rolle: ssh neu erstellt (#227)

Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#227 Co-authored-by: mg <michael.grote@posteo.de> Co-committed-by: mg <michael.grote@posteo.de>
2021-10-22 13:34:08 +02:00 · 2021-10-22 13:34:08 +02:00 · e1c3bebcd9
commit e1c3bebcd9
parent e63aabf5d9
14 changed files with 313 additions and 47 deletions
--- a/playbooks/2_all.yml
+++ b/playbooks/2_all.yml
@ -10,7 +10,7 @@
  - import_playbook: base/vim.yml
  - import_playbook: base/postfix.yml
  - import_playbook: base/ufw.yml
-  - import_playbook: base/ssh_pass_login.yml
+  - import_playbook: base/ssh.yml
  - import_playbook: base/f2b.yml
  - import_playbook: base/monitoring.yml
  - import_playbook: base/remove_snapd.yml
--- a/playbooks/base/ssh.yml
+++ b/playbooks/base/ssh.yml
@ -0,0 +1,5 @@
+---
+  - hosts: all
+    roles:
+      - { role: mgrote.ssh,
+          tags: "ssh"}
--- a/playbooks/base/ssh_pass_login.yml
+++ b/playbooks/base/ssh_pass_login.yml
@ -1,5 +0,0 @@
---
-  - hosts: all:!proxmox
-    roles:
-      - { role: mgrote.deactivate_ssh_password_login,
-          tags: "ssh"}
--- a/roles/mgrote.deactivate_ssh_password_login/README.md
+++ b/roles/mgrote.deactivate_ssh_password_login/README.md
@ -1,9 +0,0 @@
-## mgrote.deactivate_ssh_password_login
-
-### Beschreibung
-Deaktiviert den SSH LogIn mit Passwort
-
-### getestet auf
- [x] Ubuntu (>=18.04)
- [x] Debian
- [x ] ProxMox 6.1
--- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
+++ b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
@ -1,31 +0,0 @@
---
-  - name: prohibit ssh login with password
-    become: yes
-    ansible.builtin.lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: '#PasswordAuthentication yes'
-      line: 'PasswordAuthentication no'
-      state: present
-      validate: "/usr/sbin/sshd -T -f %s"
-    notify: restart_sshd
-
-  - name: prohibit ssh login with password
-    become: yes
-    ansible.builtin.lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: 'PasswordAuthentication yes'
-      line: 'PasswordAuthentication no'
-      state: present
-      validate: "/usr/sbin/sshd -T -f %s"
-    notify: restart_sshd
-
-
-  - name: prohibit ssh root login with password
-    become: yes
-    ansible.builtin.lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: 'PermitRootLogin yes'
-      line: 'PermitRootLogin no'
-      state: present
-      validate: "/usr/sbin/sshd -T -f %s"
-    notify: restart_sshd
--- a/roles/mgrote.ssh/README.md
+++ b/roles/mgrote.ssh/README.md
@ -0,0 +1,12 @@
+## mgrote.ssh
+
+### Beschreibung
+Konfigutiert sshd.
+
+### getestet auf
+- [x] Ubuntu (>=20.04)
+- [ ] Debian
+- [x] ProxMox 7*
+
+## Defaults
+- befinden sich in ``/vars``; getrennt nach OS.
--- a/roles/mgrote.deactivate_ssh_password_login/handlers/main.yml
+++ b/roles/mgrote.deactivate_ssh_password_login/handlers/main.yml
@ -1,5 +1,5 @@
 ---
-  - name: restart_sshd
+  - name: restart sshd
    become: yes
    systemd:
      name: sshd
--- a/roles/mgrote.ssh/tasks/main.yml
+++ b/roles/mgrote.ssh/tasks/main.yml
@ -0,0 +1,10 @@
+---
+  - name: include ubuntu tasks (determined by "ansible_distribution")
+    include_tasks: ubuntu.yml
+    when:
+      - ansible_distribution == 'Ubuntu'
+
+  - name: include proxmox tasks (determined by group)
+    include_tasks: pve.yml
+    when:
+      - "'proxmox' in group_names"
--- a/roles/mgrote.ssh/tasks/pve.yml
+++ b/roles/mgrote.ssh/tasks/pve.yml
@ -0,0 +1,15 @@
+---
+  - name: source proxmox vars
+    include_vars: pve.yml
+
+  - name: template sshd_config
+    become: true
+    ansible.builtin.template:
+      src: pve.j2
+      dest: /etc/ssh/sshd_config
+      owner: root
+      group: root
+      mode: '0644'
+      validate: "/usr/sbin/sshd -T -f %s"
+      backup: true
+    notify: restart sshd
--- a/roles/mgrote.ssh/tasks/ubuntu.yml
+++ b/roles/mgrote.ssh/tasks/ubuntu.yml
@ -0,0 +1,15 @@
+---
+  - name: source ubuntu vars
+    include_vars: ubuntu.yml
+
+  - name: template sshd_config
+    become: true
+    ansible.builtin.template:
+      src: ubuntu.j2
+      dest: /etc/ssh/sshd_config
+      owner: root
+      group: root
+      mode: '0644'
+      validate: "/usr/sbin/sshd -T -f %s"
+      backup: true
+    notify: restart sshd
--- a/roles/mgrote.ssh/templates/pve.j2
+++ b/roles/mgrote.ssh/templates/pve.j2
@ -0,0 +1,120 @@
+{{ file_header | default () }}
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ ssh_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ ssh_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd {{ ssh_print_motd }}
+PrintLastLog {{ ssh_print_lastlog }}
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
--- a/roles/mgrote.ssh/templates/ubuntu.j2
+++ b/roles/mgrote.ssh/templates/ubuntu.j2
@ -0,0 +1,124 @@
+{{ file_header | default () }}
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd {{ ssh_print_motd }}
+PrintLastLog {{ ssh_print_lastlog }}
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+PasswordAuthentication {{ ssh_password_authentication }}
+PermitRootLogin {{ ssh_permit_root_login }}
--- a/roles/mgrote.ssh/vars/pve.yml
+++ b/roles/mgrote.ssh/vars/pve.yml
@ -0,0 +1,5 @@
+---
+  ssh_permit_root_login: "yes"
+  ssh_password_authentication: "yes"
+  ssh_print_motd: "no"
+  ssh_print_lastlog: "no"
--- a/roles/mgrote.ssh/vars/ubuntu.yml
+++ b/roles/mgrote.ssh/vars/ubuntu.yml
@ -0,0 +1,5 @@
+---
+  ssh_permit_root_login: "no"
+  ssh_password_authentication: "no"
+  ssh_print_motd: "no"
+  ssh_print_lastlog: "no"