Commit ff74043e authored by Felix Delattre's avatar Felix Delattre Committed by Felix Delattre

Added basic Ansible role

parent 69720cda
......@@ -3,6 +3,29 @@ sshd
Ansible role to set up a ssh server with a standard configuration on a Debian system.
Requirements
------------
One or multiple users must be member of the `ssh_login` group. Group Membership is not managed by this role.
SSH keys of the authorized users must be present in the `~/.ssh/authorized_keys` file. Keys are not managed by this role.
Ansible role [xamanu.user](https://galaxy.ansible.com/xamanu/user/) may be used to manage a default user with group membership and keys.
Configuration
-------------
-* Only connections with ssh key authentication are possible (no password login).
-* `root` access is generally not allowed.
-* Only users that are members of the `ssh_login` group can login through ssh.
-* The group can be configured via the `secure_ssh_group` variable.
-* Port is switched from `22` to the indicated value from the ansible variable `secure_ssh_port`, which can be [specified conveniently](https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#host-variables) in the `ansible.hosts` file.
-* A link to download the `authorized_keys` file for ssh must be specified with the variable `ssh_authorized_keys`.
**You can connect directly with**:
-`ssh -p YOURPORT user@123.456.789.1`
Example Playbook
----------------
......
---
secure_ssh_port: 22
secure_ssh_group: ssh_login
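Review bot: `ssh_authorized_keys` is consumed by the role's `get_url` task but has no entry in defaults, so a play that omits it aborts with a generic undefined-variable error instead of something that names the requirement. A commented placeholder here, `# ssh_authorized_keys: "https://…"  # required, no default`, or an `assert` task at the top of the task list would make the contract visible. The two values that are present are fine as written; `ssh_login` is a plain string and `22` is genuinely an integer.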
---
- name: restart ssh
service:
name: ssh
state: restarted
galaxy_info:
author: Felix Delattre
description: This roles sets up a ssh server with its configuration on a Debian (based) system.
license: AGPLv3
min_ansible_version: 1.2
platforms:
- name: Debian
versions:
- bullseye
- buster
galaxy_tags:
- server
- openssh
- ssh
- provision
- debian
dependencies:
- dynamicexposure.user
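Review bot: `dependencies:` declares `dynamicexposure.user` as a hard role dependency, while the README in this same commit describes `xamanu.user` as optional, so galaxy will pull in a role the documentation never mentions; either drop the entry and leave user management to the playbook, or name the same role in both places. `min_ansible_version: 1.2` is an unquoted float (the same key with `2.10` would silently become `2.1`), so write `min_ansible_version: "1.2"`. If the dependency stays, pin it to a release (galaxy dependency entries accept a `version:` next to the role source) so an upstream change to that role cannot quietly alter which user and keys end up with login access.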
---
- name: Install tools for remote access
apt: name={{ item }} state=present
with_items:
- openssh-server
- name: Check if ssh_login group exists
group:
name: "{{ secure_ssh_group }}"
state: present
register: logingroup
check_mode: yes # do not create group
- name: Adding existing user to group ssh_login
user: name=user
groups={{ secure_ssh_group }}
append=yes
- name: Make sure that the .ssh directory exsists
file:
path: "/home/user/.ssh"
state: directory
mode: 0755
- name: Download authorized_keys file
get_url:
url: "{{ ssh_authorized_keys }}"
dest: "/home/user/.ssh/authorized_keys"
owner: user
group: user
mode: 0644
# At this point, at least one user must be present which is member
# of ssh_login, otherwise we will lock ourselves out of the system!
# If the group was just created, that means this is probably not the case.
- fail:
msg: "{{ secure_ssh_group }} must exist, you will lock yourself out of the system!"
when: logingroup.changed
- name: Secured ssh configuration (disallows password login!)
template:
src: "sshd_config.j2"
dest: "/etc/ssh/sshd_config"
owner: root
group: root
mode: 0644
backup: yes
notify:
- restart ssh
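Review bot: The `template:` task that writes `/etc/ssh/sshd_config` notifies `restart ssh` without validating the rendered file, so a bad `secure_ssh_port` or `secure_ssh_group` value produces a config sshd rejects and the restart handler then leaves the host unreachable; add `validate: '/usr/sbin/sshd -t -f %s'` to that task so the handler only fires on a config sshd accepts. The `fail` guard on `logingroup.changed` sits after the `user:` task that adds `user` to `{{ secure_ssh_group }}`, so on a host where the group is absent that task would most likely fail first with a less helpful message; move the `fail` task directly after the group check. The `get_url` task installs whatever `{{ ssh_authorized_keys }}` returns as the login keys with no `checksum:` and nothing requiring an https URL, so who may log in rests entirely on that fetch; a `checksum: sha256:<expected>` parameter or at least an `assert` that the URL starts with `https://` would bound that trust. Separately, `apt: name={{ item }} state=present` with `with_items` and the `user: name=user ...` key=value lines should be block YAML with `loop:`, and the unquoted `mode: 0755`/`0644` and `yes` values should be `"0755"`/`"0644"` and `true`.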
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port {{ secure_ssh_port }}
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
AllowGroups {{ secure_ssh_group }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
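Review bot: `AuthorizedKeysFile` is left at its commented default, which still honours `.ssh/authorized_keys2` alongside the file the role provisions, so a key placed in `authorized_keys2` grants login outside the role's control; set `AuthorizedKeysFile .ssh/authorized_keys` explicitly. Since access control here depends on `AllowGroups {{ secure_ssh_group }}` together with key-only login, it is also worth making `PubkeyAuthentication yes` explicit rather than relying on the commented default, and `MaxAuthTries` could be set lower than the commented default of 6. The file otherwise reproduces the upstream default (the `$OpenBSD: sshd_config,v 1.100` header is the distribution's version marker), so a first-line comment such as `# Managed by Ansible - local edits will be overwritten` would tell operators where changes belong.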
---
- hosts: localhost
remote_user: root
roles:
- ansible-role-ssh-server
\ No newline at end of file
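Review bot: The test play applies the role without setting `ssh_authorized_keys`, which the role's `get_url` task requires, so the test cannot get past that task; pass the variable in the play, e.g. `- role: ansible-role-ssh-server` followed by `vars:` with `ssh_authorized_keys: "https://…"` (a constructed placeholder) under it. Running against `localhost` as `root` also means the test rewrites the runner's own `/etc/ssh/sshd_config` and restarts ssh, which is worth a comment on the `hosts:` line so nobody runs it on a workstation by accident. The file is also missing its trailing newline.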