1
0
Fork 0
mirror of https://github.com/roles-ansible/ansible_role_sshd.git synced 2024-08-16 11:59:49 +02:00

creating users + groups auth

This commit is contained in:
Lilian Roller 2020-03-18 11:30:48 +01:00
parent a9beb6230e
commit 025ebcec25
No known key found for this signature in database
GPG key ID: 5215C3441797AB2B
3 changed files with 30 additions and 79 deletions

View file

@ -51,23 +51,16 @@ sshd:
# - 'hmac-ripemd160-etm@openssh.com' # - 'hmac-ripemd160-etm@openssh.com'
# - 'umac-128-etm@openssh.com' # - 'umac-128-etm@openssh.com'
# - 'hmac-sha1' # - 'hmac-sha1'
# Enable AllowUsers and AllowGroups options
restrict_users: True
allowed_users:
- "root"
- "ansible"
restrict_groups: True
allowed_groups:
- "root"
- "admins"
#
# default users for SSH access
#sshd_default_allowed_users:
# - "root"
# - "ansible"
#
## don't forget to add the ssh_access group!
#sshd_default_allowed_groups:
# - "root"
# - "admins"
##
## Enable AllowUsers and AllowGroups options
#restrict_allow_users: True
# #
### Forcing only ed25519 SSH keys ### Forcing only ed25519 SSH keys
#only_allow_ed25519: true #only_allow_ed25519: true

View file

@ -14,10 +14,10 @@
- name: read default variable - name: read default variable
include_vars: vars/default.yml include_vars: vars/default.yml
#- name: Collect all users and groups allowed to login via ssh - name: Collect all users and groups allowed to login via ssh
# set_fact: set_fact:
# sshd_allow_users: '{{ sshd_default_allowed_users + users.keys() | default({}) | sort }}' sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
# sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() | default({}) | sort }}' sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
- name: Copy sshd configuration - name: Copy sshd configuration
become: yes become: yes
@ -27,7 +27,7 @@
owner: root owner: root
group: root group: root
mode: 'u=rw,g=r,o=r' mode: 'u=rw,g=r,o=r'
# validate: /usr/sbin/sshd -t -f %s validate: /usr/sbin/sshd -t -f %s
backup: yes backup: yes
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh

View file

@ -1,4 +1,5 @@
# Attention, local changew will be overwritten # Attention, local changew will be overwritten
# MIT (C) L3D
# {{ ansible_managed }} # {{ ansible_managed }}
# Networking # Networking
@ -7,23 +8,23 @@ Port {{ sshd.port }}
TCPKeepAlive yes TCPKeepAlive yes
# Key exchange # Key exchange
KexAlgorithms {{ 'KexAlgorithms ' }}
{%- for algo in sshd.kex_algorithmus -%} {%- for algo in sshd.kex_algorithmus -%}
{{ ' ' }}{{ algo }}{{ "," if not loop.last }} {{ algo }}{{ "," if not loop.last }}
{%- endfor %} {%- endfor %}
# Ciphers: # Ciphers:
Ciphers {{ 'Ciphers ' }}
{%- for cipher in sshd.ciphers -%} {%- for cipher in sshd.ciphers -%}
{{ ' ' }}{{ cipher }}{{ "," if not loop.last }} {{ cipher }}{{ "," if not loop.last }}
{%- endfor %} {%- endfor %}
# Macs # Macs
MACs {{ 'MACs ' }}
{%- for mac in sshd.macs -%} {%- for mac in sshd.macs -%}
{{ ' ' }}{{ mac }}{{ "," if not loop.last }} {{ mac }}{{ "," if not loop.last }}
{%- endfor %} {%- endfor %}
# Server authentication # Server authentication
@ -39,9 +40,9 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
# HostKeyAlgorithms # HostKeyAlgorithms
# Maybe not available in openssh 6.7 # Maybe not available in openssh 6.7
HostKeyAlgorithms {{ 'HostKeyAlgorithms ' }}
{%- for key in sshd.key_algorithmus -%} {%- for key in sshd.key_algorithmus -%}
{{ ' ' }}{{ key }}{{ "," if not loop.last }} {{ key }}{{ "," if not loop.last }}
{%- endfor %} {%- endfor %}
@ -54,61 +55,21 @@ PasswordAuthentication
{% endif %} {% endif %}
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
PubkeyAuthentication yes PubkeyAuthentication yes
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
UsePAM yes UsePAM yes
{#
# User Authentication # User Authentication
{% if restrict_allow_users|default(True) %} {% if sshd.restrict_users -%}
AllowUsers {{ sshd_allow_users|join(' ') }} AllowUsers {{ sshd_allowed_users|join(' ') }}
AllowGroups {{ sshd_allow_groups|join(' ') }}
{% endif %}
PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
# Not available in openssh 6.7
{% if only_allow_ed25519 == false %}# {%
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Symmetric ciphers
#Ciphers chacha20-poly1305@openssh.com,
# aes256-gcm@openssh.com,
# aes128-gcm@openssh.com,
# aes256-ctr,
# aes192-ctr,
# aes128-ctr
{% if ansible_distribution_release == 'wheezy' -%}
Ciphers aes192-ctr,aes256-ctr,arcfour256
{%- else -%}
Ciphers chacha20-poly1305@openssh.com
{%- if use_aes256_ctr -%}
,aes256-ctr
{%- endif -%}
{%- endif %} {%- endif %}
{% if sshd.restrict_groups -%}
AllowUsers {{ sshd_allowed_groups|join(' ') }}
# Message authentication codes
#MACs hmac-sha2-512-etm@openssh.com,
# hmac-sha2-256-etm@openssh.com,
# hmac-ripemd160-etm@openssh.com,
# umac-128-etm@openssh.com,
# hmac-sha2-512,
# hmac-sha2-256,
# hmac-ripemd160,
# umac-128@openssh.com
{% if ansible_distribution_release == 'wheezy' -%}
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
{%- else -%}
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
{%- if use_hmac_sha2_512 -%}
,hmac-sha2-512
{%- endif -%}
{%- endif %} {%- endif %}
# Allow client to pass locale environment variables # Allow client to pass locale environment variables
@ -123,6 +84,3 @@ Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %} {% else %}
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %} {% endif %}
# ETC
#}