Deploy the SSH CA for user authentication #80

Merged
jeltz merged 2 commits from use_ssh_ca into master 2021-12-14 07:49:40 +01:00
7 changed files with 113 additions and 9 deletions

View file

@ -12,7 +12,7 @@ retry_files_enabled = False
inventory = ./hosts inventory = ./hosts
# Custom header in templates # Custom header in templates
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid} ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
# Do not use cows (with cowsay) # Do not use cows (with cowsay)
nocows = 1 nocows = 1
@ -23,19 +23,12 @@ forks = 15
# Some SSH connection will take time # Some SSH connection will take time
timeout = 60 timeout = 60
[privilege_escalation] remote_user = root
# Use sudo to get priviledge access
become = True
# Ask for password
become_ask_pass = True
[diff] [diff]
# TO know what changed # TO know what changed
always = yes always = yes
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True

3
hosts
View file

@ -10,6 +10,9 @@
[aurore_pve] [aurore_pve]
escalope.adm.auro.re escalope.adm.auro.re
services-1.pve.auro.re
services-2.pve.auro.re
services-3.pve.auro.re
[aurore_vm] [aurore_vm]
routeur-aurore.adm.auro.re routeur-aurore.adm.auro.re

14
playbooks/ssh.yml Executable file
View file

@ -0,0 +1,14 @@
#!/usr/bin/env ansible-playbook
---
- hosts: services-*.pve.auro.re
vars:
openssh_users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
hBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXW\
F1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
openssh_authorized_principals:
- any
- "{{ inventory_hostname }}"
roles:
- openssh_server
...

View file

@ -0,0 +1,4 @@
---
openssh_authorized_principals:
- any
...

View file

@ -0,0 +1,6 @@
---
- name: Restart sshd
systemd:
name: ssh.service
state: restarted
...

View file

@ -0,0 +1,39 @@
---
- name: Install OpenSSH server
apt:
name: openssh-server
- name: Enable OpenSSH Server
systemd:
name: sshd.service
enabled: true
state: started
- name: Install sshd configuration file
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: u=r,g=,o=
validate: "/usr/sbin/sshd -tf %s"
notify: Restart sshd
- name: Install Users CA public key
copy:
content: "{{ openssh_users_ca_public_key }}"
dest: /etc/ssh/users_ca.pub
owner: root
group: root
mode: u=r,g=,o=
notify: Restart sshd
- name: Install authorized principals file
copy:
content: "{{ openssh_authorized_principals | join('\n') }}"
dest: /etc/ssh/authorized_principals
owner: root
group: root
mode: u=r,g=,o=
notify: Restart sshd
...

View file

@ -0,0 +1,45 @@
{{ ansible_managed | comment }}
SyslogFacility AUTH
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22
MaxStartups 10:30:100
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# https://infosec.mozilla.org/guidelines/openssh.html
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
AuthenticationMethods publickey
TrustedUserCAKeys /etc/ssh/users_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
StrictModes yes
UsePAM no
PermitRootLogin yes
PermitUserRC no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
PermitTTY yes
PermitTunnel no
VersionAddendum none
PrintLastLog yes
PrintMotd yes
TCPKeepAlive yes
UseDNS no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO