Compare commits
No commits in common. "docs" and "main" have entirely different histories.
11
.gitignore
vendored
Normal file
11
.gitignore
vendored
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# ---> Ansible
|
||||||
|
*.retry
|
||||||
|
plugins
|
||||||
|
library
|
||||||
|
|
||||||
|
# ---> Python
|
||||||
|
# Byte-compiled / optimized / DLL files
|
||||||
|
__pycache__/
|
||||||
|
*.py[cod]
|
||||||
|
*$py.class
|
||||||
|
|
7
.markdownlint.yml
Normal file
7
.markdownlint.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
default: True
|
||||||
|
MD013: False
|
||||||
|
MD041: False
|
||||||
|
MD024: False
|
||||||
|
MD004:
|
||||||
|
style: dash
|
1
.prettierignore
Normal file
1
.prettierignore
Normal file
@ -0,0 +1 @@
|
|||||||
|
LICENSE
|
47
.woodpecker/docs.yaml
Normal file
47
.woodpecker/docs.yaml
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
when:
|
||||||
|
- event: [pull_request]
|
||||||
|
- event: [push, manual]
|
||||||
|
branch:
|
||||||
|
- ${CI_REPO_DEFAULT_BRANCH}
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: generate
|
||||||
|
image: quay.io/thegeeklab/ansible-doctor
|
||||||
|
environment:
|
||||||
|
ANSIBLE_DOCTOR_EXCLUDE_FILES: "['molecule/']"
|
||||||
|
ANSIBLE_DOCTOR_RENDERER__FORCE_OVERWRITE: "true"
|
||||||
|
ANSIBLE_DOCTOR_LOGGING__LEVEL: info
|
||||||
|
ANSIBLE_DOCTOR_ROLE__NAME: ${CI_REPO_NAME}
|
||||||
|
ANSIBLE_DOCTOR_TEMPLATE__NAME: readme
|
||||||
|
|
||||||
|
- name: format
|
||||||
|
image: quay.io/thegeeklab/alpine-tools
|
||||||
|
commands:
|
||||||
|
- prettier -w README.md
|
||||||
|
|
||||||
|
- name: diff
|
||||||
|
image: quay.io/thegeeklab/alpine-tools
|
||||||
|
commands:
|
||||||
|
- git diff --color=always README.md
|
||||||
|
|
||||||
|
- name: publish
|
||||||
|
image: quay.io/thegeeklab/wp-git-action
|
||||||
|
settings:
|
||||||
|
action:
|
||||||
|
- commit
|
||||||
|
- push
|
||||||
|
author_email: ci-bot@rknet.org
|
||||||
|
author_name: ci-bot
|
||||||
|
branch: main
|
||||||
|
message: "[skip ci] automated docs update"
|
||||||
|
netrc_machine: gitea.rknet.org
|
||||||
|
netrc_password:
|
||||||
|
from_secret: gitea_token
|
||||||
|
when:
|
||||||
|
- event: [push, manual]
|
||||||
|
branch:
|
||||||
|
- ${CI_REPO_DEFAULT_BRANCH}
|
||||||
|
|
||||||
|
depends_on:
|
||||||
|
- test
|
30
.woodpecker/lint.yaml
Normal file
30
.woodpecker/lint.yaml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
---
|
||||||
|
when:
|
||||||
|
- event: [pull_request, tag]
|
||||||
|
- event: [push, manual]
|
||||||
|
branch:
|
||||||
|
- ${CI_REPO_DEFAULT_BRANCH}
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: ansible-lint
|
||||||
|
image: quay.io/thegeeklab/ansible-dev-tools:1
|
||||||
|
commands:
|
||||||
|
- ansible-lint
|
||||||
|
environment:
|
||||||
|
FORCE_COLOR: "1"
|
||||||
|
|
||||||
|
- name: python-format
|
||||||
|
image: docker.io/python:3.12
|
||||||
|
commands:
|
||||||
|
- pip install -qq ruff
|
||||||
|
- ruff format --check --diff .
|
||||||
|
environment:
|
||||||
|
PY_COLORS: "1"
|
||||||
|
|
||||||
|
- name: python-lint
|
||||||
|
image: docker.io/python:3.12
|
||||||
|
commands:
|
||||||
|
- pip install -qq ruff
|
||||||
|
- ruff check .
