Deploy the SSH CA for user authentication #80
7 changed files with 111 additions and 9 deletions
11
ansible.cfg
@ -12,7 +12,7 @@ retry_files_enabled = False
inventory = ./hosts
inventory = ./hosts
# Custom header in templates
# Custom header in templates
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
# Do not use cows (with cowsay)
# Do not use cows (with cowsay)
nocows = 1
nocows = 1
@ -23,19 +23,12 @@ forks = 15
# Some SSH connection will take time
# Some SSH connection will take time
timeout = 60
timeout = 60
[privilege_escalation]
remote_user = root
# Use sudo to get priviledge access
become = True
# Ask for password
become_ask_pass = True
[diff]
[diff]
# TO know what changed
# TO know what changed
always = yes
always = yes
[ssh_connection]
[ssh_connection]
pipelining = True
pipelining = True
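Review bot: `remote_user = root` combined with dropping `become` and `become_ask_pass` means every play now authenticates straight to the root account, so the per-operator trail that sudo's password prompt gave is gone and attribution rests on what sshd logs about the presented certificate (key ID and serial on the `Accepted publickey` line, which the new template keeps at `LogLevel VERBOSE`). That is a reasonable trade once the CA is in place, but it deserves a comment so the next reader does not reinstate `become` out of habit: `# Connect directly as root using a user certificate (roles/openssh_server); sudo is no longer used, audit via the certificate key ID in sshd's auth log`. Note that the key now sits in `[defaults]` because the whole `[privilege_escalation]` section was removed, which is the correct section for `remote_user`.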
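--- a/hosts
+++ b/hosts
@@ -10,6 +10,9 @@
 
 [aurore_pve]
 escalope.adm.auro.re
+services-1.pve.auro.re
+services-2.pve.auro.re
+services-3.pve.auro.re
 
 [aurore_vm]
 routeur-aurore.adm.auro.re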
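--- /dev/null
+++ b/playbooks/ssh.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: services-*.pve.auro.re
+vars:
+openssh_users_ca_public_key: >-
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg==
+openssh_authorized_principals:
+- any
+- "{{ inventory_hostname }}"
+roles:
+- openssh_server
+...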
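Review bot: The `openssh_authorized_principals` list grants two names, `any` and the host's inventory name, but nothing says that `any` is not an OpenSSH keyword — it is an ordinary principal string that has to be baked into a certificate, and a certificate carrying it will be accepted on every host that ships this list. A comment above the list would stop it being read as a wildcard: `# "any" is a plain principal name: a cert issued with it logs in on every services-* host; "{{ inventory_hostname }}" scopes a cert to this one machine`. The CA public key inlined in `vars` is the trust anchor for root access on these hosts, so if other plays adopt the role it is worth moving it to a single group_vars entry rather than letting copies drift.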
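--- /dev/null
+++ b/roles/openssh_server/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+openssh_authorized_principals:
+- any
+...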
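Review bot: The role reads `openssh_users_ca_public_key` in its `Install Users CA public key` task, but this defaults file declares only `openssh_authorized_principals`, so a play that applies the role without setting the CA key fails at that task on an undefined variable. There is no sensible default for a trust anchor, so document the requirement here instead of leaving it implicit: `# Required, no default: openssh_users_ca_public_key — public key of the user CA installed as TrustedUserCAKeys`. One line above the `any` default saying it is a literal principal name rather than a wildcard would help too.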
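--- /dev/null
+++ b/roles/openssh_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sshd
+systemd:
+name: ssh.service
+state: restarted
+...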
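--- /dev/null
+++ b/roles/openssh_server/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Install OpenSSH server
+apt:
+name: openssh-server
+
+- name: Enable OpenSSH Server
+systemd:
+name: sshd.service
+enabled: true
+state: started
+
+- name: Install sshd configuration file
+template:
+src: sshd_config.j2
+dest: /etc/ssh/sshd_config
+owner: root
+group: root
+mode: u=r,g=,o=
+validate: "/usr/sbin/sshd -tf %s"
+notify: Restart sshd
+
+- name: Install Users CA public key
+copy:
+content: "{{ openssh_users_ca_public_key }}"
+dest: /etc/ssh/users_ca.pub
+owner: root
+group: root
+mode: u=r,g=,o=
+notify: Restart sshd
+
+- name: Install authorized principals file
+copy:
+content: "{{ openssh_authorized_principals | join('\n') }}"
+dest: /etc/ssh/authorized_principals
+owner: root
+group: root
+mode: u=r,g=,o=
+notify: Restart sshd
+...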
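Review bot: The `Install sshd configuration file` task templates and validates a config whose `TrustedUserCAKeys` and `AuthorizedPrincipalsFile` targets do not yet exist on a fresh host, because `/etc/ssh/users_ca.pub` and `/etc/ssh/authorized_principals` are only written by the two `copy` tasks that follow. I believe `sshd -t` does not open those files so the validate step still passes, but moving the two `copy` tasks ahead of the `template` task lets both the validation and the single handler restart see the complete configuration and removes the dependence on that detail. Separately, `Enable OpenSSH Server` addresses `sshd.service` while the `Restart sshd` handler uses `ssh.service`; on Debian these are aliases of one unit so both work, but the role should use one name, e.g. `name: ssh.service` here to match the handler.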
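--- /dev/null
+++ b/roles/openssh_server/templates/sshd_config.j2
@@ -0,0 +1,45 @@
+{{ ansible_managed | comment }}
+
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+Port 22
+
+MaxStartups 10:30:100
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# https://infosec.mozilla.org/guidelines/openssh.html
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+AuthenticationMethods publickey
+
+TrustedUserCAKeys /etc/ssh/users_ca.pub
+AuthorizedPrincipalsFile /etc/ssh/authorized_principals
+
+StrictModes yes
+UsePAM no
+PermitRootLogin yes
+PermitUserRC no
+PermitUserEnvironment no
+AllowAgentForwarding no
+AllowTcpForwarding yes
+X11Forwarding no
+PermitTTY yes
+PermitTunnel no
+VersionAddendum none
+PrintLastLog yes
+PrintMotd yes
+TCPKeepAlive yes
+UseDNS no
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO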
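Review bot: `AuthorizedPrincipalsFile /etc/ssh/authorized_principals` is a single file consulted for every local account, and with `PermitRootLogin yes` set just below it any certificate carrying the `any` principal (or the host's name) is accepted for root and for every other user on the box alike — the certificate's principals cannot distinguish accounts. Scope the lookup per account with `AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u` (and have the role write a `root` file in that directory), or if root is the only intended target add `AllowUsers root`. Note also that `TrustedUserCAKeys` is additive: `~/.ssh/authorized_keys` remains honoured under the default `AuthorizedKeysFile`, so if the intent is certificate-only access add `AuthorizedKeysFile none`. `PermitRootLogin prohibit-password` would state the key-only intent more precisely than `yes`, although `AuthenticationMethods publickey` already enforces it.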