From c25df42253e3a5ae2e1eb07b19c3f1fe3ec948df Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Fri, 16 Aug 2019 18:53:57 +0200
Subject: [PATCH] common: Reworked ssh configuration generation
---
 group_vars/all/vars.yml | 5 +
 roles/common/handlers/main.yml | 5 -
 roles/common/meta/main.yml | 6 +
 roles/common/tasks/sshd.yml | 36 +++++-
 roles/common/templates/0_main.sshd_config | 121 +++++++++++++++++++++
 roles/common/templates/ssh_config.makefile | 10 ++
 roles/misc/handlers/handlers/main.yml | 16 +++
 7 files changed, 188 insertions(+), 11 deletions(-)
 create mode 100644 roles/common/meta/main.yml
 create mode 100644 roles/common/templates/0_main.sshd_config
 create mode 100644 roles/common/templates/ssh_config.makefile
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 5dea5c6..9b6671e 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -40,5 +40,10 @@ backend_imap_port: 12892
 global_apt_sources_directory: "/etc/apt/sources.list.d"
+global_ssh_configuration_directory: "/etc/ssh/"
+global_ssh_configuration_environment_directory: "/ansible/ssh_configuration"
+global_ssh_configuration_link_name: "config"
+global_ssh_configuration_link: "{{ global_ssh_configuration_environment_directory }}/{{ global_ssh_configuration_link_name }}"
+
 # Debian Repository Mirror
 debian_repository_mirror: "http://deb.debian.org/debian/"
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 5900d8e..a69b509 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -2,8 +2,3 @@
 - name: generate locales
 command: locale-gen
-
-- name: restart ssh
- systemd:
- state: restarted
- name: ssh
diff --git a/roles/common/meta/main.yml b/roles/common/meta/main.yml
new file mode 100644
index 0000000..90cd492
--- /dev/null
+++ b/roles/common/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+allow_duplicates: no
+
+dependencies:
+ - misc/handlers
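Review bot: `global_ssh_configuration_directory: "/etc/ssh/"` carries a trailing slash while `global_ssh_configuration_environment_directory` does not, and the other paths in this hunk are built by joining pieces with `/`; a later `{{ global_ssh_configuration_directory }}/sshd_config` would produce a doubled slash. I would write `global_ssh_configuration_directory: "/etc/ssh"` so the three directory variables follow one convention. This is a style point only; the symlink `src` that consumes the value in this commit should accept either form.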
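Review bot: `allow_duplicates: no` relies on the YAML 1.1 boolean spelling, which yamllint's truthy rule rejects and which a 1.2 loader would read as the string "no". Write `allow_duplicates: false` so the value is a boolean under every loader. A one-line comment above `dependencies:` noting that `misc/handlers` now owns the `restart ssh` and `reassemble sshd config` handlers would also tell the next reader why this role suddenly depends on it.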
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
index e5ddda2..af9f5c7 100644
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -6,12 +6,36 @@
 port: 22
 proto: tcp
-- name: Disable password authentication on ssh
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: "^PasswordAuthentication "
- line: "PasswordAuthentication no"
- notify: restart ssh
+- name: Create ssh configuration environment directory
+ file:
+ state: directory
+ path: "{{ global_ssh_configuration_environment_directory }}"
+ owner: root
+ group: root
+ mode: "u=rwx,g=rx,o=rx"
+
+- name: Upload makefile to ssh configuration environment
+ template:
+ src: ssh_config.makefile
+ dest: "{{ global_ssh_configuration_environment_directory }}/makefile"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+
+- name: Create link in ssh configuration environment
+ file:
+ state: link
+ src: "{{ global_ssh_configuration_directory }}"
+ dest: "{{ global_ssh_configuration_link }}"
+
+- name: Upload main sshd_config
+ template:
+ src: 0_main.sshd_config
+ dest: "{{ global_ssh_configuration_environment_directory }}/0_main.sshd_config"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ notify: reassemble sshd config
 - name: Collect ssh host keys
 command: "cat /etc/ssh/ssh_host_{{ item | quote }}_key.pub"
diff --git a/roles/common/templates/0_main.sshd_config b/roles/common/templates/0_main.sshd_config
new file mode 100644
index 0000000..412cc10
--- /dev/null
+++ b/roles/common/templates/0_main.sshd_config
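Review bot: Only `Upload main sshd_config` notifies `reassemble sshd config`; the makefile upload and the link creation above it do not, so a change to the makefile alone (for example a new `global_ssh_configuration_link_name`) leaves the assembled `sshd_config` stale until the template happens to change too. Add `notify: reassemble sshd config` to the `Upload makefile to ssh configuration environment` task as well. Since the makefile concatenates every `*.sshd_config` in `global_ssh_configuration_environment_directory` into the live server config, a comment on the `Create ssh configuration environment directory` task should state that stale fragments from earlier runs are never removed by this role and end up in the running configuration. The task list continues outside the hunk.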
@@ -0,0 +1,121 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+{% for type in ssh_host_key_types %}
+HostKey /etc/ssh/ssh_host_{{ type }}_key
+{% endfor %}
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/roles/common/templates/ssh_config.makefile b/roles/common/templates/ssh_config.makefile
new file mode 100644
index 0000000..2b78815
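Review bot: `PermitRootLogin yes` lets root authenticate by any method that is enabled; today `PasswordAuthentication no` and `ChallengeResponseAuthentication no` make that effectively key-only, but the restriction then hangs on two other lines rather than on the root setting itself, and `UsePAM yes` is also on. `PermitRootLogin prohibit-password` states the intent directly and keeps holding if a later revision of this template re-enables password or challenge-response authentication. `X11Forwarding yes` is likewise switched on although nothing in this change uses it; unless the hosts need it, `X11Forwarding no` keeps the server-side X11 proxy off. Both are one-line edits to the template.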
--- /dev/null
+++ b/roles/common/templates/ssh_config.makefile
@@ -0,0 +1,10 @@
+dest:={{ global_ssh_configuration_link_name }}
+
+ssh_files:=$(wildcard *.ssh_config)
+sshd_files:=$(wildcard *.sshd_config)
+
+${dest}/ssh_config: ${ssh_files}
+ cat $^ > "$@"
+
+${dest}/sshd_config: ${sshd_files}
+ cat $^ > "$@"
diff --git a/roles/misc/handlers/handlers/main.yml b/roles/misc/handlers/handlers/main.yml
index 76f4e09..5ad9d3a 100644
--- a/roles/misc/handlers/handlers/main.yml
+++ b/roles/misc/handlers/handlers/main.yml
@@ -3,3 +3,19 @@
 - name: reload systemd
 systemd:
 daemon_reload: yes
+
+- name: restart ssh
+ systemd:
+ state: restarted
+ name: ssh
+
+- name: reassemble ssh config
+ make:
+ chdir: "{{ global_ssh_configuration_environment_directory }}"
+ target: "{{ global_ssh_configuration_link_name }}/ssh_config"
+
+- name: reassemble sshd config
+ make:
+ chdir: "{{ global_ssh_configuration_environment_directory }}"
+ target: "{{ global_ssh_configuration_link_name }}/sshd_config"
+ notify: restart ssh
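Review bot: sshd keeps the first value it reads for each keyword, so the order in which the `*.sshd_config` fragments are concatenated decides which setting wins, yet `$(wildcard *.sshd_config)` does not promise sorted results on older GNU make releases, so the `0_` prefix on `0_main.sshd_config` is not guaranteed to put it first. Use `sshd_files:=$(sort $(wildcard *.sshd_config))` and `ssh_files:=$(sort $(wildcard *.ssh_config))` so the filename prefix is what orders the fragments, and say so in a comment at the top of the makefile. With an empty prerequisite list `cat $^ > "$@"` would read stdin and could leave an empty target behind, which for `sshd_config` means OpenSSH defaults apply; a guard against an empty `${sshd_files}` is worth considering.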
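Review bot: `reassemble sshd config` notifies `restart ssh` immediately after `make` writes the assembled file, so a fragment with a syntax error takes sshd down on the restart and can lock the operator out of the host; the old `lineinfile` path at least could not produce an unparsable file. Put a `sshd -t` check between the two handlers and let only a successful check notify the restart, as below. Whether a handler notified from another handler runs reliably depends on the Ansible version in use; the commit already relies on that for `restart ssh`, so the extra link follows the same pattern.
```yaml
- name: reassemble sshd config
  make:
    chdir: "{{ global_ssh_configuration_environment_directory }}"
    target: "{{ global_ssh_configuration_link_name }}/sshd_config"
  notify: validate sshd config

- name: validate sshd config
  command: sshd -t
  notify: restart ssh
```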