Compare commits
No commits in common. "main" and "docs" have entirely different histories.
|
@ -1,11 +0,0 @@
|
||||||
# ---> Ansible
|
|
||||||
*.retry
|
|
||||||
plugins
|
|
||||||
library
|
|
||||||
|
|
||||||
# ---> Python
|
|
||||||
# Byte-compiled / optimized / DLL files
|
|
||||||
__pycache__/
|
|
||||||
*.py[cod]
|
|
||||||
*$py.class
|
|
||||||
|
|
15
.later.yml
15
.later.yml
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
ansible:
|
|
||||||
custom_modules:
|
|
||||||
- iptables_raw
|
|
||||||
- openssl_pkcs12
|
|
||||||
- proxmox_kvm
|
|
||||||
- ucr
|
|
||||||
- corenetworks_dns
|
|
||||||
- corenetworks_token
|
|
||||||
|
|
||||||
rules:
|
|
||||||
exclude_files:
|
|
||||||
- "LICENSE*"
|
|
||||||
- "**/*.md"
|
|
||||||
- "**/*.ini"
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
default: True
|
|
||||||
MD013: False
|
|
||||||
MD041: False
|
|
||||||
MD024: False
|
|
||||||
MD004:
|
|
||||||
style: dash
|
|
|
@ -1 +0,0 @@
|
||||||
LICENSE
|
|
|
@ -1,47 +0,0 @@
|
||||||
---
|
|
||||||
when:
|
|
||||||
- event: [pull_request]
|
|
||||||
- event: [push, manual]
|
|
||||||
branch:
|
|
||||||
- ${CI_REPO_DEFAULT_BRANCH}
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: generate
|
|
||||||
image: quay.io/thegeeklab/ansible-doctor
|
|
||||||
environment:
|
|
||||||
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
|
|
||||||
ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true"
|
|
||||||
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
|
|
||||||
ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}
|
|
||||||
ANSIBLE_DOCTOR_TEMPLATE: readme
|
|
||||||
|
|
||||||
- name: format
|
|
||||||
image: quay.io/thegeeklab/alpine-tools
|
|
||||||
commands:
|
|
||||||
- prettier -w README.md
|
|
||||||
|
|
||||||
- name: diff
|
|
||||||
image: quay.io/thegeeklab/alpine-tools
|
|
||||||
commands:
|
|
||||||
- git diff --color=always README.md
|
|
||||||
|
|
||||||
- name: publish
|
|
||||||
image: quay.io/thegeeklab/wp-git-action
|
|
||||||
settings:
|
|
||||||
action:
|
|
||||||
- commit
|
|
||||||
- push
|
|
||||||
author_email: ci-bot@rknet.org
|
|
||||||
author_name: ci-bot
|
|
||||||
branch: main
|
|
||||||
message: "[skip ci] automated docs update"
|
|
||||||
netrc_machine: gitea.rknet.org
|
|
||||||
netrc_password:
|
|
||||||
from_secret: gitea_token
|
|
||||||
when:
|
|
||||||
- event: [push, manual]
|
|
||||||
branch:
|
|
||||||
- ${CI_REPO_DEFAULT_BRANCH}
|
|
||||||
|
|
||||||
depends_on:
|
|
||||||
- test
|
|
|
@ -1,30 +0,0 @@
|
||||||
---
|
|
||||||
when:
|
|
||||||
- event: [pull_request, tag]
|
|
||||||
- event: [push, manual]
|
|
||||||
branch:
|
|
||||||
- ${CI_REPO_DEFAULT_BRANCH}
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: ansible-later
|
|
||||||
image: quay.io/thegeeklab/ansible-later:4
|
|
||||||
commands:
|
|
||||||
- ansible-later
|
|
||||||
environment:
|
|
||||||
FORCE_COLOR: "1"
|
|
||||||
|
|
||||||
- name: python-format
|
|
||||||
image: docker.io/python:3.12
|
|
||||||
commands:
|
|
||||||
- pip install -qq ruff
|
|
||||||
- ruff format --check --diff .
|
|
||||||
environment:
|
|
||||||
PY_COLORS: "1"
|
|
||||||
|
|
||||||
- name: python-lint
|
|
||||||
image: docker.io/python:3.12
|
|
||||||
commands:
|
|
||||||
- pip install -qq ruff
|
|
||||||
- ruff .
