mirror of
https://github.com/roles-ansible/ansible_role_sshd.git
synced 2024-08-16 11:59:49 +02:00
change variable layout
This commit is contained in:
parent
99519f3ced
commit
a57ef169c5
12 changed files with 94 additions and 157 deletions
17
README.md
17
README.md
|
@ -20,23 +20,6 @@ The following roles are tested in combination and work well - at least for the u
|
||||||
------------------------------
|
------------------------------
|
||||||
**Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
|
**Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
|
||||||
|
|
||||||
```bash
|
|
||||||
restrict_allow_users: True
|
|
||||||
```
|
|
||||||
With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else.
|
|
||||||
The default ddh groups are ``admins`` and ``root``
|
|
||||||
|
|
||||||
```bash
|
|
||||||
only_allow_ed25519: true
|
|
||||||
```
|
|
||||||
Force ssh to deny all ssh keys except for eliptic curve ed25519 keys.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sshd_password_authentication: 'no'
|
|
||||||
```
|
|
||||||
Change the string from 'no' to 'yes' if you want to log in with a password (not recomended).
|
|
||||||
|
|
||||||
There are some other cryptographic algorythmen you could enable...
|
|
||||||
|
|
||||||
### Important part:
|
### Important part:
|
||||||
Define the users (and optional their ssh keys) for the ssh config template:
|
Define the users (and optional their ssh keys) for the ssh config template:
|
||||||
|
|
|
@ -1,19 +1,18 @@
|
||||||
---
|
---
|
||||||
sshd:
|
# set the ssh server port
|
||||||
# set the ssh server port
|
sshd__port: 22
|
||||||
port: 22
|
|
||||||
# ssh password authorisatuin (not recomended)
|
# ssh password authorisatuin (not recomended)
|
||||||
password_authentication: false
|
sshd__password_authentication: false
|
||||||
# should we disable not selected ssh key types?
|
# should we disable not selected ssh key types?
|
||||||
manage_key_types: true
|
sshd__manage_key_types: true
|
||||||
# choose ssh server allowed key types
|
# choose ssh server allowed key types
|
||||||
key_types:
|
sshd__key_types:
|
||||||
- 'ed25519'
|
- 'ed25519'
|
||||||
# - 'rsa'
|
# - 'rsa'
|
||||||
# - 'ecdsa'
|
# - 'ecdsa'
|
||||||
# - 'dsa' # (do not use!)
|
# - 'dsa' # (do not use!)
|
||||||
|
|
||||||
key_algorithmus:
|
sshd__key_algorithmus:
|
||||||
- 'ssh-ed25519-cert-v01@openssh.com'
|
- 'ssh-ed25519-cert-v01@openssh.com'
|
||||||
- 'ssh-ed25519'
|
- 'ssh-ed25519'
|
||||||
# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
|
# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
|
||||||
|
@ -29,21 +28,22 @@ sshd:
|
||||||
# - 'rsa-sha2-256'
|
# - 'rsa-sha2-256'
|
||||||
# - 'ssh-rsa'
|
# - 'ssh-rsa'
|
||||||
|
|
||||||
kex_algorithmus:
|
sshd__kex_algorithmus:
|
||||||
- 'curve25519-sha256@libssh.org'
|
- 'curve25519-sha256@libssh.org'
|
||||||
- 'diffie-hellman-group-exchange-sha256'
|
- 'diffie-hellman-group-exchange-sha256'
|
||||||
# - 'diffie-hellman-group-exchange-sha1'
|
# - 'diffie-hellman-group-exchange-sha1'
|
||||||
# - 'diffie-hellman-group14-sha1'
|
# - 'diffie-hellman-group14-sha1'
|
||||||
# - 'diffie-hellman-group1-sha1'
|