|
||||||
|
environment:
|
||||||
|
PY_COLORS: "1"
|
26
.woodpecker/notify.yml
Normal file
26
.woodpecker/notify.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
when:
|
||||||
|
- event: [tag]
|
||||||
|
- event: [push, manual]
|
||||||
|
branch:
|
||||||
|
- ${CI_REPO_DEFAULT_BRANCH}
|
||||||
|
|
||||||
|
runs_on: [success, failure]
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: matrix
|
||||||
|
image: quay.io/thegeeklab/wp-matrix
|
||||||
|
settings:
|
||||||
|
homeserver:
|
||||||
|
from_secret: matrix_homeserver
|
||||||
|
room_id:
|
||||||
|
from_secret: matrix_room_id
|
||||||
|
user_id:
|
||||||
|
from_secret: matrix_user_id
|
||||||
|
access_token:
|
||||||
|
from_secret: matrix_access_token
|
||||||
|
when:
|
||||||
|
- status: [failure]
|
||||||
|
|
||||||
|
depends_on:
|
||||||
|
- docs
|
24
.woodpecker/test.yaml
Normal file
24
.woodpecker/test.yaml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
when:
|
||||||
|
- event: [pull_request, tag]
|
||||||
|
- event: [push, manual]
|
||||||
|
branch:
|
||||||
|
- ${CI_REPO_DEFAULT_BRANCH}
|
||||||
|
|
||||||
|
variables:
|
||||||
|
- &molecule_base
|
||||||
|
image: quay.io/thegeeklab/ansible-dev-tools:1
|
||||||
|
group: molecule
|
||||||
|
environment:
|
||||||
|
PY_COLORS: "1"
|
||||||
|
HCLOUD_TOKEN:
|
||||||
|
from_secret: molecule_hcloud_token
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: molecule-default
|
||||||
|
<<: *molecule_base
|
||||||
|
commands:
|
||||||
|
- molecule test -s default
|
||||||
|
|
||||||
|
depends_on:
|
||||||
|
- lint
|
20
.yamllint
Normal file
20
.yamllint
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
extends: default
|
||||||
|
|
||||||
|
rules:
|
||||||
|
truthy:
|
||||||
|
allowed-values: ["True", "False"]
|
||||||
|
comments:
|
||||||
|
min-spaces-from-content: 1
|
||||||
|
comments-indentation: False
|
||||||
|
line-length: disable
|
||||||
|
braces:
|
||||||
|
min-spaces-inside: 0
|
||||||
|
max-spaces-inside: 1
|
||||||
|
brackets:
|
||||||
|
min-spaces-inside: 0
|
||||||
|
max-spaces-inside: 0
|
||||||
|
indentation: enable
|
||||||
|
octal-values:
|
||||||
|
forbid-implicit-octal: True
|
||||||
|
forbid-explicit-octal: True
|
21
LICENSE
Normal file
21
LICENSE
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
MIT License
|
||||||
|
|
||||||
|
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is furnished
|
||||||
|
to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice (including the next
|
||||||
|
paragraph) shall be included in all copies or substantial portions of the
|
||||||
|
Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||||
|
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
|
||||||
|
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
||||||
|
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
|
||||||
|
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
@ -1,14 +1,13 @@
|
|||||||
---
|
# xoxys.sshd
|
||||||
title: sshd
|
|
||||||
type: docs
|
|
||||||
---
|
|
||||||
|
|
||||||
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.sshd) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.sshd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.sshd) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
|
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
|
||||||
|
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
|
||||||
|
|
||||||
Configure sshd server.
|
Configure sshd server.
|
||||||
|
|
||||||
<!--more-->
|
## Table of content
|
||||||
|
|
||||||
|
- [Requirements](#requirements)
|
||||||
- [Default Variables](#default-variables)
|
- [Default Variables](#default-variables)
|
||||||
- [sshd_allow_agent_forwarding](#sshd_allow_agent_forwarding)
|
- [sshd_allow_agent_forwarding](#sshd_allow_agent_forwarding)
|
||||||
- [sshd_allow_groups](#sshd_allow_groups)
|
- [sshd_allow_groups](#sshd_allow_groups)
|
||||||
@ -35,15 +34,22 @@ Configure sshd server.
