Use the Users CA for authentication
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
parent
b3f25e2c8b
commit
e6363e9668
7 changed files with 111 additions and 9 deletions
11
ansible.cfg
11
ansible.cfg
|
@ -12,7 +12,7 @@ retry_files_enabled = False
|
|||
inventory = ./hosts
|
||||
|
||||
# Custom header in templates
|
||||
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
|
||||
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
|
||||
|
||||
# Do not use cows (with cowsay)
|
||||
nocows = 1
|
||||
|
@ -23,19 +23,12 @@ forks = 15
|
|||
# Some SSH connection will take time
|
||||
timeout = 60
|
||||
|
||||
[privilege_escalation]
|
||||
|
||||
# Use sudo to get priviledge access
|
||||
become = True
|
||||
|
||||
# Ask for password
|
||||
become_ask_pass = True
|
||||
remote_user = root
|
||||
|
||||
[diff]
|
||||
|
||||
# TO know what changed
|
||||
always = yes
|
||||
|
||||
|
||||
[ssh_connection]
|
||||
pipelining = True
|
||||
|
|
3
hosts
3
hosts
|
@ -10,6 +10,9 @@
|
|||
|
||||
[aurore_pve]
|
||||
escalope.adm.auro.re
|
||||
services-1.pve.auro.re
|
||||
services-2.pve.auro.re
|
||||
services-3.pve.auro.re
|
||||
|
||||
[aurore_vm]
|
||||
routeur-aurore.adm.auro.re
|
||||
|
|
12
playbooks/ssh.yml
Executable file
12
playbooks/ssh.yml
Executable file
|
@ -0,0 +1,12 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: services-*.pve.auro.re
|
||||
vars:
|
||||
openssh_users_ca_public_key: >-
|
||||
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==
|
||||
openssh_authorized_principals:
|
||||
- any
|
||||
- "{{ inventory_hostname }}"
|
||||
roles:
|
||||
- openssh_server
|
||||
...
|
4
roles/openssh_server/defaults/main.yml
Normal file
4
roles/openssh_server/defaults/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
openssh_authorized_principals:
|
||||
- any
|
||||
...
|
6
roles/openssh_server/handlers/main.yml
Normal file
6
roles/openssh_server/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Restart sshd
|
||||
systemd:
|
||||
name: ssh.service
|
||||
state: restarted
|
||||
...
|
39
roles/openssh_server/tasks/main.yml
Normal file
39
roles/openssh_server/tasks/main.yml
Normal file
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
- name: Install OpenSSH server
|
||||
apt:
|
||||
name: openssh-server
|
||||
|
||||
- name: Enable OpenSSH Server
|
||||
systemd:
|
||||
name: sshd.service
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Install sshd configuration file
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
validate: "/usr/sbin/sshd -tf %s"
|
||||
notify: Restart sshd
|
||||
|
||||
- name: Install Users CA public key
|
||||
copy:
|
||||
content: "{{ openssh_users_ca_public_key }}"
|
||||
dest: /etc/ssh/users_ca.pub
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
notify: Restart sshd
|
||||
|
||||
- name: Install authorized principals file
|
||||
copy:
|
||||
content: "{{ openssh_authorized_principals | join('\n') }}"
|
||||
dest: /etc/ssh/authorized_principals
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
notify: Restart sshd
|
||||
...
|
45
roles/openssh_server/templates/sshd_config.j2
Normal file
45
roles/openssh_server/templates/sshd_config.j2
Normal file
|
@ -0,0 +1,45 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
SyslogFacility AUTH
|
||||
LogLevel VERBOSE
|
||||
|
||||
AddressFamily any
|
||||
ListenAddress 0.0.0.0
|
||||
ListenAddress ::
|
||||
|
||||
Port 22
|
||||
|
||||
MaxStartups 10:30:100
|
||||
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
# https://infosec.mozilla.org/guidelines/openssh.html
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
|
||||
AuthenticationMethods publickey
|
||||
|
||||
TrustedUserCAKeys /etc/ssh/users_ca.pub
|
||||
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
||||
|
||||
StrictModes yes
|
||||
UsePAM no
|
||||
PermitRootLogin yes
|
||||
PermitUserRC no
|
||||
PermitUserEnvironment no
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding yes
|
||||
X11Forwarding no
|
||||
PermitTTY yes
|
||||
PermitTunnel no
|
||||
VersionAddendum none
|
||||
PrintLastLog yes
|
||||
PrintMotd yes
|
||||
TCPKeepAlive yes
|
||||
UseDNS no
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
Loading…
Reference in a new issue