creating users + groups auth
This commit is contained in:
parent
a9beb6230e
commit
025ebcec25
3 changed files with 30 additions and 79 deletions
|
@ -51,23 +51,16 @@ sshd:
|
||||||
# - 'hmac-ripemd160-etm@openssh.com'
|
# - 'hmac-ripemd160-etm@openssh.com'
|
||||||
# - 'umac-128-etm@openssh.com'
|
# - 'umac-128-etm@openssh.com'
|
||||||
# - 'hmac-sha1'
|
# - 'hmac-sha1'
|
||||||
|
# Enable AllowUsers and AllowGroups options
|
||||||
|
restrict_users: True
|
||||||
|
allowed_users:
|
||||||
|
- "root"
|
||||||
|
- "ansible"
|
||||||
|
restrict_groups: True
|
||||||
|
allowed_groups:
|
||||||
|
- "root"
|
||||||
|
- "admins"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# default users for SSH access
|
|
||||||
#sshd_default_allowed_users:
|
|
||||||
# - "root"
|
|
||||||
# - "ansible"
|
|
||||||
#
|
|
||||||
## don't forget to add the ssh_access group!
|
|
||||||
#sshd_default_allowed_groups:
|
|
||||||
# - "root"
|
|
||||||
# - "admins"
|
|
||||||
##
|
|
||||||
## Enable AllowUsers and AllowGroups options
|
|
||||||
#restrict_allow_users: True
|
|
||||||
#
|
#
|
||||||
### Forcing only ed25519 SSH keys
|
### Forcing only ed25519 SSH keys
|
||||||
#only_allow_ed25519: true
|
#only_allow_ed25519: true
|
||||||
|
|
|
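Review bot: `restrict_users: True` and `restrict_groups: True` use the capitalised YAML 1.1 spelling; write `restrict_users: true` and `restrict_groups: true` so generic parsers and yamllint (`truthy`) treat them uniformly. Enabling both restrictions by default with an allow list of only `root` and `ansible` (plus the names the tasks hunk appends from `users.keys()`) means any other account that currently logs in over SSH is locked out once the handler restarts sshd, so a comment above `restrict_users` such as `# When enabled, only allowed_users (and managed users) may log in — add your own account before enabling` would save an operator a lockout. The former hint `## don't forget to add the ssh_access group!` is dropped in this hunk without a replacement.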
@ -14,10 +14,10 @@
|
||||||
- name: read default variable
|
- name: read default variable
|
||||||
include_vars: vars/default.yml
|
include_vars: vars/default.yml
|
||||||
|
|
||||||
#- name: Collect all users and groups allowed to login via ssh
|
- name: Collect all users and groups allowed to login via ssh
|
||||||
# set_fact:
|
set_fact:
|
||||||
# sshd_allow_users: '{{ sshd_default_allowed_users + users.keys() | default({}) | sort }}'
|
sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
|
||||||
# sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() | default({}) | sort }}'
|
sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
|
||||||
|
|
||||||
- name: Copy sshd configuration
|
- name: Copy sshd configuration
|
||||||
become: yes
|
become: yes
|
||||||
|
@ -27,7 +27,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
# validate: /usr/sbin/sshd -t -f %s
|
validate: /usr/sbin/sshd -t -f %s
|
||||||
backup: yes
|
backup: yes
|
||||||
notify:
|
notify:
|
||||||
- systemctrl restart ssh
|
- systemctrl restart ssh
|
||||||
|
|
|
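Review bot: In the new `set_fact`, `users.keys()` is appended to both `sshd_allowed_users` and `sshd_allowed_groups`, so every managed user name is also emitted as an allowed group name; if that is deliberate (per-user primary groups) it deserves a comment, otherwise the groups fact should come from a separate group source rather than the user map. The `default({})` filter binds to the result of `users.keys()`, not to `users`, so a host without a `users` variable will most likely fail at render time before the default applies; `(users | default({})).keys()` guards that case. Note that the now-active `validate: /usr/sbin/sshd -t -f %s` only checks syntax, so a well-formed but wrong `AllowUsers`/`AllowGroups` line still passes validation.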
@ -1,4 +1,5 @@
|
||||||
# Attention, local changew will be overwritten
|
# Attention, local changew will be overwritten
|
||||||
|
# MIT (C) L3D
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
# Networking
|
# Networking
|
||||||
|
@ -7,23 +8,23 @@ Port {{ sshd.port }}
|
||||||
TCPKeepAlive yes
|
TCPKeepAlive yes
|
||||||
|
|
||||||
# Key exchange
|
# Key exchange
|
||||||
KexAlgorithms
|
{{ 'KexAlgorithms ' }}
|
||||||
{%- for algo in sshd.kex_algorithmus -%}
|
{%- for algo in sshd.kex_algorithmus -%}
|
||||||
{{ ' ' }}{{ algo }}{{ "," if not loop.last }}
|
{{ algo }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
|
||||||
# Ciphers:
|
# Ciphers:
|
||||||
Ciphers
|
{{ 'Ciphers ' }}
|
||||||
{%- for cipher in sshd.ciphers -%}
|
{%- for cipher in sshd.ciphers -%}
|
||||||
{{ ' ' }}{{ cipher }}{{ "," if not loop.last }}
|
{{ cipher }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
|
||||||
# Macs
|
# Macs
|
||||||
MACs
|
{{ 'MACs ' }}
|
||||||
{%- for mac in sshd.macs -%}
|
{%- for mac in sshd.macs -%}
|
||||||
{{ ' ' }}{{ mac }}{{ "," if not loop.last }}
|
{{ mac }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
# Server authentication
|
# Server authentication
|
||||||
|
@ -39,9 +40,9 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
|
||||||
|
|
||||||
# HostKeyAlgorithms
|
# HostKeyAlgorithms
|
||||||
# Maybe not available in openssh 6.7
|
# Maybe not available in openssh 6.7
|
||||||
HostKeyAlgorithms
|
{{ 'HostKeyAlgorithms ' }}
|
||||||
{%- for key in sshd.key_algorithmus -%}
|
{%- for key in sshd.key_algorithmus -%}
|
||||||
{{ ' ' }}{{ key }}{{ "," if not loop.last }}
|
{{ key }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
|
||||||
|
@ -54,61 +55,21 @@ PasswordAuthentication
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ChallengeResponseAuthentication no
|
ChallengeResponseAuthentication no
|
||||||
PubkeyAuthentication yes
|
PubkeyAuthentication yes
|
||||||
|
PermitRootLogin without-password
|
||||||
|
LoginGraceTime 120
|
||||||
|
StrictModes yes
|
||||||
|
|
||||||
# If you just want the PAM account and session checks to run without
|
# If you just want the PAM account and session checks to run without
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
UsePAM yes
|
UsePAM yes
|
||||||
|
|
||||||
{#
|
|
||||||
# User Authentication
|
# User Authentication
|
||||||
{% if restrict_allow_users|default(True) %}
|
{% if sshd.restrict_users -%}
|
||||||
AllowUsers {{ sshd_allow_users|join(' ') }}
|
AllowUsers {{ sshd_allowed_users|join(' ') }}
|
||||||
AllowGroups {{ sshd_allow_groups|join(' ') }}
|
|
||||||
{% endif %}
|
|
||||||
PermitRootLogin without-password
|
|
||||||
|
|
||||||
LoginGraceTime 120
|
|
||||||
|
|
||||||
StrictModes yes
|
|
||||||
|
|
||||||
# Not available in openssh 6.7
|
|
||||||
{% if only_allow_ed25519 == false %}# {%
|
|
||||||
endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
|
|
||||||
|
|
||||||
# Symmetric ciphers
|
|
||||||
#Ciphers chacha20-poly1305@openssh.com,
|
|
||||||
# aes256-gcm@openssh.com,
|
|
||||||
# aes128-gcm@openssh.com,
|
|
||||||
# aes256-ctr,
|
|
||||||
# aes192-ctr,
|
|
||||||
# aes128-ctr
|
|
||||||
{% if ansible_distribution_release == 'wheezy' -%}
|
|
||||||
Ciphers aes192-ctr,aes256-ctr,arcfour256
|
|
||||||
{%- else -%}
|
|
||||||
Ciphers chacha20-poly1305@openssh.com
|
|
||||||
{%- if use_aes256_ctr -%}
|
|
||||||
,aes256-ctr
|
|
||||||
{%- endif -%}
|
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
{% if sshd.restrict_groups -%}
|
||||||
|
AllowUsers {{ sshd_allowed_groups|join(' ') }}
|
||||||
# Message authentication codes
|
|
||||||
#MACs hmac-sha2-512-etm@openssh.com,
|
|
||||||
# hmac-sha2-256-etm@openssh.com,
|
|
||||||
# hmac-ripemd160-etm@openssh.com,
|
|
||||||
# umac-128-etm@openssh.com,
|
|
||||||
# hmac-sha2-512,
|
|
||||||
# hmac-sha2-256,
|
|
||||||
# hmac-ripemd160,
|
|
||||||
# umac-128@openssh.com
|
|
||||||
{% if ansible_distribution_release == 'wheezy' -%}
|
|
||||||
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
|
||||||
{%- else -%}
|
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
|
||||||
{%- if use_hmac_sha2_512 -%}
|
|
||||||
,hmac-sha2-512
|
|
||||||
{%- endif -%}
|
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
# Allow client to pass locale environment variables
|
# Allow client to pass locale environment variables
|
||||||
|
@ -123,6 +84,3 @@ Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||||
{% else %}
|
{% else %}
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# ETC
|
|
||||||
#}
|
|
||||||
|
|
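Review bot: The new group branch emits the wrong directive: inside `{% if sshd.restrict_groups -%}` the line reads `AllowUsers {{ sshd_allowed_groups|join(' ') }}`, so the group list is written as user names and no `AllowGroups` directive is rendered at all; the intended line is `AllowGroups {{ sshd_allowed_groups|join(' ') }}`. Because the rendered file remains syntactically valid, `sshd -t` in the copy task will not catch this, and the effective policy is looser than the variables suggest (no group restriction, and names such as `admins` accepted as user names). The hunk also drops the old `AllowGroups` line from the `restrict_users` branch, which fits the new split, but the two branches should be read together when fixing this.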