From edd671a7bdc3c5961cb551e9859162aab345d87c Mon Sep 17 00:00:00 2001
From: L3D
Date: Thu, 29 Dec 2022 16:40:39 +0100
Subject: [PATCH] upgrade powershell scripts

---
 defaults/main.yml | 7 +++++++
 handlers/main.yml | 3 +++
 tasks/main.yml | 3 +++
 tasks/powershell.yml | 18 ++++++++++++++++++
 tasks/pubkeys.yml | 16 ++++++++++++++++
 templates/ssh_keys.ps1 | 17 +++++++++++++++++
 6 files changed, 64 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/pubkeys.yml
 create mode 100644 templates/ssh_keys.ps1

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..892bd6f
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,7 @@
+win_sshd_pubkeys:
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsOE9FWrhICb0i9WuTorFzD9+K7hy1bR/KSq4VGW8J2 l3d'
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX l3d'
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbMB5Z1AoNeEyk3x+XN6mXU+cUOUlOqRzn0Z64kiE+O l3d'
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8 l3d'
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC l3d'
+  - 'ssh-rsa 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 l3d@'
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ba9d3d6
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: 'Install SSH Keys'
+  ansible.windows.win_shell: '.ansible\ssh_keys.ps1'
diff --git a/tasks/main.yml b/tasks/main.yml
index 2757f38..ff2ff5a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,3 +4,6 @@
 
 - name: Install OpenSSH via Powershell
   ansible.builtin.include_tasks: powershell.yml
+
+- name: Add OpenSSH Pubkey Access
+  ansible.builtin.include_tasks: pubkeys.yml
diff --git a/tasks/powershell.yml b/tasks/powershell.yml
index b274459..cccb5c2 100644
--- a/tasks/powershell.yml
+++ b/tasks/powershell.yml
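Review bot: The new defaults/main.yml ships six real public keys as the role default for `win_sshd_pubkeys`, so any play that applies this role without overriding the variable grants administrator SSH login on the target to whoever holds the matching private keys, and the ssh-rsa entry is also truncated in this copy. A role default should carry no keys at all, e.g. `win_sshd_pubkeys: []`, with the consumer supplying the list, and tasks/pubkeys.yml can refuse to run on an empty list with `ansible.builtin.assert: { that: win_sshd_pubkeys | length > 0 }` so a misconfiguration fails loudly instead of installing someone else's keys. The file also lacks the `---` document start that the new handlers/main.yml and tasks/pubkeys.yml use; keep that consistent across the role.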
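Review bot: The handler in handlers/main.yml executes `.ansible\ssh_keys.ps1` by a path relative to whatever working directory the remote session starts in, and tasks/pubkeys.yml creates and templates into the same relative `.ansible` path, so the two only line up while both sessions happen to start in the connection user's profile directory. Anchoring both sides on an explicit base, e.g. `ansible.windows.win_shell: '{{ ansible_env.USERPROFILE }}\.ansible\ssh_keys.ps1'` here and the matching `dest` in tasks/pubkeys.yml, removes that assumption (this needs facts gathered for `ansible_env`). Because the staged script goes on to write `administrators_authorized_keys` under ProgramData, a short comment stating that the staging directory must be writable only by the connection user would document why the script is kept under the profile rather than in a shared temp location.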
@@ -11,3 +11,21 @@
     start_mode: auto
     state: started
 
+- name: Configure Powershell as default
+  ansible.windows.win_powershell:
+    script: 'New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "$Env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force'
+  changed_when: _fw.changed
+
+#- name: Configure ACL and ssh keys
+# ansible.windows.win_powershell:
+# script: |
+# # set acl on administrators_authorized_keys
+# $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value
+# $acl = Get-Acl $Env:ProgramData\ssh\administrators_authorized_keys
+# $acl.SetAccessRuleProtection($true, $false)
+# $administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule($admins,"FullControl","Allow")
+# $systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
+# $acl.SetAccessRule($administratorsRule)
+# $acl.SetAccessRule($systemRule)
+# $acl | Set-Acl
+# changed_when: _fw.changed
diff --git a/tasks/pubkeys.yml b/tasks/pubkeys.yml
new file mode 100644
index 0000000..b111047
--- /dev/null
+++ b/tasks/pubkeys.yml
@@ -0,0 +1,16 @@
+---
+- name: Create .ansible folder
+  ansible.windows.win_powershell:
+    script: "[System.IO.Directory]::CreateDirectory('.ansible')"
+  changed_when: _fw.changed
+
+- name: Create .ansible folder
+  ansible.windows.win_powershell:
+    script: "attrib +h .ansible"
+  changed_when: _fw.changed
+
+- name: Prepare Pubkey PS1 Script
+  ansible.windows.win_template:
+    src: 'templates/ssh_keys.ps1'
+    dest: '.ansible\ssh_keys.ps1'
+  notify: 'Install SSH Keys'
diff --git a/templates/ssh_keys.ps1 b/templates/ssh_keys.ps1
new file mode 100644
index 0000000..e969fe0
--- /dev/null
+++ b/templates/ssh_keys.ps1
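Review bot: `changed_when: _fw.changed` on the new `Configure Powershell as default` task reads a variable this task never registers, so its reported change status comes from whichever earlier task registered `_fw` (presumably outside this hunk) rather than from the `New-ItemProperty -Force` call, which rewrites the value unconditionally on every run. Writing the `DefaultShell` value with `ansible.windows.win_regedit` makes the task idempotent with correct change reporting and no `changed_when` at all; the same stale `_fw` reference sits on both `win_powershell` tasks in the new tasks/pubkeys.yml, where `$Ansible.Changed` inside the script would be the right signal if `win_powershell` is kept. The commented-out ACL block should be either removed or finished rather than committed as dead code: Microsoft's OpenSSH documentation requires `administrators_authorized_keys` to be restricted to Administrators and SYSTEM, and nothing else in this commit sets that ACL after templates/ssh_keys.ps1 creates the file.
```yaml
- name: Configure Powershell as default
  ansible.windows.win_regedit:
    path: 'HKLM:\SOFTWARE\OpenSSH'
    name: DefaultShell
    data: '{{ ansible_env.SystemRoot }}\System32\WindowsPowerShell\v1.0\powershell.exe'
    type: string

# … unchanged: commented-out ACL task (remove or finish) …
```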
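Review bot: The first two tasks in tasks/pubkeys.yml share the name `Create .ansible folder` although the second only sets the hidden attribute, so play output cannot tell them apart; rename the second to `Hide .ansible folder`. Directory creation does not need a `win_powershell` call at all: `ansible.windows.win_file:` with `path: '{{ ansible_env.USERPROFILE }}\.ansible'` and `state: directory` is idempotent and reports changes correctly, which also drops one of the misleading `changed_when: _fw.changed` lines. The `src: 'templates/ssh_keys.ps1'` resolves, but the conventional role form is `src: ssh_keys.ps1`, letting Ansible search the role's templates directory.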
@@ -0,0 +1,17 @@ +# {{ ansible_managed }} +# Variable for PS1 +$content = @" +{% for pubkey in win_sshd_pubkeys %} +{{ pubkey }} +{%endfor %} +"@ + +# Write public key to file for admin access +[System.IO.Directory]::CreateDirectory("$Env:ProgramData\ssh") +$content | Set-Content -Path "$Env:ProgramData\ssh\administrators_authorized_keys" + +# Write Public key to file for user access +[System.IO.Directory]::CreateDirectory("$env:USERPROFILE\.ssh") +$content | Set-Content -Path "$env:USERPROFILE\.ssh\authorized" + +echo "Writing SSH Keys successful"
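Review bot: The user-level copy is written to `$env:USERPROFILE\.ssh\authorized`, but OpenSSH reads `authorized_keys`, so the second `Set-Content` produces a file sshd never consults; the path should be `"$env:USERPROFILE\.ssh\authorized_keys"`. For members of the Administrators group sshd on Windows consults `administrators_authorized_keys` instead of the per-user file, so the duplicate write is also redundant for the admin account the role targets — worth a comment explaining which login the per-user file is meant for, if it is kept. The `administrators_authorized_keys` file is created with whatever ACL it inherits from `$Env:ProgramData\ssh`; Microsoft's OpenSSH documentation requires it to be restricted to Administrators and SYSTEM, and the line after the first `Set-Content` is the natural place for that step (the ACL code currently commented out in tasks/powershell.yml). Minor: `{%endfor %}` is missing the space after `{%` that the opening tag has.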