mirror of
https://github.com/roles-ansible/ansible_role_sshd.git
synced 2024-08-16 11:59:49 +02:00
change variable layout
This commit is contained in:
parent
99519f3ced
commit
a57ef169c5
12 changed files with 94 additions and 157 deletions
17
README.md
17
README.md
|
@ -20,23 +20,6 @@ The following roles are tested in combination and work well - at least for the u
|
|||
------------------------------
|
||||
**Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
|
||||
|
||||
```bash
|
||||
restrict_allow_users: True
|
||||
```
|
||||
With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else.
|
||||
The default ddh groups are ``admins`` and ``root``
|
||||
|
||||
```bash
|
||||
only_allow_ed25519: true
|
||||
```
|
||||
Force ssh to deny all ssh keys except for eliptic curve ed25519 keys.
|
||||
|
||||
```bash
|
||||
sshd_password_authentication: 'no'
|
||||
```
|
||||
Change the string from 'no' to 'yes' if you want to log in with a password (not recomended).
|
||||
|
||||
There are some other cryptographic algorythmen you could enable...
|
||||
|
||||
### Important part:
|
||||
Define the users (and optional their ssh keys) for the ssh config template:
|
||||
|
|
|
@ -1,19 +1,18 @@
|
|||
---
|
||||
sshd:
|
||||
# set the ssh server port
|
||||
port: 22
|
||||
# set the ssh server port
|
||||
sshd__port: 22
|
||||
# ssh password authorisatuin (not recomended)
|
||||
password_authentication: false
|
||||
sshd__password_authentication: false
|
||||
# should we disable not selected ssh key types?
|
||||
manage_key_types: true
|
||||
sshd__manage_key_types: true
|
||||
# choose ssh server allowed key types
|
||||
key_types:
|
||||
sshd__key_types:
|
||||
- 'ed25519'
|
||||
# - 'rsa'
|
||||
# - 'ecdsa'
|
||||
# - 'dsa' # (do not use!)
|
||||
|
||||
key_algorithmus:
|
||||
sshd__key_algorithmus:
|
||||
- 'ssh-ed25519-cert-v01@openssh.com'
|
||||
- 'ssh-ed25519'
|
||||
# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
|
||||
|
@ -29,21 +28,22 @@ sshd:
|
|||
# - 'rsa-sha2-256'
|
||||
# - 'ssh-rsa'
|
||||
|
||||
kex_algorithmus:
|
||||
sshd__kex_algorithmus:
|
||||
- 'curve25519-sha256@libssh.org'
|
||||
- 'diffie-hellman-group-exchange-sha256'
|
||||
# - 'diffie-hellman-group-exchange-sha1'
|
||||
# - 'diffie-hellman-group14-sha1'
|
||||
# - 'diffie-hellman-group1-sha1'
|
||||
|
||||
ciphers:
|
||||
sshd__ciphers:
|
||||
- 'chacha20-poly1305@openssh.com'
|
||||
- 'aes256-gcm@openssh.com'
|
||||
# - 'aes256-ctr'
|
||||
# - 'aes256-cbc'
|
||||
# - 'aes128-ctr'
|
||||
# - 'aes128-cbc'
|
||||
macs:
|
||||
|
||||
sshd__macs:
|
||||
- 'hmac-sha2-512-etm@openssh.com'
|
||||
- 'hmac-sha2-256-etm@openssh.com'
|
||||
# - 'hmac-sha2-512'
|
||||
|
@ -51,30 +51,17 @@ sshd:
|
|||
# - 'hmac-ripemd160-etm@openssh.com'
|
||||
# - 'umac-128-etm@openssh.com'
|
||||
# - 'hmac-sha1'
|
||||
# Enable AllowUsers and AllowGroups options
|
||||
restrict_users: True
|
||||
allowed_users:
|
||||
|
||||
# Enable AllowUsers and AllowGroups options
|
||||
sshd__restrict_users: True
|
||||
sshd__allowed_users:
|
||||
- "root"
|
||||
- "ansible"
|
||||
restrict_groups: True
|
||||
allowed_groups:
|
||||
sshd__restrict_groups: True
|
||||
sshd__allowed_groups:
|
||||
- "root"
|
||||
- "admins"
