From a57ef169c5ac20865c6c09c70ae212c5d03c1e6a Mon Sep 17 00:00:00 2001 From: L3D Date: Tue, 4 Aug 2020 15:07:02 +0200 Subject: [PATCH] change variable layout --- README.md | 17 ------ defaults/main.yml | 125 ++++++++++++++++++--------------------- handlers/main.yml | 4 +- tasks/main.yml | 16 ++--- tasks/versioncheck.yml | 24 +------- templates/sshd_config.j2 | 26 ++++---- vars/main.yml | 9 +-- vars/sshd_archlinux.yml | 6 +- vars/sshd_centos.yml | 6 +- vars/sshd_debian.yml | 6 +- vars/sshd_default.yml | 6 +- vars/sshd_fedora.yml | 6 +- 12 files changed, 94 insertions(+), 157 deletions(-) diff --git a/README.md b/README.md index 8da33c5..fd35134 100644 --- a/README.md +++ b/README.md @@ -20,23 +20,6 @@ The following roles are tested in combination and work well - at least for the u ------------------------------ **Remember:** Have a look into ``defaults/main.yml`` for all possible variables. -```bash -restrict_allow_users: True -``` -With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else. -The default ddh groups are ``admins`` and ``root`` - -```bash -only_allow_ed25519: true -``` -Force ssh to deny all ssh keys except for eliptic curve ed25519 keys. - -```bash -sshd_password_authentication: 'no' -``` -Change the string from 'no' to 'yes' if you want to log in with a password (not recomended). - -There are some other cryptographic algorythmen you could enable... ### Important part: Define the users (and optional their ssh keys) for the ssh config template: diff --git a/defaults/main.yml b/defaults/main.yml index 075031d..87fd492 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,80 +1,67 @@ --- -sshd: - # set the ssh server port - port: 22 +# set the ssh server port +sshd__port: 22 # ssh password authorisatuin (not recomended) - password_authentication: false +sshd__password_authentication: false # should we disable not selected ssh key types? - manage_key_types: true +sshd__manage_key_types: true # choose ssh server allowed key types - key_types: - - 'ed25519' - # - 'rsa' - # - 'ecdsa' - # - 'dsa' # (do not use!) +sshd__key_types: + - 'ed25519' + # - 'rsa' + # - 'ecdsa' + # - 'dsa' # (do not use!) - key_algorithmus: - - 'ssh-ed25519-cert-v01@openssh.com' - - 'ssh-ed25519' - # - 'ecdsa-sha2-nistp521-cert-v01@openssh.com' - # - 'ecdsa-sha2-nistp384-cert-v01@openssh.com' - # - 'ecdsa-sha2-nistp256-cert-v01@openssh.com' - # - 'rsa-sha2-512-cert-v01@openssh.com' - # - 'rsa-sha2-256-cert-v01@openssh.com' - # - 'ssh-rsa-cert-v01@openssh.com' - # - 'ecdsa-sha2-nistp521' - # - 'ecdsa-sha2-nistp384' - # - 'ecdsa-sha2-nistp256' - # - 'rsa-sha2-512' - # - 'rsa-sha2-256' - # - 'ssh-rsa' +sshd__key_algorithmus: + - 'ssh-ed25519-cert-v01@openssh.com' + - 'ssh-ed25519' + # - 'ecdsa-sha2-nistp521-cert-v01@openssh.com' + # - 'ecdsa-sha2-nistp384-cert-v01@openssh.com' + # - 'ecdsa-sha2-nistp256-cert-v01@openssh.com' + # - 'rsa-sha2-512-cert-v01@openssh.com' + # - 'rsa-sha2-256-cert-v01@openssh.com' + # - 'ssh-rsa-cert-v01@openssh.com' + # - 'ecdsa-sha2-nistp521' + # - 'ecdsa-sha2-nistp384' + # - 'ecdsa-sha2-nistp256' + # - 'rsa-sha2-512' + # - 'rsa-sha2-256' + # - 'ssh-rsa' - kex_algorithmus: - - 'curve25519-sha256@libssh.org' - - 'diffie-hellman-group-exchange-sha256' - # - 'diffie-hellman-group-exchange-sha1' - # - 'diffie-hellman-group14-sha1' - # - 'diffie-hellman-group1-sha1' +sshd__kex_algorithmus: + - 'curve25519-sha256@libssh.org' + - 'diffie-hellman-group-exchange-sha256' + # - 'diffie-hellman-group-exchange-sha1' + # - 'diffie-hellman-group14-sha1' + # - 'diffie-hellman-group1-sha1' - ciphers: - - 'chacha20-poly1305@openssh.com' - - 
'aes256-gcm@openssh.com' - # - 'aes256-ctr' - # - 'aes256-cbc' - # - 'aes128-ctr' - # - 'aes128-cbc' - macs: - - 'hmac-sha2-512-etm@openssh.com' - - 'hmac-sha2-256-etm@openssh.com' - # - 'hmac-sha2-512' - # - 'hmac-sha2-256' - # - 'hmac-ripemd160-etm@openssh.com' - # - 'umac-128-etm@openssh.com' - # - 'hmac-sha1' - # Enable AllowUsers and AllowGroups options - restrict_users: True - allowed_users: - - "root" - - "ansible" - restrict_groups: True - allowed_groups: - - "root" - - "admins" - xforwarding: True +sshd__ciphers: + - 'chacha20-poly1305@openssh.com' + - 'aes256-gcm@openssh.com' + # - 'aes256-ctr' + # - 'aes256-cbc' + # - 'aes128-ctr' + # - 'aes128-cbc' -# -### Forcing only ed25519 SSH keys -#only_allow_ed25519: true -# -## Allow login with password? -# -### Allow optional cryptho methods (NOT RECOMENDED) -#generate_ecdsa_too: false -#use_diffie_hellman_group_exchange_sha256: false -#u#se_aes256_ctr: false -#u#se_hmac_sha2_512: false -### -#do_not_delete_legacy_ssh_keys: true +sshd__macs: + - 'hmac-sha2-512-etm@openssh.com' + - 'hmac-sha2-256-etm@openssh.com' + # - 'hmac-sha2-512' + # - 'hmac-sha2-256' + # - 'hmac-ripemd160-etm@openssh.com' + # - 'umac-128-etm@openssh.com' + # - 'hmac-sha1' + +# Enable AllowUsers and AllowGroups options +sshd__restrict_users: True +sshd__allowed_users: + - "root" + - "ansible" +sshd__restrict_groups: True +sshd__allowed_groups: + - "root" + - "admins" +sshd__xforwarding: True # perform simple version check for this role? (true is recomended) submodules_versioncheck: false diff --git a/handlers/main.yml b/handlers/main.yml index 12e4c62..44e4115 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,6 +2,6 @@ - name: systemctrl restart ssh become: yes service: - name: "{{ sshd_service }}" + name: "{{ sshd__service }}" state: restarted - when: sshd_service is defined + when: sshd__service is defined diff --git a/tasks/main.yml b/tasks/main.yml index 2a518a9..02c64e2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
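Review bot: `sshd__xforwarding: True` keeps X11 forwarding enabled by default, which the template turns into `X11Forwarding yes`; that is an unnecessary server-side exposure, since code running under a forwarded session's account on the server can reach the connecting client's X display, and hardening baselines leave it off unless a workload needs it. A safer default is `sshd__xforwarding: false` with the comment `# X11 forwarding is off by default; enable only on hosts that need it`. On style, this hunk mixes `True` and `false`; yamllint's truthy rule wants lowercase `true`/`false` throughout (all of them pass through `| bool` in the template, so behaviour is unaffected). Because every user-facing variable moves from the `sshd:` dictionary to flat `sshd__*` keys, an existing `sshd: {allowed_users: [...]}` override is now silently ignored and the role falls back to these defaults, so a short migration comment at the top of this file would save users from an unexpected AllowUsers list.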
@@ -1,8 +1,4 @@ --- -- name: combine sshd variable - set_fact: - sshd: "{{ _sshd|combine(sshd, recursive=True) }}" - - include_tasks: versioncheck.yml when: submodules_versioncheck|bool @@ -16,8 +12,8 @@ - name: Collect all users and groups allowed to login via ssh set_fact: - sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}' - sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}' + sshd__allowed_users: '{{ sshd__allowed_users + users.keys() | default({}) | sort }}' + sshd__allowed_groups: '{{ sshd__allowed_groups + users.keys() | default({}) | sort }}' - name: Generate new ssh host key pair if necessary become: yes @@ -27,9 +23,9 @@ creates: 'ssh_host_{{ item }}_key.pub' notify: - systemctrl restart ssh - with_items: "{{ sshd.key_types }}" + with_items: "{{ sshd__key_types }}" when: - - sshd.manage_key_types | bool + - sshd__manage_key_types | bool - name: Remove unwanted host keys become: yes @@ -48,7 +44,7 @@ state: absent become: yes with_items: - - "{{ sshd_key_types_list | difference( sshd.key_types ) }}" + - "{{ sshd__key_types_list | difference( sshd__key_types ) }}" notify: - systemctrl restart ssh @@ -58,7 +54,7 @@ state: absent become: yes with_items: - - "{{ sshd_key_types_list | difference( sshd.key_types ) }}" + - "{{ sshd__key_types_list | difference( sshd__key_types ) }}" notify: - systemctrl restart ssh diff --git a/tasks/versioncheck.yml b/tasks/versioncheck.yml index 9cfdbba..598b57f 100644 --- a/tasks/versioncheck.yml +++ b/tasks/versioncheck.yml @@ -7,15 +7,6 @@ mode: 0755 when: submodules_versioncheck|bool -- name: check legacy playbook version - become: true - slurp: - src: "/etc/ansible-version/{{ playbook_version_path }}" - register: legacy_playbook_version - when: submodules_versioncheck|bool - ignore_errors: yes - changed_when: False - - name: check playbook version become: true slurp: 
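Review bot: In the `Collect all users and groups` set_fact the `|` filters bind tighter than `+`, so `default({})` and `sort` apply only to `users.keys()` and the concatenated list is never sorted; moreover `users.keys()` is evaluated before `default` can step in, so with `users` undefined this presumably raises instead of defaulting — worth confirming. Consider `sshd__allowed_users: "{{ (sshd__allowed_users + ((users | default({})).keys() | list)) | sort | unique }}"` and the same shape for `sshd__allowed_groups`. Since every key of `users` is implicitly promoted into the SSH allow-list, a comment such as `# every managed user is implicitly allowed to log in via ssh` would make that contract explicit.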
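Review bot: The `Remove unwanted host keys` deletion iterates `sshd__key_types_list | difference(sshd__key_types)` with no `when: sshd__manage_key_types | bool` visible in this hunk, whereas the generation task above is guarded by that flag; if the guard is not on the task header outside the hunk, setting `sshd__manage_key_types: false` still deletes the host's rsa/ecdsa/dsa key pairs. Deleting a host key is a visible identity change for every client holding it in known_hosts, so it should be opt-in under the same flag, `when: sshd__manage_key_types | bool`, on this task and on the identical one in the following hunk. The task headers sit outside the hunks shown.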
@@ -23,6 +14,7 @@ register: playbook_version when: submodules_versioncheck|bool ignore_errors: yes + failed_when: false - name: Print remote role version debug: @@ -39,26 +31,12 @@ msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!" when: - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool - - legacy_playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool - -- name: delete legacy version if needed - become: true - file: - state: absent - path: "/etc/ansible-version/{{ playbook_version_path }}" - name: check if '/etc/ansible-version/' is empty find: paths: '/etc/ansible-version/' register: filesFound -- name: delete legacy version folder if needed - become: true - file: - state: absent - path: "/etc/ansible-version" - when: filesFound.matched < 0 - - name: write new version to remote disk become: true copy: diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 0dde17d..b67aea6 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -7,7 +7,7 @@ Include /etc/ssh/sshd_config.d/*.conf # Networking -Port {{ sshd.port }} +Port {{ sshd__port }} AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: @@ -16,7 +16,7 @@ TCPKeepAlive yes # Key exchange {{ 'KexAlgorithms ' }} -{%- for algo in sshd.kex_algorithmus -%} +{%- for algo in sshd__kex_algorithmus -%} {{ algo }}{{ "," if not loop.last }} {%- endfor %} @@ -25,7 +25,7 @@ TCPKeepAlive yes #RekeyLimit default none {{ 'Ciphers ' }} -{%- for cipher in sshd.ciphers -%} +{%- for cipher in sshd__ciphers -%} {{ cipher }}{{ "," if not loop.last }} {%- endfor %} @@ -36,7 +36,7 @@ LogLevel INFO # Macs {{ 'MACs ' }} -{%- for mac in sshd.macs -%} +{%- for mac in sshd__macs -%} {{ mac }}{{ "," if not loop.last }} {%- endfor %} 
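Review bot: The added `failed_when: false` on the `check playbook version` slurp sits next to the existing `ignore_errors: yes`, and the two overlap; `failed_when: false` alone is the cleaner form, as it neither reports the task as failed nor needs the ignore, and a comment such as `# a missing version file on a fresh host is expected, not an error` would explain why. The `yes` should also become `true` per yamllint's truthy rule if the line is kept.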
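Review bot: With the `delete legacy version folder if needed` task removed, the `check if '/etc/ansible-version/' is empty` find task and its `filesFound` register have no consumer left in this hunk (the only reader was the removed `filesFound.matched < 0` condition, which could never be true anyway); unless it is read below the hunk, drop the find task. The remaining outdated-version test `playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int` is hard to read at a glance, and a comment such as `# remote recorded a newer role version than this copy: warn that this role is stale` would help the next reader.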
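Review bot: The `KexAlgorithms` directive is assembled from a whitespace-trimming for-loop, which is fragile (a misplaced `-` in the tags swallows the newline) and renders `KexAlgorithms ` with an empty value when `sshd__kex_algorithmus` is `[]`, which sshd treats as a missing argument and refuses at start-up; a single `KexAlgorithms {{ sshd__kex_algorithmus | join(',') }}` wrapped in `{% if sshd__kex_algorithmus %}` is equivalent for non-empty lists and easier to audit. The same pattern is repeated for Ciphers, MACs and HostKeyAlgorithms in the neighbouring hunks.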
@@ -44,9 +44,9 @@ LogLevel INFO Protocol 2 -{% if sshd.manage_key_types | bool -%} +{% if sshd__manage_key_types | bool -%} # host key types -{% for key in sshd.key_types %} +{% for key in sshd__key_types %} HostKey /etc/ssh/ssh_host_{{ key }}_key {% endfor %} {%- endif %} @@ -55,7 +55,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key # HostKeyAlgorithms # Maybe not available in openssh 6.7 {{ 'HostKeyAlgorithms ' }} -{%- for key in sshd.key_algorithmus -%} +{%- for key in sshd__key_algorithmus -%} {{ key }}{{ "," if not loop.last }} {%- endfor %} @@ -64,7 +64,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key MaxAuthTries 6 MaxSessions 10 PasswordAuthentication -{%- if sshd.password_authentication | bool -%} +{%- if sshd__password_authentication | bool -%} {{ ' yes' }} {% else -%} {{ ' no' }} @@ -75,7 +75,7 @@ PermitRootLogin without-password LoginGraceTime 120 StrictModes yes X11Forwarding -{%- if sshd.xforwarding | bool -%} +{%- if sshd__xforwarding | bool -%} {{ ' yes' }} {% else -%} {{ ' no' }} @@ -112,11 +112,11 @@ TCPKeepAlive yes UsePAM yes # User Authentication -{% if sshd.restrict_users -%} - AllowUsers {{ sshd_allowed_users|join(' ') }} +{% if sshd__restrict_users -%} + AllowUsers {{ sshd__allowed_users|join(' ') }} {%- endif %} -{% if sshd.restrict_groups -%} - AllowUsers {{ sshd_allowed_groups|join(' ') }} +{% if sshd__restrict_groups -%} + AllowUsers {{ sshd__allowed_groups|join(' ') }} {%- endif %} # Allow client to pass locale environment variables diff --git a/vars/main.yml b/vars/main.yml index 24c606b..d50c765 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,10 +1,3 @@ --- -_sshd: - port: 22 - password_authentication: false - manage_key_types: true - key_types: - - ed25519 - -playbook_version_number: 2060 # should be over ninethousand +playbook_version_number: 2070 # should be over ninethousand playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version' diff --git a/vars/sshd_archlinux.yml b/vars/sshd_archlinux.yml index 5ac9abc..f866ea5 100644 
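Review bot: The `sshd__restrict_groups` branch still emits `AllowUsers {{ sshd__allowed_groups|join(' ') }}`, so the group list is written as a second AllowUsers directive and `AllowGroups` is never set; with the defaults this adds the literal user names `admins` and `root` to the allow-list and applies no group restriction at all. The commit renames the variables but carries the wrong directive over unchanged; it should read `AllowGroups {{ sshd__allowed_groups|join(' ') }}`. Because sshd accumulates repeated AllowUsers directives, the current output also widens the user allow-list by whatever names end up in `sshd__allowed_groups`, including every key of `users` that the task file appends there. For consistency with the other tests in this template, the conditions should be `{% if sshd__restrict_users | bool -%}` and `{% if sshd__restrict_groups | bool -%}`.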
--- a/vars/sshd_archlinux.yml +++ b/vars/sshd_archlinux.yml @@ -1,10 +1,10 @@ --- -sshd_service: sshd -sshd_key_types_list: +sshd__service: sshd +sshd__key_types_list: - ed25519 - rsa - ecdsa - dsa -sshd_xauth: +sshd__xauth: - xorg-xauth diff --git a/vars/sshd_centos.yml b/vars/sshd_centos.yml index 5ac9abc..f866ea5 100644 --- a/vars/sshd_centos.yml +++ b/vars/sshd_centos.yml @@ -1,10 +1,10 @@ --- -sshd_service: sshd -sshd_key_types_list: +sshd__service: sshd +sshd__key_types_list: - ed25519 - rsa - ecdsa - dsa -sshd_xauth: +sshd__xauth: - xorg-xauth diff --git a/vars/sshd_debian.yml b/vars/sshd_debian.yml index a6b6476..cc115de 100644 --- a/vars/sshd_debian.yml +++ b/vars/sshd_debian.yml @@ -1,10 +1,10 @@ --- -sshd_service: ssh -sshd_key_types_list: +sshd__service: ssh +sshd__key_types_list: - ed25519 - rsa - ecdsa - dsa -sshd_xauth: +sshd__xauth: - xorg-xauth diff --git a/vars/sshd_default.yml b/vars/sshd_default.yml index a6b6476..cc115de 100644 --- a/vars/sshd_default.yml +++ b/vars/sshd_default.yml @@ -1,10 +1,10 @@ --- -sshd_service: ssh -sshd_key_types_list: +sshd__service: ssh +sshd__key_types_list: - ed25519 - rsa - ecdsa - dsa -sshd_xauth: +sshd__xauth: - xorg-xauth diff --git a/vars/sshd_fedora.yml b/vars/sshd_fedora.yml index 5ac9abc..f866ea5 100644 --- a/vars/sshd_fedora.yml +++ b/vars/sshd_fedora.yml @@ -1,10 +1,10 @@ --- -sshd_service: sshd -sshd_key_types_list: +sshd__service: sshd +sshd__key_types_list: - ed25519 - rsa - ecdsa - dsa -sshd_xauth: +sshd__xauth: - xorg-xauth