Use the Users CA for authentication
parent
b3f25e2c8b
commit
e6363e9668
@ -0,0 +1,12 @@
|
|||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts: services-*.pve.auro.re
|
||||||
|
vars:
|
||||||
|
openssh_users_ca_public_key: >-
|
||||||
|
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==
|
||||||
|
openssh_authorized_principals:
|
||||||
|
- any
|
||||||
|
- "{{ inventory_hostname }}"
|
||||||
|
roles:
|
||||||
|
- openssh_server
|
||||||
|
...
|
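Review bot: The principal list on the `- any` line turns one certificate principal into a wildcard: the role writes this list to a single `/etc/ssh/authorized_principals` that sshd consults for every local account (including root, since the template sets `PermitRootLogin yes`), so any cert the Users CA signs with principal `any` is root on every `services-*` host. If that is the intended admin model it should be said in a comment next to the line, e.g. `# "any" is honoured for every account, root included -- a cert carrying it is a root key on all hosts`; otherwise drop `any` and keep only the per-host principal. The play also writes under `/etc/ssh` and runs apt without `become`, so it presumably connects as root already — worth confirming, since that is what makes the root-login setting load-bearing.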
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
openssh_authorized_principals:
|
||||||
|
- any
|
||||||
|
...
|
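Review bot: The default principal list `- any` means any consumer of the role that does not override `openssh_authorized_principals` gets the wildcard principal, so the safe-by-default value is arguably `- "{{ inventory_hostname }}"` with `any` opted into per play. Also, this file's location matters for the override in the playbook: if it is the role's `vars/main.yml` rather than `defaults/main.yml`, role vars outrank play `vars:` and the per-host list in the playbook would be silently ignored — confirm it lives under `defaults/`.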
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: Restart sshd
|
||||||
|
systemd:
|
||||||
|
name: ssh.service
|
||||||
|
state: restarted
|
||||||
|
...
|
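Review bot: The handler restarts `ssh.service` while the enable task in the tasks file manages `sshd.service`; on Debian-family hosts (the role uses apt) `ssh.service` is the real unit and `sshd.service` an alias, so both work today, but naming one unit consistently avoids a surprise if the alias ever goes away. A config-only change can also use `state: reloaded` instead of `restarted`: sshd re-reads its configuration on SIGHUP without a window where the listener is down.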
@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
- name: Install OpenSSH server
|
||||||
|
apt:
|
||||||
|
name: openssh-server
|
||||||
|
|
||||||
|
- name: Enable OpenSSH Server
|
||||||
|
systemd:
|
||||||
|
name: sshd.service
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Install sshd configuration file
|
||||||
|
template:
|
||||||
|
src: sshd_config.j2
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=r,g=,o=
|
||||||
|
validate: "/usr/sbin/sshd -tf %s"
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
|
- name: Install Users CA public key
|
||||||
|
copy:
|
||||||
|
content: "{{ openssh_users_ca_public_key }}"
|
||||||
|
dest: /etc/ssh/users_ca.pub
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=r,g=,o=
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
|
- name: Install authorized principals file
|
||||||
|
copy:
|
||||||
|
content: "{{ openssh_authorized_principals | join('\n') }}"
|
||||||
|
dest: /etc/ssh/authorized_principals
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=r,g=,o=
|
||||||
|
notify: Restart sshd
|
||||||
|
...
|
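Review bot: The "Install Users CA public key" task has no `validate`, so a mangled or empty `openssh_users_ca_public_key` lands in `/etc/ssh/users_ca.pub` unnoticed and certificate logins just stop working; adding `validate: "/usr/bin/ssh-keygen -l -f %s"` rejects anything that is not a parseable public key before it is written. The `notify: Restart sshd` on that task and on the principals file is, I believe, unnecessary — sshd reads `TrustedUserCAKeys` and `AuthorizedPrincipalsFile` at authentication time, not at startup — so the restarts only add churn; the template task, which does need it, already has the `sshd -t` validation. None of the tasks set `become`, so they rely on the play connecting as a privileged user.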
@ -0,0 +1,45 @@
|
|||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
SyslogFacility AUTH
|
||||||
|
LogLevel VERBOSE
|
||||||
|
|
||||||
|
AddressFamily any
|
||||||
|
ListenAddress 0.0.0.0
|
||||||
|
ListenAddress ::
|
||||||
|
|
||||||
|
Port 22
|
||||||
|
|
||||||
|
MaxStartups 10:30:100
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
|
||||||
|
# https://infosec.mozilla.org/guidelines/openssh.html
|
||||||
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||||
|
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
|
||||||
|
TrustedUserCAKeys /etc/ssh/users_ca.pub
|
||||||
|
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
||||||
|
|
||||||
|
StrictModes yes
|
||||||
|
UsePAM no
|
||||||
|
PermitRootLogin yes
|
||||||
|
PermitUserRC no
|
||||||
|
PermitUserEnvironment no
|
||||||
|
AllowAgentForwarding no
|
||||||
|
AllowTcpForwarding yes
|
||||||
|
X11Forwarding no
|
||||||
|
PermitTTY yes
|
||||||
|
PermitTunnel no
|
||||||
|
VersionAddendum none
|
||||||
|
PrintLastLog yes
|
||||||
|
PrintMotd yes
|
||||||
|
TCPKeepAlive yes
|
||||||
|
UseDNS no
|
||||||
|
AcceptEnv LANG LC_*
|
||||||
|
|
||||||
|
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
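Review bot: `AuthorizedPrincipalsFile /etc/ssh/authorized_principals` is one file for every account, so a certificate whose principals match logs in as root, `sftp-only` users or anyone else alike; `AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u` (one file per account, deployed by the role) or an `AuthorizedPrincipalsCommand` keeps principals tied to the account they are meant for. There is also no `RevokedKeys` directive, so a stolen or mis-issued certificate cannot be cut off before it expires; adding `RevokedKeys /etc/ssh/revoked_keys` and shipping a KRL (even an empty one from `ssh-keygen -k`) closes that gap — note sshd fails closed if the file is missing, so the role must create it. With `AuthenticationMethods publickey` and `UsePAM no`, `PermitRootLogin yes` is effectively `prohibit-password` already; writing the latter documents the intent.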