|
|||||||
- [sshd_password_authentication](#sshd_password_authentication)
|
- [sshd_password_authentication](#sshd_password_authentication)
|
||||||
- [sshd_permit_empty_passwords](#sshd_permit_empty_passwords)
|
- [sshd_permit_empty_passwords](#sshd_permit_empty_passwords)
|
||||||
- [sshd_permit_root_login](#sshd_permit_root_login)
|
- [sshd_permit_root_login](#sshd_permit_root_login)
|
||||||
|
- [sshd_port](#sshd_port)
|
||||||
- [sshd_protocol](#sshd_protocol)
|
- [sshd_protocol](#sshd_protocol)
|
||||||
- [sshd_strict_modes](#sshd_strict_modes)
|
- [sshd_strict_modes](#sshd_strict_modes)
|
||||||
- [sshd_tcp_keep_alive](#sshd_tcp_keep_alive)
|
- [sshd_tcp_keep_alive](#sshd_tcp_keep_alive)
|
||||||
- [sshd_use_dns](#sshd_use_dns)
|
- [sshd_use_dns](#sshd_use_dns)
|
||||||
- [sshd_x11_forwarding](#sshd_x11_forwarding)
|
- [sshd_x11_forwarding](#sshd_x11_forwarding)
|
||||||
- [Dependencies](#dependencies)
|
- [Dependencies](#dependencies)
|
||||||
|
- [License](#license)
|
||||||
|
- [Author](#author)
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
- Minimum Ansible version: `2.10`
|
||||||
|
|
||||||
## Default Variables
|
## Default Variables
|
||||||
|
|
||||||
### sshd_allow_agent_forwarding
|
### sshd_allow_agent_forwarding
|
||||||
@ -272,6 +278,14 @@ sshd_permit_empty_passwords: no
|
|||||||
sshd_permit_root_login: yes
|
sshd_permit_root_login: yes
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### sshd_port
|
||||||
|
|
||||||
|
#### Default value
|
||||||
|
|
||||||
|
```YAML
|
||||||
|
sshd_port: 22
|
||||||
|
```
|
||||||
|
|
||||||
### sshd_protocol
|
### sshd_protocol
|
||||||
|
|
||||||
#### Default value
|
#### Default value
|
||||||
@ -312,8 +326,14 @@ sshd_use_dns: no
|
|||||||
sshd_x11_forwarding: yes
|
sshd_x11_forwarding: yes
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
|
|
||||||
None.
|
None.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT
|
||||||
|
|
||||||
|
## Author
|
||||||
|
|
||||||
|
[Robert Kaussow](https://gitea.rknet.org/xoxys)
|
62
defaults/main.yml
Normal file
62
defaults/main.yml
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
---
|
||||||
|
sshd_protocol: 2
|
||||||
|
sshd_port: 22
|
||||||
|
sshd_permit_root_login: "yes"
|
||||||
|
sshd_permit_empty_passwords: "no"
|
||||||
|
sshd_password_authentication: "no"
|
||||||
|
sshd_gssapi_authentication: "no"
|
||||||
|
sshd_strict_modes: "yes"
|
||||||
|
sshd_allow_groups: []
|
||||||
|
sshd_ignore_rhosts: "yes"
|
||||||
|
sshd_hostbased_authentication: "no"
|
||||||
|
sshd_client_alive_interval: 900
|
||||||
|
sshd_client_alive_count_max: 0
|
||||||
|
|
||||||
|
sshd_ciphers:
|
||||||
|
- chacha20-poly1305@openssh.com
|
||||||
|
- aes256-gcm@openssh.com
|
||||||
|
- aes128-gcm@openssh.com
|
||||||
|
- aes256-ctr
|
||||||
|
- aes192-ctr
|
||||||
|
- aes128-ctr
|
||||||
|
|
||||||
|
sshd_kex:
|
||||||
|
- curve25519-sha256@libssh.org
|
||||||
|
- diffie-hellman-group-exchange-sha256
|
||||||
|
|
||||||
|
sshd_moduli_minimum: 2048
|
||||||
|
|
||||||
|
sshd_macs:
|
||||||
|
- hmac-sha2-512-etm@openssh.com
|
||||||
|
- hmac-sha2-256-etm@openssh.com
|
||||||
|
- umac-128-etm@openssh.com
|
||||||
|
- hmac-sha2-512
|
||||||
|
- hmac-sha2-256
|
||||||
|
- umac-128@openssh.com
|
||||||
|
|
||||||
|
sshd_allow_agent_forwarding: "no"
|
||||||
|
sshd_x11_forwarding: "yes"
|
||||||
|
sshd_allow_tcp_forwarding: "yes"
|
||||||
|
sshd_compression: delayed
|
||||||
|
sshd_log_level: INFO
|
||||||
|
sshd_max_auth_tries: 6
|
||||||
|
sshd_max_sessions: 10
|
||||||
|
sshd_tcp_keep_alive: "yes"
|
||||||
|
sshd_use_dns: "no"
|
||||||
|
sshd_login_grace_time: 60
|
||||||
|
sshd_max_startups: "10:30:60"
|
||||||
|
|
||||||
|
sshd_crypto_policy_enabled: True
|
||||||
|
|
||||||
|
# @var sshd_challenge_response_authentication:description: >
|
||||||
|
# If you disable password auth you should disable ChallengeResponseAuth also.
|
||||||
|
# @end
|
||||||
|
sshd_challenge_response_authentication: "no"
|
||||||
|
|
||||||
|
# @var sshd_google_auth_enabled:description: >
|
||||||
|
# Google Authenticator required ChallengeResponseAuth!
|
||||||
|
# @end
|
||||||
|
sshd_google_auth_enabled: False
|
||||||
|
# @var sshd_google_auth_exclude_group:description: Exclude a group from 2FA auth
|
||||||
|
# @var sshd_google_auth_exclude_group:example: $ "my_group"
|
||||||
|
# @var sshd_google_auth_exclude_group: $ "_unset_"
|
6
handlers/main.yml
Normal file
6
handlers/main.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: Restart ssh server
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: sshd
|
||||||
|
state: restarted
|
||||||
|
listen: __sshd_restart
|
23
meta/main.yml
Normal file
23
meta/main.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
galaxy_info:
|
||||||
|
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
|
||||||
|
author: Robert Kaussow <mail@thegeeklab.de>
|
||||||
|
namespace: xoxys
|
||||||
|
role_name: sshd
|
||||||
|
# @meta description: >
|
||||||
|
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
|
||||||
|
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
|
||||||
|
#
|
||||||
|
# Configure sshd server.
|
||||||
|
# @end
|
||||||
|
description: Configure sshd server
|
||||||
|
license: MIT
|
||||||
|
min_ansible_version: "2.10"
|
||||||
|
platforms:
|
||||||
|
- name: EL
|
||||||
|
versions:
|
||||||
|
- "9"
|
||||||
|
galaxy_tags:
|
||||||
|
- sshd
|
||||||
|
- security
|
||||||
|
dependencies: []
|
5
molecule/default/converge.yml
Normal file
5
molecule/default/converge.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
roles:
|
||||||
|
- role: xoxys.sshd
|
17
molecule/default/molecule.yml
Normal file
17
molecule/default/molecule.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
driver:
|
||||||
|
name: molecule_hetznercloud
|
||||||
|
dependency:
|
||||||
|
name: galaxy
|
||||||
|
options:
|
||||||
|
role-file: requirements.yml
|
||||||
|
requirements-file: requirements.yml
|
||||||
|
platforms:
|
||||||
|
- name: "rocky9-sshd"
|
||||||
|
server_type: "cx22"
|
||||||
|
image: "rocky-9"
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
log: False
|
||||||
|
verifier:
|
||||||
|
name: testinfra
|
11
molecule/default/prepare.yml
Normal file
11
molecule/default/prepare.yml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
gather_facts: False
|
||||||
|
tasks:
|
||||||
|
- name: Bootstrap Python for Ansible
|
||||||
|
ansible.builtin.raw: |
|
||||||
|
command -v python3 python ||
|
||||||
|
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
||||||
|
echo "Warning: Python not boostrapped due to unknown platform.")