# - 'diffie-hellman-group1-sha1'
|
||||||
|
|
||||||
ciphers:
|
sshd__ciphers:
|
||||||
- 'chacha20-poly1305@openssh.com'
|
- 'chacha20-poly1305@openssh.com'
|
||||||
- 'aes256-gcm@openssh.com'
|
- 'aes256-gcm@openssh.com'
|
||||||
# - 'aes256-ctr'
|
# - 'aes256-ctr'
|
||||||
# - 'aes256-cbc'
|
# - 'aes256-cbc'
|
||||||
# - 'aes128-ctr'
|
# - 'aes128-ctr'
|
||||||
# - 'aes128-cbc'
|
# - 'aes128-cbc'
|
||||||
macs:
|
|
||||||
|
sshd__macs:
|
||||||
- 'hmac-sha2-512-etm@openssh.com'
|
- 'hmac-sha2-512-etm@openssh.com'
|
||||||
- 'hmac-sha2-256-etm@openssh.com'
|
- 'hmac-sha2-256-etm@openssh.com'
|
||||||
# - 'hmac-sha2-512'
|
# - 'hmac-sha2-512'
|
||||||
|
@ -51,30 +51,17 @@ sshd:
|
||||||
# - 'hmac-ripemd160-etm@openssh.com'
|
# - 'hmac-ripemd160-etm@openssh.com'
|
||||||
# - 'umac-128-etm@openssh.com'
|
# - 'umac-128-etm@openssh.com'
|
||||||
# - 'hmac-sha1'
|
# - 'hmac-sha1'
|
||||||
# Enable AllowUsers and AllowGroups options
|
|
||||||
restrict_users: True
|
# Enable AllowUsers and AllowGroups options
|
||||||
allowed_users:
|
sshd__restrict_users: True
|
||||||
|
sshd__allowed_users:
|
||||||
- "root"
|
- "root"
|
||||||
- "ansible"
|
- "ansible"
|
||||||
restrict_groups: True
|
sshd__restrict_groups: True
|
||||||
allowed_groups:
|
sshd__allowed_groups:
|
||||||
- "root"
|
- "root"
|
||||||
- "admins"
|
- "admins"
|
||||||
xforwarding: True
|
sshd__xforwarding: True
|
||||||
|
|
||||||
#
|
|
||||||
### Forcing only ed25519 SSH keys
|
|
||||||
#only_allow_ed25519: true
|
|
||||||
#
|
|
||||||
## Allow login with password?
|
|
||||||
#
|
|
||||||
### Allow optional cryptho methods (NOT RECOMENDED)
|
|
||||||
#generate_ecdsa_too: false
|
|
||||||
#use_diffie_hellman_group_exchange_sha256: false
|
|
||||||
#u#se_aes256_ctr: false
|
|
||||||
#u#se_hmac_sha2_512: false
|
|
||||||
###
|
|
||||||
#do_not_delete_legacy_ssh_keys: true
|
|
||||||
|
|
||||||
# perform simple version check for this role? (true is recomended)
|
# perform simple version check for this role? (true is recomended)
|
||||||
submodules_versioncheck: false
|
submodules_versioncheck: false
|
||||||
|
|
|
@ -2,6 +2,6 @@
|
||||||
- name: systemctrl restart ssh
|
- name: systemctrl restart ssh
|
||||||
become: yes
|
become: yes
|
||||||
service:
|
service:
|
||||||
name: "{{ sshd_service }}"
|
name: "{{ sshd__service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
when: sshd_service is defined
|
when: sshd__service is defined
|
||||||
|
|
|
@ -1,8 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: combine sshd variable
|
|
||||||
set_fact:
|
|
||||||
sshd: "{{ _sshd|combine(sshd, recursive=True) }}"
|
|
||||||
|
|
||||||
- include_tasks: versioncheck.yml
|
- include_tasks: versioncheck.yml
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck|bool
|
||||||
|
|
||||||
|
@ -16,8 +12,8 @@
|
||||||
|
|
||||||
- name: Collect all users and groups allowed to login via ssh
|
- name: Collect all users and groups allowed to login via ssh
|
||||||
set_fact:
|
set_fact:
|
||||||
sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
|
sshd__allowed_users: '{{ sshd__allowed_users + users.keys() | default({}) | sort }}'
