WIP: Various cleanups #83

Draft
jeltz wants to merge 9 commits from cleanup_no_ldap_for_servers into master
3 changed files with 22 additions and 3 deletions
Showing only changes of commit 859a84f69c - Show all commits


@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: services-*.pve.auro.re - hosts: all,!unifi
vars: vars:
openssh_users_ca_public_key: openssh_users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
@ -9,6 +9,10 @@
openssh_authorized_principals: openssh_authorized_principals:
- any - any
- "{{ inventory_hostname }}" - "{{ inventory_hostname }}"
openssh_whitelist_groups: "{{ ['adherent']
if inventory_hostname == 'camelot.adm.auro.re'
else [] }}"
openssh_allow_passwords: "{{ inventory_hostname == 'camelot.adm.auro.re' }}"
roles: roles:
- openssh_server - openssh_server
... ...
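Review bot: The literal `'camelot.adm.auro.re'` is repeated in both the `openssh_whitelist_groups` and the `openssh_allow_passwords` expressions, so the two settings can silently drift apart when one of them is edited; a comment above the pair, e.g. `# camelot is the only host where password login and the 'adherent' group are opened`, or hoisting the host name into one variable both expressions read, would keep them in step. Note that a mismatch fails closed (no passwords, empty group list), which is the safe direction, but still worth documenting. `hosts: all,!unifi` now applies the role to every inventory host except unifi, and with the role defaults added in this commit the template renders `AllowUsers root` on every host that sets no whitelist — confirm that no host outside the old `services-*.pve.auro.re` pattern relies on other local users logging in over SSH.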


@ -1,4 +1,7 @@
--- ---
openssh_authorized_principals: openssh_authorized_principals:
- any - any
openssh_allow_passwords: false
openssh_whitelist_users: []
openssh_whitelist_groups: []
... ...
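Review bot: `openssh_whitelist_users: []` reads as "no user restriction", but the sshd_config template in this same commit passes it through `default(['root'], true)`, so an empty list renders `AllowUsers root` and locks every other account out; a comment on the default would prevent that surprise, e.g. `# Empty list means only root may log in (template falls back to ['root'])`. A similar one-line comment on `openssh_allow_passwords` noting that it switches `AuthenticationMethods` and `UsePAM` in the template would make the blast radius of flipping it to true obvious to whoever edits the defaults.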


@ -20,14 +20,19 @@ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{% if openssh_allow_passwords %}
AuthenticationMethods password publickey
UsePAM yes
{% else %}
AuthenticationMethods publickey AuthenticationMethods publickey
UsePAM no
{% endif %}
TrustedUserCAKeys /etc/ssh/users_ca.pub TrustedUserCAKeys /etc/ssh/users_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals AuthorizedPrincipalsFile /etc/ssh/authorized_principals
StrictModes yes StrictModes yes
UsePAM no PermitRootLogin without-password
PermitRootLogin yes
PermitUserRC no PermitUserRC no
PermitUserEnvironment no PermitUserEnvironment no
AllowAgentForwarding no AllowAgentForwarding no
@ -43,3 +48,10 @@ UseDNS no
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}
{% for group in openssh_whitelist_groups %}
Match group {{ group }}
AllowUsers *
{% endfor %}
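Review bot: `PermitRootLogin without-password` on the new side of the first hunk is the deprecated spelling; OpenSSH 7.0 and later document the same setting as `prohibit-password` and only keep `without-password` as an alias, so `PermitRootLogin prohibit-password` is the form to use unless a pre-7.0 sshd is still in the fleet. In the password branch, `AuthenticationMethods password publickey` requires both methods to succeed in that order rather than either one — if that two-step behaviour is intended for camelot, a `{# password AND certificate are both required here #}` comment would stop a later reader "fixing" it to the comma form. The `{% else %}` branch could also state `PasswordAuthentication no` explicitly, so password logins stay off even if `AuthenticationMethods` is later edited. In the second hunk, `Match group` blocks must stay the last directives of the file: any option appended to the template after the `{% endfor %}` will land inside the final Match block instead of the global section, which deserves a comment at the end of the loop.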