Use the Users CA for authentication

ansible.cfg

@@ -12,7 +12,7 @@ retry_files_enabled = False
 inventory = ./hosts
 
 # Custom header in templates
-ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
+ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
 
 # Do not use cows (with cowsay)
 nocows = 1
@@ -23,19 +23,12 @@ forks = 15
 # Some SSH connection will take time
 timeout = 60
 
-[privilege_escalation]
-
-# Use sudo to get priviledge access
-become = True
-
-# Ask for password
-become_ask_pass = True
+remote_user = root
 
 [diff]
 
 # TO know what changed
 always = yes
 
-
 [ssh_connection]
 pipelining = True

hosts

@@ -10,6 +10,9 @@
 
 [aurore_pve]
 escalope.adm.auro.re
+services-1.pve.auro.re
+services-2.pve.auro.re
+services-3.pve.auro.re
 
 [aurore_vm]
 routeur-aurore.adm.auro.re

playbooks/ssh.yml

@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: services-*.pve.auro.re
+  vars:
+    openssh_users_ca_public_key: >-
+      ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==
+    openssh_authorized_principals:
+      - any
+      - "{{ inventory_hostname }}"
+  roles:
+    - openssh_server
+...

roles/openssh_server/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+openssh_authorized_principals:
+  - any
+...

roles/openssh_server/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart sshd
+  systemd:
+    name: ssh.service
+    state: restarted
+...

roles/openssh_server/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Install OpenSSH server
+  apt:
+    name: openssh-server
+
+- name: Enable OpenSSH Server
+  systemd:
+    name: sshd.service
+    enabled: true
+    state: started
+
+- name: Install sshd configuration file
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+    validate: "/usr/sbin/sshd -tf %s"
+  notify: Restart sshd
+
+- name: Install Users CA public key
+  copy:
+    content: "{{ openssh_users_ca_public_key }}"
+    dest: /etc/ssh/users_ca.pub
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  notify: Restart sshd
+
+- name: Install authorized principals file
+  copy:
+    content: "{{ openssh_authorized_principals | join('\n') }}"
+    dest: /etc/ssh/authorized_principals
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  notify: Restart sshd
+...

roles/openssh_server/templates/sshd_config.j2

@@ -0,0 +1,45 @@
+{{ ansible_managed | comment }}
+
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+Port 22
+
+MaxStartups 10:30:100
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# https://infosec.mozilla.org/guidelines/openssh.html
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+AuthenticationMethods publickey
+
+TrustedUserCAKeys /etc/ssh/users_ca.pub
+AuthorizedPrincipalsFile /etc/ssh/authorized_principals
+
+StrictModes yes
+UsePAM no
+PermitRootLogin yes
+PermitUserRC no
+PermitUserEnvironment no
+AllowAgentForwarding no
+AllowTcpForwarding yes
+X11Forwarding no
+PermitTTY yes
+PermitTunnel no
+VersionAddendum none
+PrintLastLog yes
+PrintMotd yes
+TCPKeepAlive yes
+UseDNS no
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO