
change variable layout

This commit is contained in:
L3D 2020-08-04 15:07:02 +02:00 committed by L3D
parent 99519f3ced
commit a57ef169c5
No known key found for this signature in database
GPG key ID: 5215C3441797AB2B
12 changed files with 94 additions and 157 deletions


@ -20,23 +20,6 @@ The following roles are tested in combination and work well - at least for the u
------------------------------
**Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
```bash
restrict_allow_users: True
```
With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else.
The default ddh groups are ``admins`` and ``root``
```bash
only_allow_ed25519: true
```
Force ssh to deny all ssh keys except for eliptic curve ed25519 keys.
```bash
sshd_password_authentication: 'no'
```
Change the string from 'no' to 'yes' if you want to log in with a password (not recomended).
There are some other cryptographic algorythmen you could enable...
### Important part:
Define the users (and optional their ssh keys) for the ssh config template:


@ -1,19 +1,18 @@
---
sshd:
# set the ssh server port
port: 22
# set the ssh server port
sshd__port: 22
# ssh password authorisatuin (not recomended)
password_authentication: false
sshd__password_authentication: false
# should we disable not selected ssh key types?
manage_key_types: true
sshd__manage_key_types: true
# choose ssh server allowed key types
key_types:
sshd__key_types:
- 'ed25519'
# - 'rsa'
# - 'ecdsa'
# - 'dsa' # (do not use!)
key_algorithmus:
sshd__key_algorithmus:
- 'ssh-ed25519-cert-v01@openssh.com'
- 'ssh-ed25519'
# - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
@ -29,21 +28,22 @@ sshd:
# - 'rsa-sha2-256'
# - 'ssh-rsa'
kex_algorithmus:
sshd__kex_algorithmus:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
# - 'diffie-hellman-group-exchange-sha1'
# - 'diffie-hellman-group14-sha1'
# - 'diffie-hellman-group1-sha1'
ciphers:
sshd__ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
# - 'aes256-ctr'
# - 'aes256-cbc'
# - 'aes128-ctr'
# - 'aes128-cbc'
macs:
sshd__macs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
# - 'hmac-sha2-512'
@ -51,30 +51,17 @@ sshd:
# - 'hmac-ripemd160-etm@openssh.com'
# - 'umac-128-etm@openssh.com'
# - 'hmac-sha1'
# Enable AllowUsers and AllowGroups options
restrict_users: True
allowed_users:
# Enable AllowUsers and AllowGroups options
sshd__restrict_users: True
sshd__allowed_users:
- "root"
- "ansible"
restrict_groups: True
allowed_groups:
sshd__restrict_groups: True
sshd__allowed_groups:
- "root"
- "admins"
xforwarding: True
#
### Forcing only ed25519 SSH keys
#only_allow_ed25519: true
#
## Allow login with password?
#
### Allow optional cryptho methods (NOT RECOMENDED)
#generate_ecdsa_too: false
#use_diffie_hellman_group_exchange_sha256: false
#u#se_aes256_ctr: false
#u#se_hmac_sha2_512: false
###
#do_not_delete_legacy_ssh_keys: true
sshd__xforwarding: True
# perform simple version check for this role? (true is recomended)
submodules_versioncheck: false
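Review bot: `sshd__restrict_users: True`, `sshd__restrict_groups: True` and `sshd__xforwarding: True` keep the capitalised booleans while the rest of this file uses the lowercase form (`sshd__password_authentication: false`, `sshd__manage_key_types: true`); yamllint's truthy rule flags the mix and lowercase `true` is the canonical YAML 1.2 spelling, so I'd normalise these three to `true`. Since this file is the role's hardening baseline, `sshd__xforwarding` also deserves a comment stating what the default turns on, e.g. `# enable X11Forwarding in sshd_config (set to false on hosts that do not need it)`, matching the per-key comments the other options already have. The same capitalised `True` survives in the README hunk (`restrict_allow_users: True`), which is documentation only.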


@ -2,6 +2,6 @@
- name: systemctrl restart ssh
become: yes
service:
name: "{{ sshd_service }}"
name: "{{ sshd__service }}"
state: restarted
when: sshd_service is defined
when: sshd__service is defined


@ -1,8 +1,4 @@
---
- name: combine sshd variable
set_fact:
sshd: "{{ _sshd|combine(sshd, recursive=True) }}"
- include_tasks: versioncheck.yml
when: submodules_versioncheck|bool
@ -16,8 +12,8 @@
- name: Collect all users and groups allowed to login via ssh
set_fact:
sshd_allowed_users: '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
sshd__allowed_users: '{{ sshd__allowed_users + users.keys() | default({}) | sort }}'
sshd__allowed_groups: '{{ sshd__allowed_groups + users.keys() | default({}) | sort }}'
- name: Generate new ssh host key pair if necessary
become: yes
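Review bot: The two `set_fact` assignments now read from and write to the same names, `sshd__allowed_users` and `sshd__allowed_groups`, so the fact shadows the role default and any further execution of this task against the same host (a second include of the role, or a cached fact) appends `users.keys()` once more and duplicates names in the generated `AllowUsers` line; the old `sshd_allowed_*` names did not self-reference. Wrapping the expression makes it idempotent: `sshd__allowed_users: '{{ (sshd__allowed_users + users.keys() | default({}) | sort) | unique }}'`, and the same for the groups line. Whether `users.keys() | default({})` actually survives an undefined `users` depends on Ansible's undefined object tolerating the `.keys()` call before the filter runs — worth confirming, or apply the default to `users` itself with `(users | default({})).keys()`.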
@ -27,9 +23,9 @@
creates: 'ssh_host_{{ item }}_key.pub'
notify:
- systemctrl restart ssh
with_items: "{{ sshd.key_types }}"
with_items: "{{ sshd__key_types }}"
when:
- sshd.manage_key_types | bool
- sshd__manage_key_types | bool
- name: Remove unwanted host keys
become: yes
@ -48,7 +44,7 @@
state: absent
become: yes
with_items:
- "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
notify:
- systemctrl restart ssh
@ -58,7 +54,7 @@
state: absent
become: yes
with_items:
- "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
- "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
notify:
- systemctrl restart ssh


@ -7,15 +7,6 @@
mode: 0755
when: submodules_versioncheck|bool
- name: check legacy playbook version
become: true
slurp:
src: "/etc/ansible-version/{{ playbook_version_path }}"
register: legacy_playbook_version
when: submodules_versioncheck|bool
ignore_errors: yes
changed_when: False
- name: check playbook version
become: true
slurp:
@ -23,6 +14,7 @@
register: playbook_version
when: submodules_versioncheck|bool
ignore_errors: yes
failed_when: false
- name: Print remote role version
debug:
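Review bot: The added `failed_when: false` on the `check playbook version` slurp sits next to the existing `ignore_errors: yes`, so the task now carries two mechanisms for the same purpose; `failed_when: false` is the cleaner one (the task is reported as ok instead of as an ignored failure and the later `playbook_version.content|default(...)` still works), so `ignore_errors: yes` can be dropped. The task's `name`/`slurp` lines start in the previous hunk.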
@ -39,26 +31,12 @@
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
when:
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
- legacy_playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
- name: delete legacy version if needed
become: true
file:
state: absent
path: "/etc/ansible-version/{{ playbook_version_path }}"
- name: check if '/etc/ansible-version/' is empty
find:
paths: '/etc/ansible-version/'
register: filesFound
- name: delete legacy version folder if needed
become: true
file:
state: absent
path: "/etc/ansible-version"
when: filesFound.matched < 0
- name: write new version to remote disk
become: true
copy:


@ -7,7 +7,7 @@
Include /etc/ssh/sshd_config.d/*.conf
# Networking
Port {{ sshd.port }}
Port {{ sshd__port }}
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
@ -16,7 +16,7 @@ TCPKeepAlive yes
# Key exchange
{{ 'KexAlgorithms ' }}
{%- for algo in sshd.kex_algorithmus -%}
{%- for algo in sshd__kex_algorithmus -%}
{{ algo }}{{ "," if not loop.last }}
{%- endfor %}
@ -25,7 +25,7 @@ TCPKeepAlive yes
#RekeyLimit default none
{{ 'Ciphers ' }}
{%- for cipher in sshd.ciphers -%}
{%- for cipher in sshd__ciphers -%}
{{ cipher }}{{ "," if not loop.last }}
{%- endfor %}
@ -36,7 +36,7 @@ LogLevel INFO
# Macs
{{ 'MACs ' }}
{%- for mac in sshd.macs -%}
{%- for mac in sshd__macs -%}
{{ mac }}{{ "," if not loop.last }}
{%- endfor %}
@ -44,9 +44,9 @@ LogLevel INFO
Protocol 2
{% if sshd.manage_key_types | bool -%}
{% if sshd__manage_key_types | bool -%}
# host key types
{% for key in sshd.key_types %}
{% for key in sshd__key_types %}
HostKey /etc/ssh/ssh_host_{{ key }}_key
{% endfor %}
{%- endif %}
@ -55,7 +55,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
# HostKeyAlgorithms
# Maybe not available in openssh 6.7
{{ 'HostKeyAlgorithms ' }}
{%- for key in sshd.key_algorithmus -%}
{%- for key in sshd__key_algorithmus -%}
{{ key }}{{ "," if not loop.last }}
{%- endfor %}
@ -64,7 +64,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
MaxAuthTries 6
MaxSessions 10
PasswordAuthentication
{%- if sshd.password_authentication | bool -%}
{%- if sshd__password_authentication | bool -%}
{{ ' yes' }}
{% else -%}
{{ ' no' }}
@ -75,7 +75,7 @@ PermitRootLogin without-password
LoginGraceTime 120
StrictModes yes
X11Forwarding
{%- if sshd.xforwarding | bool -%}
{%- if sshd__xforwarding | bool -%}
{{ ' yes' }}
{% else -%}
{{ ' no' }}
@ -112,11 +112,11 @@ TCPKeepAlive yes
UsePAM yes
# User Authentication
{% if sshd.restrict_users -%}
AllowUsers {{ sshd_allowed_users|join(' ') }}
{% if sshd__restrict_users -%}
AllowUsers {{ sshd__allowed_users|join(' ') }}
{%- endif %}
{% if sshd.restrict_groups -%}
AllowUsers {{ sshd_allowed_groups|join(' ') }}
{% if sshd__restrict_groups -%}
AllowUsers {{ sshd__allowed_groups|join(' ') }}
{%- endif %}
# Allow client to pass locale environment variables
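Review bot: The `sshd__restrict_groups` branch still emits `AllowUsers {{ sshd__allowed_groups|join(' ') }}`, so the group allow-list is written under the wrong directive: sshd reads the group names as user names (merged with or ignored after the preceding `AllowUsers`, depending on the OpenSSH version) and the intended `AllowGroups` restriction never takes effect; the rename kept the pre-existing keyword. It should read `AllowGroups {{ sshd__allowed_groups|join(' ') }}`. Separately, `{% if sshd__restrict_users -%}` and `{% if sshd__restrict_groups -%}` test the raw value, unlike the other conditionals in this template which use `| bool`; a string such as `'false'` passed as an extra-var would be truthy here, so `{% if sshd__restrict_users | bool -%}` is the safer form.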


@ -1,10 +1,3 @@
---
_sshd:
port: 22
password_authentication: false
manage_key_types: true
key_types:
- ed25519
playbook_version_number: 2060 # should be over ninethousand
playbook_version_number: 2070 # should be over ninethousand
playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'


@ -1,10 +1,10 @@
---
sshd_service: sshd
sshd_key_types_list:
sshd__service: sshd
sshd__key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
sshd__xauth:
- xorg-xauth


@ -1,10 +1,10 @@
---
sshd_service: sshd
sshd_key_types_list:
sshd__service: sshd
sshd__key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
sshd__xauth:
- xorg-xauth


@ -1,10 +1,10 @@
---
sshd_service: ssh
sshd_key_types_list:
sshd__service: ssh
sshd__key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
sshd__xauth:
- xorg-xauth


@ -1,10 +1,10 @@
---
sshd_service: ssh
sshd_key_types_list:
sshd__service: ssh
sshd__key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
sshd__xauth:
- xorg-xauth


@ -1,10 +1,10 @@
---
sshd_service: sshd
sshd_key_types_list:
sshd__service: sshd
sshd__key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
sshd__xauth:
- xorg-xauth