|
||||
xforwarding: True
|
||||
|
||||
#
|
||||
### Forcing only ed25519 SSH keys
|
||||
#only_allow_ed25519: true
|
||||
#
|
||||
## Allow login with password?
|
||||
#
|
||||
### Allow optional cryptho methods (NOT RECOMENDED)
|
||||
#generate_ecdsa_too: false
|
||||
#use_diffie_hellman_group_exchange_sha256: false
|
||||
#u#se_aes256_ctr: false
|
||||
#u#se_hmac_sha2_512: false
|
||||
###
|
||||
#do_not_delete_legacy_ssh_keys: true
|
||||
sshd__xforwarding: True
|
||||
|
||||
# perform simple version check for this role? (true is recomended)
|
||||
submodules_versioncheck: false
|
||||
|
|
|
@ -2,6 +2,6 @@
|
|||
- name: systemctrl restart ssh
|
||||
become: yes
|
||||
service:
|
||||
name: "{{ sshd_service }}"
|
||||
name: "{{ sshd__service }}"
|
||||
state: restarted
|
||||
when: sshd_service is defined
|
||||
when: sshd__service is defined
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
---
|
||||
- name: combine sshd variable
|
||||
set_fact:
|
||||
sshd: "{{ _sshd|combine(sshd, recursive=True) }}"
|
||||
|
||||
- include_tasks: versioncheck.yml
|
||||
when: submodules_versioncheck|bool
|
||||
|
||||
|
@ -16,8 +12,8 @@
|
|||
|
||||
- name: Collect all users and groups allowed to login via ssh
|
||||
set_fact:
|
||||
sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
|
||||
sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
|
||||
sshd__allowed_users: '{{ sshd__allowed_users + users.keys() | default({}) | sort }}'
|
||||
sshd__allowed_groups: '{{ sshd__allowed_groups + users.keys() | default({}) | sort }}'
|
||||
|
||||
- name: Generate new ssh host key pair if necessary
|
||||
become: yes
|
||||
|
@ -27,9 +23,9 @@
|
|||
creates: 'ssh_host_{{ item }}_key.pub'
|
||||
notify:
|
||||
- systemctrl restart ssh
|
||||
with_items: "{{ sshd.key_types }}"
|
||||
with_items: "{{ sshd__key_types }}"
|
||||
when:
|
||||
- sshd.manage_key_types | bool
|
||||
- sshd__manage_key_types | bool
|
||||
|
||||
- name: Remove unwanted host keys
|
||||
become: yes
|
||||
|
@ -48,7 +44,7 @@
|
|||
state: absent
|
||||
become: yes
|
||||
with_items:
|
||||
- "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
|
||||
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
||||
notify:
|
||||
- systemctrl restart ssh
|
||||
|
||||
|
@ -58,7 +54,7 @@
|
|||
state: absent
|
||||
become: yes
|
||||
with_items:
|
||||
- "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
|
||||
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
|
||||
notify:
|
||||
- systemctrl restart ssh
|
||||
|
||||
|
|
|
@ -7,15 +7,6 @@
|
|||
mode: 0755
|
||||
when: submodules_versioncheck|bool
|
||||
|
||||
- name: check legacy playbook version
|
||||
become: true
|
||||
slurp:
|
||||
src: "/etc/ansible-version/{{ playbook_version_path }}"
|
||||
register: legacy_playbook_version
|
||||
when: submodules_versioncheck|bool
|
||||
ignore_errors: yes
|
||||
changed_when: False
|
||||
|
||||
- name: check playbook version
|
||||
become: true
|
||||
slurp:
|
||||
|
@ -23,6 +14,7 @@
|
|||
register: playbook_version
|
||||
when: submodules_versioncheck|bool
|
||||
ignore_errors: yes
|
||||
failed_when: false
|
||||
|
||||
- name: Print remote role version
|
||||
debug:
|
||||
|
@ -39,26 +31,12 @@
|
|||
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
||||
when:
|
||||
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
||||
- legacy_playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
||||
|
||||
- name: delete legacy version if needed
|
||||
become: true
|
||||
file:
|
||||
state: absent
|
||||
path: "/etc/ansible-version/{{ playbook_version_path }}"
|
||||
|
||||
- name: check if '/etc/ansible-version/' is empty
|
||||
find:
|
||||
paths: '/etc/ansible-version/'
|
||||
register: filesFound
|
||||
|
||||
- name: delete legacy version folder if needed
|
||||
become: true
|
||||
file:
|
||||
state: absent
|
||||
path: "/etc/ansible-version"
|
||||
when: filesFound.matched < 0
|
||||
|
||||
- name: write new version to remote disk
|
||||
become: true
|
||||
copy:
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
Include /etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
# Networking
|
||||
Port {{ sshd.port }}
|
||||
Port {{ sshd__port }}
|
||||
AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
@ -16,7 +16,7 @@ TCPKeepAlive yes
|
|||
|
||||