|
||||||
sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
|
sshd__allowed_groups: '{{ sshd__allowed_groups + users.keys() | default({}) | sort }}'
|
||||||
|
|
||||||
- name: Generate new ssh host key pair if necessary
|
- name: Generate new ssh host key pair if necessary
|
||||||
become: yes
|
become: yes
|
||||||
|
@ -27,9 +23,9 @@
|
||||||
creates: 'ssh_host_{{ item }}_key.pub'
|
creates: 'ssh_host_{{ item }}_key.pub'
|
||||||
notify:
|
notify:
|
||||||
- systemctrl restart ssh
|
- systemctrl restart ssh
|
||||||
with_items: "{{ sshd.key_types }}"
|
with_items: "{{ sshd__key_types }}"
|
||||||
when:
|
when:
|
||||||
- sshd.manage_key_types | bool
|
- sshd__manage_key_types | bool
|
||||||
|
|
||||||
- name: Remove unwanted host keys
|
- name: Remove unwanted host keys
|
||||||
become: yes
|
become: yes
|
||||||
|
@ -48,7 +44,7 @@
|
||||||
state: absent
|
state: absent
|
||||||
become: yes
|
become: yes
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
|
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
||||||
notify:
|
notify:
|
||||||
- systemctrl restart ssh
|
- systemctrl restart ssh
|
||||||
|
|
||||||
|
@ -58,7 +54,7 @@
|
||||||
state: absent
|
state: absent
|
||||||
become: yes
|
become: yes
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
|
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
||||||
notify:
|
notify:
|
||||||
- systemctrl restart ssh
|
- systemctrl restart ssh
|
||||||
|
|
||||||
|
|
|
@ -7,15 +7,6 @@
|
||||||
mode: 0755
|
mode: 0755
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck|bool
|
||||||
|
|
||||||
- name: check legacy playbook version
|
|
||||||
become: true
|
|
||||||
slurp:
|
|
||||||
src: "/etc/ansible-version/{{ playbook_version_path }}"
|
|
||||||
register: legacy_playbook_version
|
|
||||||
when: submodules_versioncheck|bool
|
|
||||||
ignore_errors: yes
|
|
||||||
changed_when: False
|
|
||||||
|
|
||||||
- name: check playbook version
|
- name: check playbook version
|
||||||
become: true
|
become: true
|
||||||
slurp:
|
slurp:
|
||||||
|
@ -23,6 +14,7 @@
|
||||||
register: playbook_version
|
register: playbook_version
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck|bool
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
|
failed_when: false
|
||||||
|
|
||||||
- name: Print remote role version
|
- name: Print remote role version
|
||||||
debug:
|
debug:
|
||||||
|
@ -39,26 +31,12 @@
|
||||||
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
||||||
when:
|
when:
|
||||||
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
||||||
- legacy_playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
|
||||||
|
|
||||||
- name: delete legacy version if needed
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
state: absent
|
|
||||||
path: "/etc/ansible-version/{{ playbook_version_path }}"
|
|
||||||
|
|
||||||
- name: check if '/etc/ansible-version/' is empty
|
- name: check if '/etc/ansible-version/' is empty
|
||||||
find:
|
find:
|
||||||
paths: '/etc/ansible-version/'
|
paths: '/etc/ansible-version/'
|
||||||
register: filesFound
|
register: filesFound
|
||||||
|
|
||||||
