Use the Users CA for authentication
parent
b3f25e2c8b
commit
e6363e9668
@ -0,0 +1,12 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: services-*.pve.auro.re
|
||||
vars:
|
||||
openssh_users_ca_public_key: >-
|
||||
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==
|
||||
openssh_authorized_principals:
|
||||
- any
|
||||
- "{{ inventory_hostname }}"
|
||||
roles:
|
||||
- openssh_server
|
||||
...
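Review bot: `any` in `openssh_authorized_principals` is not an OpenSSH wildcard — it is a literal principal name that an issued certificate must carry — and because this commit installs a single shared `/etc/ssh/authorized_principals` (not one per account), a certificate bearing `any` is accepted for every account on every `services-*` host. That is a CA-issuance policy decision and should be stated next to the list, e.g. `# 'any' is a literal principal, not a wildcard: a cert carrying it may log in to every account on this host` above `- any`. If host-scoped access is the intent, the `"{{ inventory_hostname }}"` entry alone already provides it.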
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
openssh_authorized_principals:
|
||||
- any
|
||||
...
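Review bot: The role default grants the `any` principal to every host that forgets to override `openssh_authorized_principals`, so a missing override fails open. An empty list is the safer default — an empty principals file matches no certificate, so certificate logins are refused until a play sets principals deliberately — i.e. `openssh_authorized_principals: []`; the playbook in this commit already overrides it. Leaving `openssh_users_ca_public_key` without a default is the right call, since the copy task should then fail on the undefined variable rather than install an empty CA file.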
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: Restart sshd
|
||||
systemd:
|
||||
name: ssh.service
|
||||
state: restarted
|
||||
...
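Review bot: The handler restarts `ssh.service` while the enable task in the same commit targets `sshd.service`; on Debian-family hosts `sshd.service` appears to be an alias of `ssh.service` so both resolve, but a unit-name mismatch between task and handler is easy to break elsewhere — use one name in both places. For a configuration-only change `state: reloaded` (SIGHUP) is sufficient to re-read `sshd_config` and avoids briefly closing the listening socket during a full restart.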
|
@ -0,0 +1,39 @@
|
||||
---
|
||||
- name: Install OpenSSH server
|
||||
apt:
|
||||
name: openssh-server
|
||||
|
||||
- name: Enable OpenSSH Server
|
||||
systemd:
|
||||
name: sshd.service
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Install sshd configuration file
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
validate: "/usr/sbin/sshd -tf %s"
|
||||
notify: Restart sshd
|
||||
|
||||
- name: Install Users CA public key
|
||||
copy:
|
||||
content: "{{ openssh_users_ca_public_key }}"
|
||||
dest: /etc/ssh/users_ca.pub
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
notify: Restart sshd
|
||||
|
||||
- name: Install authorized principals file
|
||||
copy:
|
||||
content: "{{ openssh_authorized_principals | join('\n') }}"
|
||||
dest: /etc/ssh/authorized_principals
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
notify: Restart sshd
|
||||
...
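Review bot: The `Install Users CA public key` task writes whatever `openssh_users_ca_public_key` expands to with no validation, so an empty or truncated value yields a `users_ca.pub` that `sshd -t` will not flag but that silently rejects every certificate; add `validate: "ssh-keygen -l -f %s"` to that copy so a malformed key fails the play instead. The template task is validated with `sshd -tf %s` before `/etc/ssh/users_ca.pub` and `/etc/ssh/authorized_principals` exist on a fresh host; as far as I can tell `sshd -t` does not open those files, and the restart handler runs at the end of the play, but that ordering dependency deserves a comment above the template task, e.g. `# CA key and principals file are installed below; sshd is only restarted by the handler after all three are in place`.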
|
@ -0,0 +1,45 @@
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
SyslogFacility AUTH
|
||||
LogLevel VERBOSE
|
||||
|
||||
AddressFamily any
|
||||
ListenAddress 0.0.0.0
|
||||
ListenAddress ::
|
||||
|
||||
Port 22
|
||||
|
||||
MaxStartups 10:30:100
|
||||
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
# https://infosec.mozilla.org/guidelines/openssh.html
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
|
||||
AuthenticationMethods publickey
|
||||
|
||||
TrustedUserCAKeys /etc/ssh/users_ca.pub
|
||||
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
||||
|
||||
StrictModes yes
|
||||
UsePAM no
|
||||
PermitRootLogin yes
|
||||
PermitUserRC no
|
||||
PermitUserEnvironment no
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding yes
|
||||
X11Forwarding no
|
||||
PermitTTY yes
|
||||
PermitTunnel no
|
||||
VersionAddendum none
|
||||
PrintLastLog yes
|
||||
PrintMotd yes
|
||||
TCPKeepAlive yes
|
||||
UseDNS no
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
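Review bot: `PermitRootLogin yes` combined with a principals file that is not templated per account (`AuthorizedPrincipalsFile /etc/ssh/authorized_principals`, no `%u`) means any certificate carrying a listed principal — including the `any` principal this commit installs — is accepted for root and for every other account alike; if per-account scoping is intended, switch to `AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u` and have the role install one file per account. There is also no `RevokedKeys` directive, so a leaked or mis-issued certificate cannot be withdrawn before it expires; adding `RevokedKeys /etc/ssh/revoked_keys` with a role-managed (initially empty) KRL provides a revocation path — note that sshd refuses all public-key authentication if that file is missing or unreadable, so the file must be deployed before the directive is enabled.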
|