|
|
||||||
environment:
|
|
||||||
PY_COLORS: "1"
|
|
|
@ -1,26 +0,0 @@
|
||||||
---
|
|
||||||
when:
|
|
||||||
- event: [tag]
|
|
||||||
- event: [push, manual]
|
|
||||||
branch:
|
|
||||||
- ${CI_REPO_DEFAULT_BRANCH}
|
|
||||||
|
|
||||||
runs_on: [success, failure]
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: matrix
|
|
||||||
image: quay.io/thegeeklab/wp-matrix
|
|
||||||
settings:
|
|
||||||
homeserver:
|
|
||||||
from_secret: matrix_homeserver
|
|
||||||
password:
|
|
||||||
from_secret: matrix_password
|
|
||||||
roomid:
|
|
||||||
from_secret: matrix_roomid
|
|
||||||
username:
|
|
||||||
from_secret: matrix_username
|
|
||||||
when:
|
|
||||||
- status: [success, failure]
|
|
||||||
|
|
||||||
depends_on:
|
|
||||||
- docs
|
|
|
@ -1,25 +0,0 @@
|
||||||
---
|
|
||||||
when:
|
|
||||||
- event: [pull_request, tag]
|
|
||||||
- event: [push, manual]
|
|
||||||
branch:
|
|
||||||
- ${CI_REPO_DEFAULT_BRANCH}
|
|
||||||
|
|
||||||
variables:
|
|
||||||
- &molecule_base
|
|
||||||
image: quay.io/thegeeklab/molecule:6
|
|
||||||
group: molecule
|
|
||||||
secrets:
|
|
||||||
- source: molecule_hcloud_token
|
|
||||||
target: HCLOUD_TOKEN
|
|
||||||
environment:
|
|
||||||
PY_COLORS: "1"
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: molecule-default
|
|
||||||
<<: *molecule_base
|
|
||||||
commands:
|
|
||||||
- molecule test -s default
|
|
||||||
|
|
||||||
depends_on:
|
|
||||||
- lint
|
|
21
LICENSE
21
LICENSE
|
@ -1,21 +0,0 @@
|
||||||
MIT License
|
|
||||||
|
|
||||||
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
|
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
of this software and associated documentation files (the "Software"), to deal
|
|
||||||
in the Software without restriction, including without limitation the rights
|
|
||||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
copies of the Software, and to permit persons to whom the Software is furnished
|
|
||||||
to do so, subject to the following conditions:
|
|
||||||
|
|
||||||
The above copyright notice and this permission notice (including the next
|
|
||||||
paragraph) shall be included in all copies or substantial portions of the
|
|
||||||
Software.
|
|
||||||
|
|
||||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
|
||||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
|
|
||||||
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
|
||||||
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
|
|
||||||
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
@ -1,61 +0,0 @@
|
||||||
---
|
|
||||||
sshd_protocol: 2
|
|
||||||
sshd_permit_root_login: "yes"
|
|
||||||
sshd_permit_empty_passwords: "no"
|
|
||||||
sshd_password_authentication: "no"
|
|
||||||
sshd_gssapi_authentication: "no"
|
|
||||||
sshd_strict_modes: "yes"
|
|
||||||
sshd_allow_groups: []
|
|
||||||
sshd_ignore_rhosts: "yes"
|
|
||||||
sshd_hostbased_authentication: "no"
|
|
||||||
sshd_client_alive_interval: 900
|
|
||||||
sshd_client_alive_count_max: 0
|
|
||||||
|
|
||||||
sshd_ciphers:
|
|
||||||
- chacha20-poly1305@openssh.com
|
|
||||||
- aes256-gcm@openssh.com
|
|
||||||
- aes128-gcm@openssh.com
|
|
||||||
- aes256-ctr
|
|
||||||
- aes192-ctr
|
|
||||||
- aes128-ctr
|
|
||||||
|
|
||||||
sshd_kex:
|
|
||||||
- curve25519-sha256@libssh.org
|
|
||||||
- diffie-hellman-group-exchange-sha256
|
|
||||||
|
|
||||||
sshd_moduli_minimum: 2048
|
|
||||||
|
|
||||||
sshd_macs:
|
|
||||||
- hmac-sha2-512-etm@openssh.com
|
|
||||||
- hmac-sha2-256-etm@openssh.com
|
|
||||||
- umac-128-etm@openssh.com
|
|
||||||
- hmac-sha2-512
|
|
||||||
- hmac-sha2-256
|
|
||||||
- umac-128@openssh.com
|
|
||||||
|
|
||||||
sshd_allow_agent_forwarding: "no"
|
|
||||||
sshd_x11_forwarding: "yes"
|
|
||||||
sshd_allow_tcp_forwarding: "yes"
|
|
||||||
sshd_compression: delayed
|
|
||||||
sshd_log_level: INFO
|
|
||||||
sshd_max_auth_tries: 6
|
|
||||||
sshd_max_sessions: 10
|
|
||||||
sshd_tcp_keep_alive: "yes"
|
|
||||||
sshd_use_dns: "no"
|
|
||||||
sshd_login_grace_time: 60
|
|
||||||
sshd_max_startups: "10:30:60"