- name: delete legacy version folder if needed
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
state: absent
|
|
||||||
path: "/etc/ansible-version"
|
|
||||||
when: filesFound.matched < 0
|
|
||||||
|
|
||||||
- name: write new version to remote disk
|
- name: write new version to remote disk
|
||||||
become: true
|
become: true
|
||||||
copy:
|
copy:
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
Include /etc/ssh/sshd_config.d/*.conf
|
Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
|
||||||
# Networking
|
# Networking
|
||||||
Port {{ sshd.port }}
|
Port {{ sshd__port }}
|
||||||
AddressFamily any
|
AddressFamily any
|
||||||
#ListenAddress 0.0.0.0
|
#ListenAddress 0.0.0.0
|
||||||
#ListenAddress ::
|
#ListenAddress ::
|
||||||
|
@ -16,7 +16,7 @@ TCPKeepAlive yes
|
||||||
|
|
||||||
# Key exchange
|
# Key exchange
|
||||||
{{ 'KexAlgorithms ' }}
|
{{ 'KexAlgorithms ' }}
|
||||||
{%- for algo in sshd.kex_algorithmus -%}
|
{%- for algo in sshd__kex_algorithmus -%}
|
||||||
{{ algo }}{{ "," if not loop.last }}
|
{{ algo }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ TCPKeepAlive yes
|
||||||
#RekeyLimit default none
|
#RekeyLimit default none
|
||||||
|
|
||||||
{{ 'Ciphers ' }}
|
{{ 'Ciphers ' }}
|
||||||
{%- for cipher in sshd.ciphers -%}
|
{%- for cipher in sshd__ciphers -%}
|
||||||
{{ cipher }}{{ "," if not loop.last }}
|
{{ cipher }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ LogLevel INFO
|
||||||
|
|
||||||
# Macs
|
# Macs
|
||||||
{{ 'MACs ' }}
|
{{ 'MACs ' }}
|
||||||
{%- for mac in sshd.macs -%}
|
{%- for mac in sshd__macs -%}
|
||||||
{{ mac }}{{ "," if not loop.last }}
|
{{ mac }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
@ -44,9 +44,9 @@ LogLevel INFO
|
||||||
Protocol 2
|
Protocol 2
|
||||||
|
|
||||||
|
|
||||||
{% if sshd.manage_key_types | bool -%}
|
{% if sshd__manage_key_types | bool -%}
|
||||||
# host key types
|
# host key types
|
||||||
{% for key in sshd.key_types %}
|
{% for key in sshd__key_types %}
|
||||||
HostKey /etc/ssh/ssh_host_{{ key }}_key
|
HostKey /etc/ssh/ssh_host_{{ key }}_key
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
@ -55,7 +55,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
|
||||||
# HostKeyAlgorithms
|
# HostKeyAlgorithms
|
||||||
# Maybe not available in openssh 6.7
|
# Maybe not available in openssh 6.7
|
||||||
{{ 'HostKeyAlgorithms ' }}
|
{{ 'HostKeyAlgorithms ' }}
|
||||||
{%- for key in sshd.key_algorithmus -%}
|
{%- for key in sshd__key_algorithmus -%}
|
||||||
{{ key }}{{ "," if not loop.last }}
|
{{ key }}{{ "," if not loop.last }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
@ -64,7 +64,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
|
||||||
MaxAuthTries 6
|
MaxAuthTries 6
|
||||||
MaxSessions 10
|
MaxSessions 10
|
||||||
PasswordAuthentication
|
PasswordAuthentication
|
||||||
{%- if sshd.password_authentication | bool -%}
|
{%- if sshd__password_authentication | bool -%}
|
||||||
{{ ' yes' }}
|
{{ ' yes' }}
|
||||||
{% else -%}
|
{% else -%}
|
||||||
{{ ' no' }}
|
{{ ' no' }}
|
||||||
|
@ -75,7 +75,7 @@ PermitRootLogin without-password
|
||||||
LoginGraceTime 120