|
||||||
|
changed_when: False
|
16
molecule/default/tests/test_default.py
Normal file
16
molecule/default/tests/test_default.py
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
|
import testinfra.utils.ansible_runner
|
||||||
|
|
||||||
|
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||||
|
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||||
|
).get_hosts("all")
|
||||||
|
|
||||||
|
|
||||||
|
def test_sshd_config_file(host):
|
||||||
|
sshd = host.file("/etc/ssh/sshd_config")
|
||||||
|
|
||||||
|
assert sshd.exists
|
||||||
|
assert sshd.user == "root"
|
||||||
|
assert sshd.group == "root"
|
||||||
|
assert sshd.mode == 0o600
|
17
pyproject.toml
Normal file
17
pyproject.toml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
[tool.ruff]
|
||||||
|
exclude = [".git", "__pycache__"]
|
||||||
|
|
||||||
|
line-length = 99
|
||||||
|
indent-width = 4
|
||||||
|
|
||||||
|
[tool.ruff.lint]
|
||||||
|
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
|
||||||
|
select = ["F", "E", "I", "W", "S"]
|
||||||
|
|
||||||
|
[tool.ruff.format]
|
||||||
|
quote-style = "double"
|
||||||
|
indent-style = "space"
|
||||||
|
line-ending = "lf"
|
||||||
|
|
||||||
|
[tool.pytest.ini_options]
|
||||||
|
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]
|
7
requirements.yml
Normal file
7
requirements.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
collections:
|
||||||
|
- name: https://gitea.rknet.org/ansible/xoxys.general
|
||||||
|
type: git
|
||||||
|
version: main
|
||||||
|
|
||||||
|
roles: []
|
14
tasks/main.yml
Normal file
14
tasks/main.yml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
- name: Configure sshd
|
||||||
|
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
|
||||||
|
vars:
|
||||||
|
params:
|
||||||
|
files:
|
||||||
|
- "ssh_{{ ansible_lsb.id | default('') | lower }}.yml"
|
||||||
|
- "ssh_{{ ansible_os_family | lower }}.yml"
|
||||||
|
- "ssh_default.yml"
|
||||||
|
paths:
|
||||||
|
- "tasks"
|
||||||
|
- name: Configure sshd 2FA
|
||||||
|
ansible.builtin.include_tasks: ssh_2fa.yml
|
||||||
|
when: sshd_google_auth_enabled | bool
|
39
tasks/ssh_2fa.yml
Normal file
39
tasks/ssh_2fa.yml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
- name: Install google authenticator PAM module
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: google-authenticator
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Add google auth module to PAM
|
||||||
|
community.general.pamd:
|
||||||
|
name: sshd
|
||||||
|
type: account
|
||||||
|
control: required
|
||||||
|
module_path: pam_nologin.so
|
||||||
|
new_type: auth
|
||||||
|
new_control: required
|
||||||
|
new_module_path: pam_google_authenticator.so
|
||||||
|
state: before
|
||||||
|
|
||||||
|
- name: Skip google auth for specific group
|
||||||
|
community.general.pamd:
|
||||||
|
name: sshd
|
||||||
|
type: auth
|
||||||
|
control: required
|
||||||
|
module_path: pam_google_authenticator.so
|
||||||
|
new_type: auth
|
||||||
|
new_control: "[success=done default=ignore]"
|
||||||
|
new_module_path: pam_succeed_if.so
|
||||||
|
module_arguments:
|
||||||
|
- user
|
||||||
|
- ingroup
|
||||||
|
- "{{ sshd_google_auth_exclude_group }}"
|
||||||
|
state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
|
||||||
|
|
||||||
|
- name: Remove password auth from PAM
|
||||||
|
community.general.pamd:
|
||||||
|
name: sshd
|
||||||
|
type: auth
|
||||||
|
control: substack
|
||||||
|
module_path: password-auth
|
||||||
|
state: absent
|
53
tasks/ssh_default.yml
Normal file
53
tasks/ssh_default.yml
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
---
|
||||||
|
- name: Gather package facts
|
||||||
|
ansible.builtin.package_facts:
|
||||||
|
check_mode: False
|
||||||
|
|
||||||
|
- name: Hardening sshd config
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: etc/ssh/sshd_config.j2