|
|
||||||
|
|
||||||
sshd_crypto_policy_enabled: True
|
|
||||||
|
|
||||||
# @var sshd_challenge_response_authentication:description: >
|
|
||||||
# If you disable password auth you should disable ChallengeResponseAuth also.
|
|
||||||
# @end
|
|
||||||
sshd_challenge_response_authentication: "no"
|
|
||||||
|
|
||||||
# @var sshd_google_auth_enabled:description: >
|
|
||||||
# Google Authenticator required ChallengeResponseAuth!
|
|
||||||
# @end
|
|
||||||
sshd_google_auth_enabled: False
|
|
||||||
# @var sshd_google_auth_exclude_group:description: Exclude a group from 2FA auth
|
|
||||||
# @var sshd_google_auth_exclude_group:example: $ "my_group"
|
|
||||||
# @var sshd_google_auth_exclude_group: $ "_unset_"
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart ssh server
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: sshd
|
|
||||||
state: restarted
|
|
||||||
listen: __sshd_restart
|
|
|
@ -1,13 +1,14 @@
|
||||||
# xoxys.sshd
|
---
|
||||||
|
title: sshd
|
||||||
|
type: docs
|
||||||
|
---
|
||||||
|
|
||||||
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
|
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.sshd) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.sshd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.sshd) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
|
||||||
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
|
|
||||||
|
|
||||||
Configure sshd server.
|
Configure sshd server.
|
||||||
|
|
||||||
## Table of content
|
<!--more-->
|
||||||
|
|
||||||
- [Requirements](#requirements)
|
|
||||||
- [Default Variables](#default-variables)
|
- [Default Variables](#default-variables)
|
||||||
- [sshd_allow_agent_forwarding](#sshd_allow_agent_forwarding)
|
- [sshd_allow_agent_forwarding](#sshd_allow_agent_forwarding)
|
||||||
- [sshd_allow_groups](#sshd_allow_groups)
|
- [sshd_allow_groups](#sshd_allow_groups)
|
||||||
|
@ -40,15 +41,9 @@ Configure sshd server.
|
||||||
- [sshd_use_dns](#sshd_use_dns)
|
- [sshd_use_dns](#sshd_use_dns)
|
||||||
- [sshd_x11_forwarding](#sshd_x11_forwarding)
|
- [sshd_x11_forwarding](#sshd_x11_forwarding)
|
||||||
- [Dependencies](#dependencies)
|
- [Dependencies](#dependencies)
|
||||||
- [License](#license)
|
|
||||||
- [Author](#author)
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Requirements
|
|
||||||
|
|
||||||
- Minimum Ansible version: `2.10`
|
|
||||||
|
|
||||||
## Default Variables
|
## Default Variables
|
||||||
|
|
||||||
### sshd_allow_agent_forwarding
|
### sshd_allow_agent_forwarding
|
||||||
|
@ -317,14 +312,8 @@ sshd_use_dns: no
|
||||||
sshd_x11_forwarding: yes
|
sshd_x11_forwarding: yes
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
|
|
||||||
None.
|
None.
|
||||||
|
|
||||||
## License
|
|
||||||
|
|
||||||
MIT
|
|
||||||
|
|
||||||
## Author
|
|
||||||
|
|
||||||
[Robert Kaussow](https://gitea.rknet.org/xoxys)
|
|
|
@ -1,26 +0,0 @@
|
||||||
---
|
|
||||||
galaxy_info:
|
|
||||||
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
|
|
||||||
author: Robert Kaussow <mail@thegeeklab.de>
|
|
||||||
namespace: xoxys
|
|
||||||
role_name: sshd
|
|
||||||
# @meta description: >
|
|
||||||
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
|
|
||||||
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
|
|
||||||
#
|
|
||||||
# Configure sshd server.
|
|
||||||
# @end
|
|
||||||
description: Configure sshd server
|
|
||||||
license: MIT
|
|
||||||
min_ansible_version: "2.10"
|
|
||||||
platforms:
|
|
||||||
- name: EL
|
|
||||||
versions:
|
|
||||||
- "9"
|
|
||||||
galaxy_tags:
|
|
||||||
- sshd
|
|
||||||
- security
|
|
||||||
dependencies: []
|
|
||||||
collections:
|
|
||||||
- xoxys.general
|
|
||||||
- community.general
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- name: Converge
|
|
||||||
hosts: all
|
|
||||||
roles:
|
|
||||||
- role: xoxys.sshd
|
|
|
@ -1,17 +0,0 @@
|
||||||
---
|
|
||||||
driver:
|
|
||||||
name: molecule_hetznercloud
|
|
||||||
dependency:
|
|
||||||
name: galaxy
|
|
||||||
options:
|
|
||||||
role-file: molecule/requirements.yml
|
|
||||||
requirements-file: molecule/requirements.yml
|
|
||||||
platforms:
|
|
||||||
- name: "rocky9-sshd"
|
|
||||||
server_type: "cx11"
|
|
||||||
image: "rocky-9"
|
|
||||||
provisioner:
|
|
||||||
name: ansible
|
|
||||||
log: False
|
|
||||||
verifier:
|
|
||||||
name: testinfra
|
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
- name: Prepare
|
|
||||||
hosts: all
|
|
||||||
gather_facts: False
|
|
||||||
tasks:
|
|
||||||
- name: Bootstrap Python for Ansible
|
|
||||||
ansible.builtin.raw: |
|
|
||||||
command -v python3 python ||
|
|
||||||
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
|
||||||
echo "Warning: Python not boostrapped due to unknown platform.")
|
|
||||||
changed_when: False
|
|
|
@ -1,16 +0,0 @@
|
||||||
import os
|
|
||||||
|
|
||||||
import testinfra.utils.ansible_runner
|
|
||||||
|
|
||||||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
|
||||||
os.environ["MOLECULE_INVENTORY_FILE"]
|
|
||||||
).get_hosts("all")
|
|
||||||
|
|
||||||
|
|
||||||
def test_sshd_config_file(host):
|
|
||||||
sshd = host.file("/etc/ssh/sshd_config")
|
|
||||||
|
|
||||||
assert sshd.exists
|
|
||||||
assert sshd.user == "root"
|
|
||||||
assert sshd.group == "root"
|
|
||||||
assert sshd.mode == 0o600
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
collections: []
|
|
||||||
|
|
||||||
roles: []
|
|
|
@ -1,17 +0,0 @@
|
||||||
[tool.ruff]
|
|
||||||
exclude = [".git", "__pycache__"]
|
|
||||||
|
|
||||||
line-length = 99
|
|
||||||
indent-width = 4
|
|
||||||
|
|
||||||
[tool.ruff.lint]
|
|
||||||
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
|
|
||||||
select = ["F", "E", "I", "W", "S"]
|
|
||||||
|
|
||||||
[tool.ruff.format]
|
|
||||||
quote-style = "double"
|
|
||||||
indent-style = "space"
|
|
||||||
line-ending = "lf"
|
|
||||||
|
|
||||||
[tool.pytest.ini_options]
|
|
||||||
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]
|
|
|
@ -1,12 +0,0 @@
|
||||||
---
|
|
||||||
- ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
|
|
||||||
vars:
|
|
||||||
params:
|
|
||||||
files:
|
|
||||||
- "ssh_{{ ansible_lsb.id | default('') | lower }}.yml"
|
|
||||||
- "ssh_{{ ansible_os_family | lower }}.yml"
|
|
||||||
- "ssh_default.yml"
|
|
||||||
paths:
|
|
||||||
- "tasks"
|
|
||||||
- ansible.builtin.include_tasks: ssh_2fa.yml
|
|
||||||
when: sshd_google_auth_enabled | bool
|
|
|
@ -1,39 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install google authenticator PAM module
|
|
||||||
ansible.builtin.package:
|
|
||||||
name: google-authenticator
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Add google auth module to PAM
|
|
||||||
community.general.pamd:
|
|
||||||
name: sshd
|
|
||||||
type: account
|
|
||||||
control: required
|
|
||||||
module_path: pam_nologin.so
|
|
||||||
new_type: auth
|
|
||||||
new_control: required
|
|
||||||
new_module_path: pam_google_authenticator.so
|
|
||||||
state: before
|
|
||||||
|
|
||||||