|
LoginGraceTime 120
|
||||||
StrictModes yes
|
StrictModes yes
|
||||||
X11Forwarding
|
X11Forwarding
|
||||||
{%- if sshd.xforwarding | bool -%}
|
{%- if sshd__xforwarding | bool -%}
|
||||||
{{ ' yes' }}
|
{{ ' yes' }}
|
||||||
{% else -%}
|
{% else -%}
|
||||||
{{ ' no' }}
|
{{ ' no' }}
|
||||||
|
@ -112,11 +112,11 @@ TCPKeepAlive yes
|
||||||
UsePAM yes
|
UsePAM yes
|
||||||
|
|
||||||
# User Authentication
|
# User Authentication
|
||||||
{% if sshd.restrict_users -%}
|
{% if sshd__restrict_users -%}
|
||||||
AllowUsers {{ sshd_allowed_users|join(' ') }}
|
AllowUsers {{ sshd__allowed_users|join(' ') }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{% if sshd.restrict_groups -%}
|
{% if sshd__restrict_groups -%}
|
||||||
AllowUsers {{ sshd_allowed_groups|join(' ') }}
|
AllowUsers {{ sshd__allowed_groups|join(' ') }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
# Allow client to pass locale environment variables
|
# Allow client to pass locale environment variables
|
||||||
|
|
|
@ -1,10 +1,3 @@
|
||||||
---
|
---
|
||||||
_sshd:
|
playbook_version_number: 2070 # should be over ninethousand
|
||||||
port: 22
|
|
||||||
password_authentication: false
|
|
||||||
manage_key_types: true
|
|
||||||
key_types:
|
|
||||||
- ed25519
|
|
||||||
|
|
||||||
playbook_version_number: 2060 # should be over ninethousand
|
|
||||||
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
|
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
sshd_service: sshd
|
sshd__service: sshd
|
||||||
sshd_key_types_list:
|
sshd__key_types_list:
|
||||||
- ed25519
|
- ed25519
|
||||||
- rsa
|
- rsa
|
||||||
- ecdsa
|
- ecdsa
|
||||||
- dsa
|
- dsa
|
||||||
|
|
||||||
sshd_xauth:
|
sshd__xauth:
|
||||||
- xorg-xauth
|
- xorg-xauth
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
sshd_service: sshd
|
sshd__service: sshd
|
||||||
sshd_key_types_list:
|
sshd__key_types_list:
|
||||||
- ed25519
|
- ed25519
|
||||||
- rsa
|
- rsa
|
||||||
- ecdsa
|
- ecdsa
|
||||||
- dsa
|
- dsa
|
||||||
|
|
||||||
sshd_xauth:
|
sshd__xauth:
|
||||||
- xorg-xauth
|
- xorg-xauth
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
sshd_service: ssh
|
sshd__service: ssh
|
||||||
sshd_key_types_list:
|
sshd__key_types_list:
|
||||||
- ed25519
|
- ed25519
|
||||||
- rsa
|
- rsa
|
||||||
- ecdsa
|
- ecdsa
|
||||||
- dsa
|
- dsa
|
||||||
|
|
||||||
sshd_xauth:
|
sshd__xauth:
|
||||||
- xorg-xauth
|
- xorg-xauth
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
sshd_service: ssh
|
sshd__service: ssh
|
||||||
sshd_key_types_list:
|
sshd__key_types_list:
|
||||||
- ed25519
|
- ed25519
|
||||||
- rsa
|
- rsa
|
||||||
- ecdsa
|
- ecdsa
|
||||||
- dsa
|
- dsa
|
||||||
|
|
||||||
sshd_xauth:
|
sshd__xauth:
|
||||||
- xorg-xauth
|
- xorg-xauth
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
sshd_service: sshd
|
sshd__service: sshd
|
||||||
sshd_key_types_list:
|
sshd__key_types_list:
|
||||||
- ed25519
|
- ed25519
|
||||||
- rsa
|
- rsa
|
||||||
- ecdsa
|
- ecdsa
|
||||||
- dsa
|
- dsa
|
||||||
|
|
||||||
sshd_xauth:
|
sshd__xauth:
|
||||||
- xorg-xauth
|
- xorg-xauth
|
||||||
|
|
Loading…
Reference in a new issue