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
notify: __sshd_restart
|
||||||
|
|
||||||
|
- name: Check if /etc/ssh/moduli contains weak DH parameters
|
||||||
|
ansible.builtin.shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
|
||||||
|
register: __sshd_register_moduli
|
||||||
|
changed_when: False
|
||||||
|
check_mode: False
|
||||||
|
|
||||||
|
- name: Remove all small primes
|
||||||
|
ansible.builtin.shell:
|
||||||
|
awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
||||||
|
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
||||||
|
register: __sshd_register_moduli
|
||||||
|
changed_when: __sshd_register_moduli.rc != 0
|
||||||
|
notify: __sshd_restart
|
||||||
|
when: __sshd_register_moduli.stdout
|
||||||
|
|
||||||
|
- name: Create SSH usergroup
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
loop: "{{ sshd_allow_groups }}"
|
||||||
|
|
||||||
|
- name: Configure SSH crypto policy usage
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: etc/sysconfig/sshd.j2
|
||||||
|
dest: /etc/sysconfig/sshd
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0640"
|
||||||
|
when: ('crypto-policies' in ansible_facts.packages)
|
||||||
|
|
||||||
|
- name: Ensure seport matches sshd config
|
||||||
|
seport:
|
||||||
|
ports: "{{ sshd_port }}"
|
||||||
|
proto: "tcp"
|
||||||
|
setype: "ssh_port_t"
|
||||||
|
state: "present"
|
||||||
|
when:
|
||||||
|
- ansible_selinux is defined
|
||||||
|
- ansible_selinux.status == "enabled"
|
46
tasks/ssh_univention.yml
Normal file
46
tasks/ssh_univention.yml
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
---
|
||||||
|
- name: Hardening sshd config
|
||||||
|
xoxys.general.ucr:
|
||||||
|
path: "{{ item.path }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
|
loop:
|
||||||
|
- path: sshd/permitroot
|
||||||
|
value: "{{ sshd_permit_root_login | default('') }}"
|
||||||
|
- path: sshd/PermitEmptyPasswords
|
||||||
|
value: "{{ sshd_permit_empty_passwords | default('') }}"
|
||||||
|
- path: sshd/permitroot
|
||||||
|
value: "{{ sshd_permit_root_login | default('') }}"
|
||||||
|
- path: sshd/passwordauthentication
|
||||||
|
value: "{{ sshd_password_authentication | default('') }}"
|
||||||
|
- path: sshd/challengeresponse
|
||||||
|
value: "{{ sshd_password_authentication | default('') }}"
|
||||||
|
- path: sshd/IgnoreRhosts
|
||||||
|
value: "{{ sshd_ignore_rhosts | default('') }}"
|
||||||
|
- path: sshd/HostbasedAuthentication
|
||||||
|
value: "{{ sshd_hostbased_authentication | default('') }}"
|
||||||
|
- path: sshd/ClientAliveInterval
|
||||||
|
value: "{{ sshd_client_alive_interval | default('') }}"
|
||||||
|
- path: sshd/ClientAliveCountMax
|
||||||
|
value: "{{ sshd_client_alive_count_max | default('') }}"
|
||||||
|
- path: sshd/Ciphers
|
||||||
|
value: "{{ sshd_ciphers | default('[]') | join(',') }}"
|
||||||
|
- path: sshd/KexAlgorithms
|
||||||
|
value: "{{ sshd_kex | default('[]') | join(',') }}"
|
||||||
|
- path: sshd/MACs
|
||||||
|
value: "{{ sshd_macs | default('[]') | join(',') }}"
|
||||||
|
loop_control:
|
||||||
|
label: "variable: {{ item.path }}={{ item.value }}"
|
||||||
|
notify: __sshd_restart
|
||||||
|
|
||||||
|
- name: Set allowed ssh groups
|
||||||
|
xoxys.general.ucr:
|
||||||
|
path: "auth/sshd/group/{{ item }}"
|
||||||
|
value: "yes"
|
||||||
|
loop: "{{ sshd_allow_groups }}"
|
||||||
|
|
||||||
|
- name: Create SSH Usergroup
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ item }}"
|
||||||
|
system: "yes"
|
||||||
|
state: present
|
||||||
|
loop: "{{ sshd_allow_groups }}"
|
166
templates/etc/ssh/sshd_config.j2
Normal file
166
templates/etc/ssh/sshd_config.j2
Normal file
@ -0,0 +1,166 @@
|
|||||||
|
#jinja2: lstrip_blocks: True
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# This is the sshd server system-wide configuration file.
