From e6363e9668372f8946eb851b70f29307ce6a2a96 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sun, 12 Dec 2021 05:56:26 +0100
Subject: [PATCH] Use the Users CA for authentication

---
ansible.cfg | 11 +----
hosts | 3 ++
playbooks/ssh.yml | 12 +++++
roles/openssh_server/defaults/main.yml | 4 ++
roles/openssh_server/handlers/main.yml | 6 +++
roles/openssh_server/tasks/main.yml | 39 ++++++++++++++++
roles/openssh_server/templates/sshd_config.j2 | 45 +++++++++++++++++++
7 files changed, 111 insertions(+), 9 deletions(-)
create mode 100755 playbooks/ssh.yml
create mode 100644 roles/openssh_server/defaults/main.yml
create mode 100644 roles/openssh_server/handlers/main.yml
create mode 100644 roles/openssh_server/tasks/main.yml
create mode 100644 roles/openssh_server/templates/sshd_config.j2

diff --git a/ansible.cfg b/ansible.cfg
index c5f49b4..ebe93da 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -12,7 +12,7 @@ retry_files_enabled = False
 inventory = ./hosts
 
 # Custom header in templates
-ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
+ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
 
 # Do not use cows (with cowsay)
 nocows = 1
@@ -23,19 +23,12 @@ forks = 15 # Some SSH connection will take time timeout = 60 -[privilege_escalation] - -# Use sudo to get priviledge access -become = True - -# Ask for password -become_ask_pass = True +remote_user = root [diff] # TO know what changed always = yes - [ssh_connection] pipelining = True
diff --git a/hosts b/hosts
index dec08b1..2f397b4 100644
--- a/hosts
+++ b/hosts
@@ -10,6 +10,9 @@
 
 [aurore_pve]
 escalope.adm.auro.re
+services-1.pve.auro.re
+services-2.pve.auro.re
+services-3.pve.auro.re
 
 [aurore_vm]
 routeur-aurore.adm.auro.re
diff --git a/playbooks/ssh.yml b/playbooks/ssh.yml
new file mode 100755
index 0000000..8fc50b7
--- /dev/null
+++ b/playbooks/ssh.yml
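Review bot: `remote_user = root` in the second ansible.cfg hunk is a repository-wide default, so every play against every inventory group now connects directly as root, while the removed `[privilege_escalation]` block previously gave the default of an unprivileged login plus sudo; only the new openssh_server role needs root login, and the other groups in hosts are not touched by this commit. Hosts that do not permit root over SSH will stop being manageable, and the least-privilege path is lost for all of them at once. Scope it instead: `remote_user: root` on the play in playbooks/ssh.yml, or `ansible_user: root` in group_vars for the affected group, and keep privilege escalation configured for the rest. The section header this key lands in is outside the hunk (presumably `[defaults]`, given the surrounding keys).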
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: services-*.pve.auro.re
+ vars:
+ openssh_users_ca_public_key: >-
+ ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==
+ openssh_authorized_principals:
+ - any
+ - "{{ inventory_hostname }}"
+ roles:
+ - openssh_server
+...
diff --git a/roles/openssh_server/defaults/main.yml b/roles/openssh_server/defaults/main.yml
new file mode 100644
index 0000000..606659a
--- /dev/null
+++ b/roles/openssh_server/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+openssh_authorized_principals:
+ - any
+...
diff --git a/roles/openssh_server/handlers/main.yml b/roles/openssh_server/handlers/main.yml
new file mode 100644
index 0000000..f9db470
--- /dev/null
+++ b/roles/openssh_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sshd
+ systemd:
+ name: ssh.service
+ state: restarted
+...
diff --git a/roles/openssh_server/tasks/main.yml b/roles/openssh_server/tasks/main.yml
new file mode 100644
index 0000000..f22b82c
--- /dev/null
+++ b/roles/openssh_server/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Install OpenSSH server
+ apt:
+ name: openssh-server
+
+- name: Enable OpenSSH Server
+ systemd:
+ name: sshd.service
+ enabled: true
+ state: started
+
+- name: Install sshd configuration file
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: u=r,g=,o=
+ validate: "/usr/sbin/sshd -tf %s"
+ notify: Restart sshd
+
+- name: Install Users CA public key
+ copy:
+ content: "{{ openssh_users_ca_public_key }}"
+ dest: /etc/ssh/users_ca.pub
+ owner: root
+ group: root
+ mode: u=r,g=,o=
+ notify: Restart sshd
+
+- name: Install authorized principals file
+ copy:
+ content: "{{ openssh_authorized_principals | join('\n') }}"
+ dest: /etc/ssh/authorized_principals
+ owner: root
+ group: root
+ mode: u=r,g=,o=
+ notify: Restart sshd
+...
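Review bot: The Users CA public key and the principals list are play-level `vars` in playbooks/ssh.yml, so the trust anchor is tied to those hosts only through the `services-*.pve.auro.re` pattern, and any other playbook applying openssh_server to the same machines has to repeat the key. Moving `openssh_users_ca_public_key` and `openssh_authorized_principals` to group_vars for the group these hosts belong to keeps the CA next to the inventory it applies to and lets the role be reused without copying key material. A one-line comment above the key naming which CA it is and who operates it would also help the next maintainer, since the base64 blob identifies nothing by itself.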
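Review bot: defaults/main.yml gives `openssh_authorized_principals` a default but leaves `openssh_users_ca_public_key` undefined, and the copy task in tasks/main.yml renders it unconditionally, so applying the role without that variable fails only at that task, after the template task has already replaced /etc/ssh/sshd_config with a file that references a CA that was never installed. Document it as required here, e.g. `# openssh_users_ca_public_key: REQUIRED, public key of the Users CA (no default on purpose)`, or add an `assert` task at the top of tasks/main.yml with `that: openssh_users_ca_public_key is defined` so the failure is immediate and nothing on the host is touched.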
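Review bot: The handler restarts `ssh.service` while the "Enable OpenSSH Server" task in tasks/main.yml (same commit) manages `sshd.service`; on the Debian-family hosts the `apt` task implies, these presumably resolve to the same unit through an alias, but managing one service under two names is confusing and makes it easy for the enable and the restart to diverge later. Use a single name in both places, e.g. `name: ssh.service` in the Enable task as well.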
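Review bot: The sshd_config template is installed and validated before /etc/ssh/users_ca.pub and /etc/ssh/authorized_principals exist, and `sshd -t` checks syntax and host keys but, as far as I can tell, does not open the files named by TrustedUserCAKeys or AuthorizedPrincipalsFile, so on a fresh host the validate step passes while the config points at paths that are not there yet; a run that stops between the template task and the two copy tasks leaves the host in exactly that state. Move the "Install Users CA public key" and "Install authorized principals file" tasks ahead of "Install sshd configuration file" so the validated config always describes what is already on disk. With that order the three `notify: Restart sshd` lines are still correct, since handlers run once at the end of the play.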
diff --git a/roles/openssh_server/templates/sshd_config.j2 b/roles/openssh_server/templates/sshd_config.j2
new file mode 100644
index 0000000..fd3d50f
--- /dev/null
+++ b/roles/openssh_server/templates/sshd_config.j2
@@ -0,0 +1,45 @@
+{{ ansible_managed | comment }}
+
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+Port 22
+
+MaxStartups 10:30:100
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# https://infosec.mozilla.org/guidelines/openssh.html
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+AuthenticationMethods publickey
+
+TrustedUserCAKeys /etc/ssh/users_ca.pub
+AuthorizedPrincipalsFile /etc/ssh/authorized_principals
+
+StrictModes yes
+UsePAM no
+PermitRootLogin yes
+PermitUserRC no
+PermitUserEnvironment no
+AllowAgentForwarding no
+AllowTcpForwarding yes
+X11Forwarding no
+PermitTTY yes
+PermitTunnel no
+VersionAddendum none
+PrintLastLog yes
+PrintMotd yes
+TCPKeepAlive yes
+UseDNS no
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
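Review bot: `AuthorizedPrincipalsFile /etc/ssh/authorized_principals` is a single file shared by every account (no `%u` token), there is no `AllowUsers`/`AllowGroups`, and `PermitRootLogin yes` is set, so a certificate carrying the principal `any` (the role default, and what playbooks/ssh.yml installs) is accepted for root and for every other local account alike; the principal list never says which account a given certificate may use. If root is the only intended login, state it with `AllowUsers root` next to `PermitRootLogin yes`; if per-account access is wanted, switch to `AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u` and have the role install one principals file per account. `PermitRootLogin prohibit-password` would also document the intent more precisely than `yes`, even though `AuthenticationMethods publickey` already rules out passwords. `LogLevel VERBOSE` is a good choice here, as it is the level that gets key fingerprints (and, I believe, certificate IDs) into the auth log for each accepted login.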