openssh: cleanup playblook + role
This commit is contained in:
parent
e0c95b8f10
commit
0c7b5a2c68
4 changed files with 29 additions and 9 deletions
@ -4,11 +4,11 @@
- pve_network
- pve_network
- vm_network
- vm_network
vars:
vars:
openssh_users_ca_public_key:
openssh__users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
openssh_authorized_principals:
openssh__authorized_principals:
- any
- any
- "{{ inventory_hostname }}"
- "{{ inventory_hostname }}"
roles:
roles:
@ -1,4 +1,25 @@
---
---
openssh_authorized_principals:
openssh__authorized_principals:
- any
- any
# https://infosec.mozilla.org/guidelines/openssh.html
openssh__kex_algorithms:
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
openssh__ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
openssh__macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
...
...
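Review bot: The new `# https://infosec.mozilla.org/guidelines/openssh.html` comment above `openssh__kex_algorithms` cites the source but leaves out what someone editing these three lists needs to know: they are rendered in preference order, and `diffie-hellman-group-exchange-sha256` is only as strong as the groups left in the server's `/etc/ssh/moduli`, which that guideline tells you to prune of small groups and which this role does not appear to do (not visible in the diff, so hedged). The last three entries of `openssh__macs` (`hmac-sha2-512`, `hmac-sha2-256`, `umac-128@openssh.com`) are the non encrypt-then-MAC variants the guideline keeps for client compatibility, so a reader tightening the list should know those are the ones to drop first. I would widen the comment to something like `# Mozilla "Modern" OpenSSH profile; lists are in preference order. The group-exchange kex depends on /etc/ssh/moduli being pruned of small groups; the non-etm MACs are compatibility fallbacks.`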
@ -21,7 +21,7 @@
- name: Install Users CA public key
- name: Install Users CA public key
copy:
copy:
content: "{{ openssh_users_ca_public_key }}"
content: "{{ openssh__users_ca_public_key }}"
dest: /etc/ssh/users_ca.pub
dest: /etc/ssh/users_ca.pub
owner: root
owner: root
group: root
group: root
@ -30,7 +30,7 @@
- name: Install authorized principals file
- name: Install authorized principals file
copy:
copy:
content: "{{ openssh_authorized_principals | join('\n') }}"
content: "{{ openssh__authorized_principals | join('\n') }}"
dest: /etc/ssh/authorized_principals
dest: /etc/ssh/authorized_principals
owner: root
owner: root
group: root
group: root
@ -15,10 +15,9 @@ HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# https://infosec.mozilla.org/guidelines/openssh.html
KexAlgorithms {{ openssh__kex_algorithms | join(",") }}
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers {{ openssh__ciphers | join(",") }}
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs {{ openssh__macs | join(",") }}
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
AuthenticationMethods publickey
AuthenticationMethods publickey
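Review bot: `KexAlgorithms {{ openssh__kex_algorithms | join(",") }}` and the `Ciphers` and `MACs` lines below it render a directive with no argument when the list is overridden to `[]`, and sshd rejects a directive without an argument when it parses the file, so a bad override can leave sshd unable to restart on a host that is reachable only over SSH; the former hard-coded lines could not fail this way. The template task that installs this file is outside the hunk, so I cannot see whether it validates; if it does not, add `validate: '/usr/sbin/sshd -t -f %s'` to it so Ansible refuses to install a config sshd will not load, which protects every templated directive, not only these three. Adding `| mandatory` before the `join` only catches an undefined variable, not an empty list, so it is no substitute for the validate step. The `# https://infosec.mozilla.org/guidelines/openssh.html` comment is gone from the rendered file; a one-line comment such as `# KexAlgorithms/Ciphers/MACs come from the role's openssh__* defaults` helps an operator reading sshd_config on the host find where the lists are defined.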