|
||||||
|
# See sshd_config(5) for more information.
|
||||||
|
|
||||||
|
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
||||||
|
|
||||||
|
# The strategy used for options in the default sshd_config shipped with
|
||||||
|
# OpenSSH is to specify options with their default value where
|
||||||
|
# possible, but leave them commented. Uncommented options override the
|
||||||
|
# default value.
|
||||||
|
|
||||||
|
# If you want to change the port on a SELinux system, you have to tell
|
||||||
|
# SELinux about this change.
|
||||||
|
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||||
|
#
|
||||||
|
Port {{ sshd_port }}
|
||||||
|
#AddressFamily any
|
||||||
|
#ListenAddress 0.0.0.0
|
||||||
|
#ListenAddress ::
|
||||||
|
{% if ansible_os_family | lower == "redhat" and ansible_distribution_major_version is version('8', '<') %}
|
||||||
|
|
||||||
|
Protocol {{ sshd_protocol }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
# Ciphers and keying
|
||||||
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
{% if sshd_crypto_policy_enabled | bool %}
|
||||||
|
# This system is following system-wide crypto policy. The changes to
|
||||||
|
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
|
||||||
|
# They will be overridden by command-line options passed to the server
|
||||||
|
# on command line.
|
||||||
|
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||||
|
{% else %}
|
||||||
|
Ciphers {{ sshd_ciphers | join(',') }}
|
||||||
|
KexAlgorithms {{ sshd_kex | join(',') }}
|
||||||
|
MACs {{ sshd_macs | join(',') }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
