set_fact:
+ sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
+ sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
 - name: Copy sshd configuration
 become: yes
@@ -27,7 +27,7 @@
 owner: root
 group: root
 mode: 'u=rw,g=r,o=r'
-# validate: /usr/sbin/sshd -t -f %s
+ validate: /usr/sbin/sshd -t -f %s
 backup: yes
 notify:
 - systemctrl restart ssh
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index aa6e0bf..c464fa1 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -1,4 +1,5 @@
 # Attention, local changew will be overwritten
+# MIT (C) L3D
 # {{ ansible_managed }}
 # Networking 
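Review bot: `restrict_users: True` and `restrict_groups: True` spell the booleans Python-style; YAML 1.2 only recognises `true`/`false` and yamllint's `truthy` rule flags the capitalised form, so `restrict_users: true` and `restrict_groups: true` are the portable spelling. The comment above them could say what the lists actually do, since tasks/main.yml extends them with the keys of the `users` dict before they reach the template: `# Restrict SSH logins to these users/groups; the keys of the 'users' dict are appended in tasks/main.yml`. The context line `#only_allow_ed25519: true` appears to lose its consumer in this commit, as the `only_allow_ed25519` conditional is dropped from templates/sshd_config.j2 further down, so it is worth marking that commented default as unused or removing it.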
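Review bot: In both `set_fact` expressions `default({})` is applied to the result of `users.keys()`, not to `users`, so a host without a `users` variable most likely fails on the `.keys()` call before the default is ever consulted; `(users | default({})).keys()` is the order that actually guards it, for `sshd_allowed_users` and `sshd_allowed_groups` alike. `sshd_allowed_groups` appends user names to the group list, which presumably relies on every managed user having a same-named primary group — that assumption deserves a comment on the task. The concatenation is also never de-duplicated (`root` is in `sshd.allowed_users` and could be a `users` key too), which sshd tolerates but which makes the rendered AllowUsers line harder to audit; `| unique` after the concatenation would keep it tidy.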
@@ -7,23 +8,23 @@ Port {{ sshd.port }}
 TCPKeepAlive yes
 # Key exchange
-KexAlgorithms
+{{ 'KexAlgorithms ' }}
 {%- for algo in sshd.kex_algorithmus -%}
-{{ ' ' }}{{ algo }}{{ "," if not loop.last }}
+{{ algo }}{{ "," if not loop.last }}
 {%- endfor %}
 # Ciphers:
-Ciphers
+{{ 'Ciphers ' }}
 {%- for cipher in sshd.ciphers -%}
-{{ ' ' }}{{ cipher }}{{ "," if not loop.last }}
+{{ cipher }}{{ "," if not loop.last }}
 {%- endfor %}
 # Macs
-MACs
+{{ 'MACs ' }}
 {%- for mac in sshd.macs -%}
-{{ ' ' }}{{ mac }}{{ "," if not loop.last }}
+{{ mac }}{{ "," if not loop.last }}
 {%- endfor %}
 # Server authentication
@@ -39,9 +40,9 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
 # HostKeyAlgorithms # Maybe not available in openssh 6.7
-HostKeyAlgorithms
+{{ 'HostKeyAlgorithms ' }}
 {%- for key in sshd.key_algorithmus -%}
-{{ ' ' }}{{ key }}{{ "," if not loop.last }}
+{{ key }}{{ "," if not loop.last }}
 {%- endfor %} 
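Review bot: Emitting the keyword through an expression, `{{ 'KexAlgorithms ' }}` followed by a whitespace-stripped loop, is a roundabout way to get a single line; `KexAlgorithms {{ sshd.kex_algorithmus | join(',') }}` produces the same comma-separated value in one readable line, and the same applies to the Ciphers and MACs stanzas here and to HostKeyAlgorithms in the second hunk. Either form renders a bare keyword with no value when the list is empty, which the `sshd -t` validation enabled in tasks/main.yml should reject at deploy time rather than at the next sshd restart; a short comment above each stanza saying that an empty list is not supported would make that explicit.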
@@ -54,61 +55,21 @@ PasswordAuthentication
 {% endif %}
 ChallengeResponseAuthentication no
 PubkeyAuthentication yes
+PermitRootLogin without-password
+LoginGraceTime 120
+StrictModes yes
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-{# # User Authentication
-{% if restrict_allow_users|default(True) %}
-AllowUsers {{ sshd_allow_users|join(' ') }}
-AllowGroups {{ sshd_allow_groups|join(' ') }}
-{% endif %}
-PermitRootLogin without-password
-
-LoginGraceTime 120
-
-StrictModes yes
-
-# Not available in openssh 6.7
-{% if only_allow_ed25519 == false %}# {%
-endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
-
-# Symmetric ciphers
-#Ciphers chacha20-poly1305@openssh.com,
-# aes256-gcm@openssh.com,
-# aes128-gcm@openssh.com,
-# aes256-ctr,
-# aes192-ctr,
-# aes128-ctr
-{% if ansible_distribution_release == 'wheezy' -%}
- Ciphers aes192-ctr,aes256-ctr,arcfour256
-{%- else -%}
- Ciphers chacha20-poly1305@openssh.com
- {%- if use_aes256_ctr -%}
- ,aes256-ctr
- {%- endif -%}
+{% if sshd.restrict_users -%}
+ AllowUsers {{ sshd_allowed_users|join(' ') }}
 {%- endif %}
-
-
-# Message authentication codes
-#MACs hmac-sha2-512-etm@openssh.com,
-# hmac-sha2-256-etm@openssh.com,
-# hmac-ripemd160-etm@openssh.com,
-# umac-128-etm@openssh.com,
-# hmac-sha2-512,
-# hmac-sha2-256,
-# hmac-ripemd160,
-# umac-128@openssh.com
-{% if ansible_distribution_release == 'wheezy' -%}
- MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-{%- else -%}
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
- {%- if use_hmac_sha2_512 -%}
- ,hmac-sha2-512
- {%- endif -%}
+{% if sshd.restrict_groups -%}
+ AllowUsers {{ sshd_allowed_groups|join(' ') }}
 {%- endif %}
 # Allow client to pass locale environment variables 
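Review bot: The `restrict_groups` branch writes `AllowUsers {{ sshd_allowed_groups|join(' ') }}`, so the group list becomes a second AllowUsers line and no AllowGroups directive is rendered at all: sshd would read `root admins` as extra user patterns while the group restriction that `sshd.restrict_groups` promises never takes effect. The line should be `AllowGroups {{ sshd_allowed_groups|join(' ') }}`. `PermitRootLogin without-password` is the pre-OpenSSH-7.0 spelling that current releases still accept as an alias for `prohibit-password`; the current keyword states the intent more clearly. Note also that everything from the removed `{#` down to the `#}` dropped in the last hunk was a Jinja comment before, so AllowUsers, PermitRootLogin, LoginGraceTime and StrictModes become live directives only with this change and the rendered file is worth inspecting on one host.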
@@ -123,6 +84,3 @@ Subsystem sftp /usr/libexec/openssh/sftp-server
 {% else %}
 Subsystem sftp /usr/lib/openssh/sftp-server
 {% endif %}
-
-# ETC
-#}