rolle: ssh neu erstellt (#227)

Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#227 Co-authored-by: mg <michael.grote@posteo.de> Co-committed-by: mg <michael.grote@posteo.de>
2021-10-22 13:34:08 +02:00 · 2021-10-22 13:34:08 +02:00 · e1c3bebcd9
commit e1c3bebcd9
parent e63aabf5d9
14 changed files with 313 additions and 47 deletions
--- a/playbooks/2_all.yml
+++ b/playbooks/2_all.yml
@ -10,7 +10,7 @@
  - import_playbook: base/vim.yml
  - import_playbook: base/postfix.yml
  - import_playbook: base/ufw.yml
-  - import_playbook: base/ssh_pass_login.yml
+  - import_playbook: base/ssh.yml
  - import_playbook: base/f2b.yml
  - import_playbook: base/monitoring.yml
  - import_playbook: base/remove_snapd.yml
--- a/playbooks/base/ssh.yml
+++ b/playbooks/base/ssh.yml
@ -0,0 +1,5 @@
 ---
  - hosts: all
    roles:
      - { role: mgrote.ssh,
          tags: "ssh"}
--- a/playbooks/base/ssh_pass_login.yml
+++ b/playbooks/base/ssh_pass_login.yml
@ -1,5 +0,0 @@
 ---
  - hosts: all:!proxmox
    roles:
      - { role: mgrote.deactivate_ssh_password_login,
          tags: "ssh"}
--- a/roles/mgrote.deactivate_ssh_password_login/README.md
+++ b/roles/mgrote.deactivate_ssh_password_login/README.md
@ -1,9 +0,0 @@
 ## mgrote.deactivate_ssh_password_login
 ### Beschreibung
 Deaktiviert den SSH LogIn mit Passwort
 ### getestet auf
 - [x] Ubuntu (>=18.04)
 - [x] Debian
 - [x ] ProxMox 6.1
--- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
+++ b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
@ -1,31 +0,0 @@
 ---
  - name: prohibit ssh login with password
    become: yes
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '#PasswordAuthentication yes'
      line: 'PasswordAuthentication no'
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
  - name: prohibit ssh login with password
    become: yes
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: 'PasswordAuthentication yes'
      line: 'PasswordAuthentication no'
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
  - name: prohibit ssh root login with password
    become: yes
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: 'PermitRootLogin yes'
      line: 'PermitRootLogin no'
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
--- a/roles/mgrote.ssh/README.md
+++ b/roles/mgrote.ssh/README.md
@ -0,0 +1,12 @@
 ## mgrote.ssh
 ### Beschreibung
 Konfigutiert sshd.
 ### getestet auf
 - [x] Ubuntu (>=20.04)
 - [ ] Debian
 - [x] ProxMox 7*
 ## Defaults
 - befinden sich in ``/vars``; getrennt nach OS.
--- a/roles/mgrote.deactivate_ssh_password_login/handlers/main.yml
+++ b/roles/mgrote.deactivate_ssh_password_login/handlers/main.yml
@ -1,5 +1,5 @@
 ---
-  - name: restart_sshd
+  - name: restart sshd
    become: yes
    systemd:
      name: sshd
--- a/roles/mgrote.ssh/tasks/main.yml
+++ b/roles/mgrote.ssh/tasks/main.yml
@ -0,0 +1,10 @@
 ---
  - name: include ubuntu tasks (determined by "ansible_distribution")
    include_tasks: ubuntu.yml
    when:
      - ansible_distribution == 'Ubuntu'
  - name: include proxmox tasks (determined by group)
    include_tasks: pve.yml
    when:
      - "'proxmox' in group_names"
--- a/roles/mgrote.ssh/tasks/pve.yml
+++ b/roles/mgrote.ssh/tasks/pve.yml
@ -0,0 +1,15 @@
 ---
  - name: source proxmox vars
    include_vars: pve.yml
  - name: template sshd_config
    become: true
    ansible.builtin.template:
      src: pve.j2
      dest: /etc/ssh/sshd_config
      owner: root
      group: root
      mode: '0644'
      validate: "/usr/sbin/sshd -T -f %s"
      backup: true
    notify: restart sshd
--- a/roles/mgrote.ssh/tasks/ubuntu.yml
+++ b/roles/mgrote.ssh/tasks/ubuntu.yml
@ -0,0 +1,15 @@
 ---
  - name: source ubuntu vars
    include_vars: ubuntu.yml
  - name: template sshd_config
    become: true
    ansible.builtin.template:
      src: ubuntu.j2
      dest: /etc/ssh/sshd_config
      owner: root
      group: root
      mode: '0644'
      validate: "/usr/sbin/sshd -T -f %s"
      backup: true
    notify: restart sshd
--- a/roles/mgrote.ssh/templates/pve.j2
+++ b/roles/mgrote.ssh/templates/pve.j2
@ -0,0 +1,120 @@
 {{ file_header | default () }}
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin {{ ssh_permit_root_login }}
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 #PubkeyAuthentication yes
 # Expect .ssh/authorized_keys2 to be disregarded by default in future.
 #AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication {{ ssh_password_authentication }}
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 PrintMotd {{ ssh_print_motd }}
 PrintLastLog {{ ssh_print_lastlog }}
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 #Banner none
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
--- a/roles/mgrote.ssh/templates/ubuntu.j2
+++ b/roles/mgrote.ssh/templates/ubuntu.j2
@ -0,0 +1,124 @@
 {{ file_header | default () }}
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 Include /etc/ssh/sshd_config.d/*.conf
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 #PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 #PubkeyAuthentication yes
 # Expect .ssh/authorized_keys2 to be disregarded by default in future.
 #AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 PrintMotd {{ ssh_print_motd }}
 PrintLastLog {{ ssh_print_lastlog }}
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 #Banner none
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
 PasswordAuthentication {{ ssh_password_authentication }}
 PermitRootLogin {{ ssh_permit_root_login }}
--- a/roles/mgrote.ssh/vars/pve.yml
+++ b/roles/mgrote.ssh/vars/pve.yml
@ -0,0 +1,5 @@
 ---
  ssh_permit_root_login: "yes"
  ssh_password_authentication: "yes"
  ssh_print_motd: "no"
  ssh_print_lastlog: "no"
--- a/roles/mgrote.ssh/vars/ubuntu.yml
+++ b/roles/mgrote.ssh/vars/ubuntu.yml
@ -0,0 +1,5 @@
 ---
  ssh_permit_root_login: "no"
  ssh_password_authentication: "no"
  ssh_print_motd: "no"
  ssh_print_lastlog: "no"