#SyslogFacility AUTH
|
||||||
|
SyslogFacility AUTHPRIV
|
||||||
|
LogLevel {{ sshd_log_level }}
|
||||||
|
|
||||||
|
# Authentication:
|
||||||
|
|
||||||
|
LoginGraceTime {{ sshd_login_grace_time }}
|
||||||
|
PermitRootLogin {{ sshd_permit_root_login }}
|
||||||
|
StrictModes {{ sshd_strict_modes }}
|
||||||
|
{% if sshd_allow_groups %}
|
||||||
|
AllowGroups {{ sshd_allow_groups|join(',') }}
|
||||||
|
{% endif %}
|
||||||
|
MaxAuthTries {{ sshd_max_auth_tries }}
|
||||||
|
MaxSessions {{ sshd_max_sessions }}
|
||||||
|
|
||||||
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
|
#AuthorizedPrincipalsFile none
|
||||||
|
|
||||||
|
#AuthorizedKeysCommand none
|
||||||
|
#AuthorizedKeysCommandUser nobody
|
||||||
|
|
||||||
|
HostbasedAuthentication {{ sshd_hostbased_authentication }}
|
||||||
|
#IgnoreUserKnownHosts no
|
||||||
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
|
IgnoreRhosts {{ sshd_ignore_rhosts }}
|
||||||
|
|
||||||
|
{% if sshd_google_auth_enabled %}
|
||||||
|
# Force public key auth then ask for google auth code
|
||||||
|
AuthenticationMethods publickey,keyboard-interactive
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
|
PasswordAuthentication {{ sshd_password_authentication }}
|
||||||
|
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
|
||||||
|
|
||||||
|
# Change to no to disable s/key passwords
|
||||||
|
ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }}
|
||||||
|
|
||||||
|
# Kerberos options
|
||||||
|
#KerberosAuthentication no
|
||||||
|
#KerberosOrLocalPasswd yes
|
||||||
|
#KerberosTicketCleanup yes
|
||||||
|
#KerberosGetAFSToken no
|
||||||
|
#KerberosUseKuserok yes
|
||||||
|
|
||||||
|
# GSSAPI options
|
||||||
|
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
|
||||||
|
GSSAPICleanupCredentials no
|
||||||
|
#GSSAPIStrictAcceptorCheck yes
|
||||||
|
#GSSAPIKeyExchange no
|
||||||
|
#GSSAPIEnablek5users no
|
||||||
|
|
||||||
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
|
# be allowed through the ChallengeResponseAuthentication and
|
||||||
|
# PasswordAuthentication. Depending on your PAM configuration,
|
||||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||||
|
# the setting of "PermitRootLogin without-password".
|
||||||
|
# If you just want the PAM account and session checks to run without
|
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
|
# WARNING: 'UsePAM no' is not supported on RH based systems and may
|
||||||
|
# cause several problems.
|
||||||
|
UsePAM yes
|
||||||
|
|
||||||
|
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
|
||||||
|
AllowTcpForwarding {{ sshd_allow_tcp_forwarding }}
|
||||||
|
#GatewayPorts no
|
||||||
|
X11Forwarding {{ sshd_x11_forwarding }}
|
||||||
|
#X11DisplayOffset 10
|
||||||
|
#X11UseLocalhost yes
|
||||||
|
#PermitTTY yes
|
||||||
|
{% if ansible_os_family | lower == "redhat" and ansible_distribution_major_version is version('7', '>') %}
|
||||||
|
PrintMotd no
|
||||||
|
{% endif %}
|
||||||
|
#PrintLastLog no
|
||||||
|
TCPKeepAlive {{ sshd_tcp_keep_alive }}
|
||||||
|
#UseLogin no
|
||||||
|
{% if ansible_os_family | lower == "redhat" and ansible_distribution_major_version is version('8', '<') %}
|
||||||
|
UsePrivilegeSeparation sandbox
|
||||||
|
{% endif %}
|
||||||
|
#PermitUserEnvironment no
|
||||||
|
Compression {{ sshd_compression }}
|
||||||
|
ClientAliveInterval {{ sshd_client_alive_interval }}
|
||||||
|
ClientAliveCountMax {{ sshd_client_alive_count_max }}
|
||||||
|
UseDNS {{ sshd_use_dns }}
|
||||||
|
#PidFile /var/run/sshd.pid
|
||||||
|
MaxStartups {{ sshd_max_startups }}
|
||||||
|
#PermitTunnel no
|
||||||
|
#ChrootDirectory none
|
||||||
|
#VersionAddendum none
|
||||||
|
|
||||||
|
# no default banner path
|
||||||
|
#Banner none
|
||||||
|
|
||||||
|
# Accept locale-related environment variables
|
||||||
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
|
AcceptEnv XMODIFIERS
|
||||||
|
|
||||||
|
# override default of no subsystems
|
||||||
|
Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||||
|
|
||||||
|
# Example of overriding settings on a per-user basis
|
||||||
|
#Match User anoncvs
|
||||||
|
# X11Forwarding no
|
||||||
|
# AllowTcpForwarding no
|
||||||
|
# PermitTTY no
|
||||||
|
# ForceCommand cvs server
|
||||||
|
|
||||||
|
{% if sshd_google_auth_exclude_group is defined %}
|
||||||
|
Match User {{ sshd_google_auth_exclude_group }}
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
{% endif %}
|
21
templates/etc/sysconfig/sshd.j2
Normal file
21
templates/etc/sysconfig/sshd.j2
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
#jinja2: lstrip_blocks: True
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# Configuration file for the sshd service.
|
||||||
|
|
||||||
|
# The server keys are automatically generated if they are missing.
|
||||||
|
# To change the automatic creation, adjust sshd.service options for
|
||||||
|
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
||||||
|
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
||||||
|
# creation.
|
||||||
|
|
||||||
|
# Do not change this option unless you have hardware random
|
||||||
|
# generator and you REALLY know what you are doing
|
||||||
|
|
||||||
|
SSH_USE_STRONG_RNG=0
|
||||||
|
# SSH_USE_STRONG_RNG=1
|
||||||
|
{% if not sshd_crypto_policy_enabled | bool %}
|
||||||
|
|
||||||
|
# Disable system-wide crypto policy
|
||||||
|
CRYPTO_POLICY=
|
||||||
|
{% endif %}
|
Loading…
Reference in New Issue
Block a user