From e1c3bebcd97ca97d817215fd8d6c02086569d791 Mon Sep 17 00:00:00 2001
From: mg
Date: Fri, 22 Oct 2021 13:34:08 +0200
Subject: [PATCH] rolle: ssh neu erstellt (#227)
Co-authored-by: Michael Grote
Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/227
Co-authored-by: mg
Co-committed-by: mg
---
 playbooks/2_all.yml | 2 +-
 playbooks/base/ssh.yml | 5 +
 playbooks/base/ssh_pass_login.yml | 5 -
 .../README.md | 9 --
 .../tasks/main.yml | 31 -----
 roles/mgrote.ssh/README.md | 12 ++
 .../handlers/main.yml | 2 +-
 roles/mgrote.ssh/tasks/main.yml | 10 ++
 roles/mgrote.ssh/tasks/pve.yml | 15 +++
 roles/mgrote.ssh/tasks/ubuntu.yml | 15 +++
 roles/mgrote.ssh/templates/pve.j2 | 120 +++++++++++++++++
 roles/mgrote.ssh/templates/ubuntu.j2 | 124 ++++++++++++++++++
 roles/mgrote.ssh/vars/pve.yml | 5 +
 roles/mgrote.ssh/vars/ubuntu.yml | 5 +
 14 files changed, 313 insertions(+), 47 deletions(-)
 create mode 100644 playbooks/base/ssh.yml
 delete mode 100644 playbooks/base/ssh_pass_login.yml
 delete mode 100644 roles/mgrote.deactivate_ssh_password_login/README.md
 delete mode 100644 roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
 create mode 100644 roles/mgrote.ssh/README.md
 rename roles/{mgrote.deactivate_ssh_password_login => mgrote.ssh}/handlers/main.yml (80%)
 create mode 100644 roles/mgrote.ssh/tasks/main.yml
 create mode 100644 roles/mgrote.ssh/tasks/pve.yml
 create mode 100644 roles/mgrote.ssh/tasks/ubuntu.yml
 create mode 100644 roles/mgrote.ssh/templates/pve.j2
 create mode 100644 roles/mgrote.ssh/templates/ubuntu.j2
 create mode 100644 roles/mgrote.ssh/vars/pve.yml
 create mode 100644 roles/mgrote.ssh/vars/ubuntu.yml

diff --git a/playbooks/2_all.yml b/playbooks/2_all.yml
index f2f0dc52..f9312865 100644
--- a/playbooks/2_all.yml
+++ b/playbooks/2_all.yml
@@ -10,7 +10,7 @@
 - import_playbook: base/vim.yml
 - import_playbook: base/postfix.yml
 - import_playbook: base/ufw.yml
- - import_playbook: base/ssh_pass_login.yml
+ - import_playbook: base/ssh.yml
 - import_playbook: base/f2b.yml
 - import_playbook: base/monitoring.yml
 - import_playbook: base/remove_snapd.yml
diff --git a/playbooks/base/ssh.yml b/playbooks/base/ssh.yml
new file mode 100644
index 00000000..42bb3ef7
--- /dev/null
+++ b/playbooks/base/ssh.yml
@@ -0,0 +1,5 @@
+---
+ - hosts: all
+ roles:
+ - { role: mgrote.ssh,
+ tags: "ssh"}
diff --git a/playbooks/base/ssh_pass_login.yml b/playbooks/base/ssh_pass_login.yml
deleted file mode 100644
index aab9942d..00000000
--- a/playbooks/base/ssh_pass_login.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
- - hosts: all:!proxmox
- roles:
- - { role: mgrote.deactivate_ssh_password_login,
- tags: "ssh"}
diff --git a/roles/mgrote.deactivate_ssh_password_login/README.md b/roles/mgrote.deactivate_ssh_password_login/README.md
deleted file mode 100644
index 381480a0..00000000
--- a/roles/mgrote.deactivate_ssh_password_login/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-## mgrote.deactivate_ssh_password_login
-
-### Beschreibung
-Deaktiviert den SSH LogIn mit Passwort
-
-### getestet auf
-- [x] Ubuntu (>=18.04)
-- [x] Debian
-- [x ] ProxMox 6.1
diff --git a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
deleted file mode 100644
index c24c65f1..00000000
--- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
- - name: prohibit ssh login with password
- become: yes
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '#PasswordAuthentication yes'
- line: 'PasswordAuthentication no'
- state: present
- validate: "/usr/sbin/sshd -T -f %s"
- notify: restart_sshd
-
- - name: prohibit ssh login with password
- become: yes
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: 'PasswordAuthentication yes'
- line: 'PasswordAuthentication no'
- state: present
- validate: "/usr/sbin/sshd -T -f %s"
- notify: restart_sshd
-
-
- - name: prohibit ssh root login with password
- become: yes
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: 'PermitRootLogin yes'
- line: 'PermitRootLogin no'
- state: present
- validate: "/usr/sbin/sshd -T -f %s"
- notify: restart_sshd
diff --git a/roles/mgrote.ssh/README.md b/roles/mgrote.ssh/README.md
new file mode 100644
index 00000000..52582b8e
--- /dev/null
+++ b/roles/mgrote.ssh/README.md
@@ -0,0 +1,12 @@
+## mgrote.ssh
+
+### Beschreibung
+Konfigutiert sshd.
+
+### getestet auf
+- [x] Ubuntu (>=20.04)
+- [ ] Debian
+- [x] ProxMox 7*
+
+## Defaults
+- befinden sich in ``/vars``; getrennt nach OS.
diff --git a/roles/mgrote.deactivate_ssh_password_login/handlers/main.yml b/roles/mgrote.ssh/handlers/main.yml
similarity index 80%
rename from roles/mgrote.deactivate_ssh_password_login/handlers/main.yml
rename to roles/mgrote.ssh/handlers/main.yml
index a97f0dcb..aa01ea6d 100644
--- a/roles/mgrote.deactivate_ssh_password_login/handlers/main.yml
+++ b/roles/mgrote.ssh/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
- - name: restart_sshd
+ - name: restart sshd
 become: yes
 systemd:
 name: sshd
diff --git a/roles/mgrote.ssh/tasks/main.yml b/roles/mgrote.ssh/tasks/main.yml
new file mode 100644
index 00000000..e21ad406
--- /dev/null
+++ b/roles/mgrote.ssh/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+ - name: include ubuntu tasks (determined by "ansible_distribution")
+ include_tasks: ubuntu.yml
+ when:
+ - ansible_distribution == 'Ubuntu'
+
+ - name: include proxmox tasks (determined by group)
+ include_tasks: pve.yml
+ when:
+ - "'proxmox' in group_names"
diff --git a/roles/mgrote.ssh/tasks/pve.yml b/roles/mgrote.ssh/tasks/pve.yml
new file mode 100644
index 00000000..a049fd18
--- /dev/null
+++ b/roles/mgrote.ssh/tasks/pve.yml
@@ -0,0 +1,15 @@
+---
+ - name: source proxmox vars
+ include_vars: pve.yml
+
+ - name: template sshd_config
+ become: true
+ ansible.builtin.template:
+ src: pve.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: '0644'
+ validate: "/usr/sbin/sshd -T -f %s"
+ backup: true
+ notify: restart sshd
diff --git a/roles/mgrote.ssh/tasks/ubuntu.yml b/roles/mgrote.ssh/tasks/ubuntu.yml
new file mode 100644
index 00000000..e3f19f97
--- /dev/null
+++ b/roles/mgrote.ssh/tasks/ubuntu.yml
@@ -0,0 +1,15 @@
+---
+ - name: source ubuntu vars
+ include_vars: ubuntu.yml
+
+ - name: template sshd_config
+ become: true
+ ansible.builtin.template:
+ src: ubuntu.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: '0644'
+ validate: "/usr/sbin/sshd -T -f %s"
+ backup: true
+ notify: restart sshd
diff --git a/roles/mgrote.ssh/templates/pve.j2 b/roles/mgrote.ssh/templates/pve.j2
new file mode 100644
index 00000000..6ad591e4
--- /dev/null
+++ b/roles/mgrote.ssh/templates/pve.j2
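Review bot: A host that is neither Ubuntu nor in the `proxmox` group matches neither `when` in tasks/main.yml and leaves the role without touching sshd_config, and because the new playbook targets `all` this happens silently; the old role also covered Debian, which the new README now lists as untested. A guard after the two includes would make the gap visible, e.g. `- name: assert supported host` / `  ansible.builtin.assert:` / `    that: ansible_distribution == 'Ubuntu' or 'proxmox' in group_names`. An Ubuntu host that is also in the `proxmox` group would run both includes and the second template would win; that may be fine for this inventory but deserves a comment.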
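Review bot: `include_vars: pve.yml` loads `ssh_permit_root_login` and the other three keys at include_vars precedence, which is above inventory group_vars/host_vars and role defaults, so a single host cannot override them from the inventory even though the README calls them defaults; the same applies to `include_vars: ubuntu.yml` in tasks/ubuntu.yml. If per-host overrides are wanted, either move the values to `defaults/main.yml` or keep the per-OS files but load them into a namespaced dict and reference them in the template with a fallback, e.g. `{{ ssh_permit_root_login | default(pve_ssh.permit_root_login) }}`. The `validate: "/usr/sbin/sshd -T -f %s"` plus `backup: true` on the template task is the right guard for a full-file replacement of sshd_config.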
@@ -0,0 +1,120 @@
+{{ file_header | default () }}
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ ssh_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ ssh_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd {{ ssh_print_motd }}
+PrintLastLog {{ ssh_print_lastlog }}
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
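Review bot: `X11Forwarding yes` is carried over uncommented from the distribution file, so this hypervisor template actively enables X11 forwarding rather than leaving the OpenSSH default; unless X11 sessions to PVE nodes are needed, `X11Forwarding no` is the safer line, and the same line appears in ubuntu.j2. Unlike ubuntu.j2 this template has no `Include /etc/ssh/sshd_config.d/*.conf`, so any drop-ins already present on the PVE host stop being read once this file is deployed; if that is intended, a one-line comment at the top of the template saying so would save the next reader a check. The pve.j2 hunk starts on the previous line of the patch.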
diff --git a/roles/mgrote.ssh/templates/ubuntu.j2 b/roles/mgrote.ssh/templates/ubuntu.j2
new file mode 100644
index 00000000..c1879373
--- /dev/null
+++ b/roles/mgrote.ssh/templates/ubuntu.j2
@@ -0,0 +1,124 @@
+{{ file_header | default () }}
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd {{ ssh_print_motd }}
+PrintLastLog {{ ssh_print_lastlog }}
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+PasswordAuthentication {{ ssh_password_authentication }}
+PermitRootLogin {{ ssh_permit_root_login }}
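Review bot: `PasswordAuthentication` is set twice in this template: the literal `PasswordAuthentication no` at the top of this hunk and `PasswordAuthentication {{ ssh_password_authentication }}` appended on the last lines; sshd uses the first value it reads for a keyword, so the templated line is dead and `ssh_password_authentication` from vars/ubuntu.yml has no effect here. The appended `PermitRootLogin {{ ssh_permit_root_login }}` also sits after the `#Match User anoncvs` example and would become Match-scoped the moment that block is uncommented. Do it the way pve.j2 does: replace the in-place lines with `PermitRootLogin {{ ssh_permit_root_login }}` and `PasswordAuthentication {{ ssh_password_authentication }}` and drop the two appended lines. Note too that `Include /etc/ssh/sshd_config.d/*.conf` precedes every setting in this file, so a drop-in that sets `PasswordAuthentication` (cloud-init writes one on some Ubuntu images) wins over the template; if that is not wanted, move the Include below the templated values or manage the drop-in directory as well. The ubuntu.j2 hunk starts on the previous line of the patch.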
diff --git a/roles/mgrote.ssh/vars/pve.yml b/roles/mgrote.ssh/vars/pve.yml
new file mode 100644
index 00000000..eb834eaa
--- /dev/null
+++ b/roles/mgrote.ssh/vars/pve.yml
@@ -0,0 +1,5 @@
+---
+ ssh_permit_root_login: "yes"
+ ssh_password_authentication: "yes"
+ ssh_print_motd: "no"
+ ssh_print_lastlog: "no"
diff --git a/roles/mgrote.ssh/vars/ubuntu.yml b/roles/mgrote.ssh/vars/ubuntu.yml
new file mode 100644
index 00000000..7076f225
--- /dev/null
+++ b/roles/mgrote.ssh/vars/ubuntu.yml
@@ -0,0 +1,5 @@
+---
+ ssh_permit_root_login: "no"
+ ssh_password_authentication: "no"
+ ssh_print_motd: "no"
+ ssh_print_lastlog: "no"
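Review bot: `ssh_permit_root_login: "yes"` and `ssh_password_authentication: "yes"` make the role write root password login into the hypervisor's sshd_config explicitly; the old playbook merely excluded proxmox from hardening (`all:!proxmox`), so the end state is the same, but the reason is now recorded nowhere. A comment above the two keys, e.g. `# deliberately kept at the PVE default (root password login allowed); see templates/pve.j2`, would make the intent reviewable the next time someone tightens this role. Quoting the values as strings is correct, since unquoted `yes`/`no` would be parsed as YAML booleans and render as `True`/`False`, which `sshd -T` would reject in the validate step; vars/ubuntu.yml does the same.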