# Key exchange
|
||||
{{ 'KexAlgorithms ' }}
|
||||
{%- for algo in sshd.kex_algorithmus -%}
|
||||
{%- for algo in sshd__kex_algorithmus -%}
|
||||
{{ algo }}{{ "," if not loop.last }}
|
||||
{%- endfor %}
|
||||
|
||||
|
@ -25,7 +25,7 @@ TCPKeepAlive yes
|
|||
#RekeyLimit default none
|
||||
|
||||
{{ 'Ciphers ' }}
|
||||
{%- for cipher in sshd.ciphers -%}
|
||||
{%- for cipher in sshd__ciphers -%}
|
||||
{{ cipher }}{{ "," if not loop.last }}
|
||||
{%- endfor %}
|
||||
|
||||
|
@ -36,7 +36,7 @@ LogLevel INFO
|
|||
|
||||
# Macs
|
||||
{{ 'MACs ' }}
|
||||
{%- for mac in sshd.macs -%}
|
||||
{%- for mac in sshd__macs -%}
|
||||
{{ mac }}{{ "," if not loop.last }}
|
||||
{%- endfor %}
|
||||
|
||||
|
@ -44,9 +44,9 @@ LogLevel INFO
|
|||
Protocol 2
|
||||
|
||||
|
||||
{% if sshd.manage_key_types | bool -%}
|
||||
{% if sshd__manage_key_types | bool -%}
|
||||
# host key types
|
||||
{% for key in sshd.key_types %}
|
||||
{% for key in sshd__key_types %}
|
||||
HostKey /etc/ssh/ssh_host_{{ key }}_key
|
||||
{% endfor %}
|
||||
{%- endif %}
|
||||
|
@ -55,7 +55,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
|
|||
# HostKeyAlgorithms
|
||||
# Maybe not available in openssh 6.7
|
||||
{{ 'HostKeyAlgorithms ' }}
|
||||
{%- for key in sshd.key_algorithmus -%}
|
||||
{%- for key in sshd__key_algorithmus -%}
|
||||
{{ key }}{{ "," if not loop.last }}
|
||||
{%- endfor %}
|
||||
|
||||
|
@ -64,7 +64,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
|
|||
MaxAuthTries 6
|
||||
MaxSessions 10
|
||||
PasswordAuthentication
|
||||
{%- if sshd.password_authentication | bool -%}
|
||||
{%- if sshd__password_authentication | bool -%}
|
||||
{{ ' yes' }}
|
||||
{% else -%}
|
||||
{{ ' no' }}
|
||||
|
@ -75,7 +75,7 @@ PermitRootLogin without-password
|
|||
LoginGraceTime 120
|
||||
StrictModes yes
|
||||
X11Forwarding
|
||||
{%- if sshd.xforwarding | bool -%}
|
||||
{%- if sshd__xforwarding | bool -%}
|
||||
{{ ' yes' }}
|
||||
{% else -%}
|
||||
{{ ' no' }}
|
||||
|
@ -112,11 +112,11 @@ TCPKeepAlive yes
|
|||
UsePAM yes
|
||||
|
||||
# User Authentication
|
||||
{% if sshd.restrict_users -%}
|
||||
AllowUsers {{ sshd_allowed_users|join(' ') }}
|
||||
{% if sshd__restrict_users -%}
|
||||
AllowUsers {{ sshd__allowed_users|join(' ') }}
|
||||
{%- endif %}
|
||||
{% if sshd.restrict_groups -%}
|
||||
AllowUsers {{ sshd_allowed_groups|join(' ') }}
|
||||
{% if sshd__restrict_groups -%}
|
||||
AllowUsers {{ sshd__allowed_groups|join(' ') }}
|
||||
{%- endif %}
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
|
|
|
@ -1,10 +1,3 @@
|
|||
---
|
||||
_sshd:
|
||||
port: 22
|
||||
password_authentication: false
|
||||
manage_key_types: true
|
||||
key_types:
|
||||
- ed25519
|
||||
|
||||
playbook_version_number: 2060 # should be over ninethousand
|
||||
playbook_version_number: 2070 # should be over ninethousand
|
||||
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
sshd_service: sshd
|
||||
sshd_key_types_list:
|
||||
sshd__service: sshd
|
||||
sshd__key_types_list:
|
||||
- ed25519
|
||||
- rsa
|
||||
- ecdsa
|
||||
- dsa
|
||||
|
||||
sshd_xauth:
|
||||
sshd__xauth:
|
||||
- xorg-xauth
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
sshd_service: sshd
|
||||
sshd_key_types_list:
|
||||
sshd__service: sshd
|
||||
sshd__key_types_list:
|
||||
- ed25519
|
||||
- rsa
|
||||
- ecdsa
|
||||
- dsa
|
||||
|
||||
sshd_xauth:
|
||||
sshd__xauth:
|
||||
- xorg-xauth
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
sshd_service: ssh
|
||||
sshd_key_types_list:
|
||||
sshd__service: ssh
|
||||
sshd__key_types_list:
|
||||
- ed25519
|
||||
- rsa
|
||||
- ecdsa
|
||||
- dsa
|
||||
|
||||
sshd_xauth:
|
||||
sshd__xauth:
|
||||
- xorg-xauth
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
sshd_service: ssh
|
||||
sshd_key_types_list:
|
||||
sshd__service: ssh
|
||||
sshd__key_types_list:
|
||||
- ed25519
|
||||
- rsa
|
||||
- ecdsa
|
||||
- dsa
|
||||
|
||||
sshd_xauth:
|
||||
sshd__xauth:
|
||||
- xorg-xauth
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
sshd_service: sshd
|
||||
sshd_key_types_list:
|
||||
sshd__service: sshd
|
||||
sshd__key_types_list:
|
||||
- ed25519
|
||||
- rsa
|
||||
- ecdsa
|
||||
- dsa
|
||||
|
||||
sshd_xauth:
|
||||
sshd__xauth:
|
||||
- xorg-xauth
|
||||
|
|
Loading…
Reference in a new issue