- name: Skip google auth for specific group
|
|
||||||
community.general.pamd:
|
|
||||||
name: sshd
|
|
||||||
type: auth
|
|
||||||
control: required
|
|
||||||
module_path: pam_google_authenticator.so
|
|
||||||
new_type: auth
|
|
||||||
new_control: "[success=done default=ignore]"
|
|
||||||
new_module_path: pam_succeed_if.so
|
|
||||||
module_arguments:
|
|
||||||
- user
|
|
||||||
- ingroup
|
|
||||||
- "{{ sshd_google_auth_exclude_group }}"
|
|
||||||
state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
|
|
||||||
|
|
||||||
- name: Remove password auth from PAM
|
|
||||||
community.general.pamd:
|
|
||||||
name: sshd
|
|
||||||
type: auth
|
|
||||||
control: substack
|
|
||||||
module_path: password-auth
|
|
||||||
state: absent
|
|
|
@ -1,41 +0,0 @@
|
||||||
---
|
|
||||||
- name: Gather package facts
|
|
||||||
ansible.builtin.package_facts:
|
|
||||||
check_mode: False
|
|
||||||
|
|
||||||
- name: Hardening sshd config
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: etc/ssh/sshd_config.j2
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0600"
|
|
||||||
notify: __sshd_restart
|
|
||||||
|
|
||||||
- name: Check if /etc/ssh/moduli contains weak DH parameters
|
|
||||||
ansible.builtin.shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
|
|
||||||
register: __sshd_register_moduli
|
|
||||||
changed_when: False
|
|
||||||
check_mode: False
|
|
||||||
|
|
||||||
- name: Remove all small primes
|
|
||||||
ansible.builtin.shell:
|
|
||||||
awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
|
||||||
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
|
||||||
notify: __sshd_restart
|
|
||||||
when: __sshd_register_moduli.stdout
|
|
||||||
|
|
||||||
- name: Create SSH usergroup
|
|
||||||
ansible.builtin.group:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
loop: "{{ sshd_allow_groups }}"
|
|
||||||
|
|
||||||
- name: Configure SSH crypto policy usage
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: etc/sysconfig/sshd.j2
|
|
||||||
dest: /etc/sysconfig/sshd
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0640"
|
|
||||||
when: ('crypto-policies' in ansible_facts.packages)
|
|
|
@ -1,46 +0,0 @@
|
||||||
---
|
|
||||||
- name: Hardening sshd config
|
|
||||||
ucr:
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
value: "{{ item.value }}"
|
|
||||||
loop:
|
|
||||||
- path: sshd/permitroot
|
|
||||||
value: "{{ sshd_permit_root_login | default('') }}"
|
|
||||||
- path: sshd/PermitEmptyPasswords
|
|
||||||
value: "{{ sshd_permit_empty_passwords | default('') }}"
|
|
||||||
- path: sshd/permitroot
|
|
||||||
value: "{{ sshd_permit_root_login | default('') }}"
|
|
||||||
- path: sshd/passwordauthentication
|
|
||||||
value: "{{ sshd_password_authentication | default('') }}"
|
|
||||||
- path: sshd/challengeresponse
|
|
||||||
value: "{{ sshd_password_authentication | default('') }}"
|
|
||||||
- path: sshd/IgnoreRhosts
|
|
||||||
value: "{{ sshd_ignore_rhosts | default('') }}"
|
|
||||||
- path: sshd/HostbasedAuthentication
|
|
||||||
value: "{{ sshd_hostbased_authentication | default('') }}"
|
|
||||||
- path: sshd/ClientAliveInterval
|
|
||||||
value: "{{ sshd_client_alive_interval | default('') }}"
|
|
||||||
- path: sshd/ClientAliveCountMax
|
|
||||||
value: "{{ sshd_client_alive_count_max | default('') }}"
|
|
||||||
- path: sshd/Ciphers
|
|
||||||
value: "{{ sshd_ciphers | default('[]') | join(',') }}"
|
|
||||||
- path: sshd/KexAlgorithms
|
|
||||||
value: "{{ sshd_kex | default('[]') | join(',') }}"
|
|
||||||
- path: sshd/MACs
|
|
||||||
value: "{{ sshd_macs | default('[]') | join(',') }}"
|
|
||||||
loop_control:
|
|
||||||
label: "variable: {{ item.path }}={{ item.value }}"
|
|
||||||
notify: __sshd_restart
|
|
||||||
|
|
||||||
- name: Set allowed ssh groups
|
|
||||||
ucr:
|
|
||||||
path: "auth/sshd/group/{{ item }}"
|
|
||||||
value: "yes"
|
|
||||||
loop: "{{ sshd_allow_groups }}"
|
|
||||||
|
|
||||||
- name: Create SSH Usergroup
|
|
||||||
ansible.builtin.group:
|
|
||||||
name: "{{ item }}"
|
|
||||||
system: "yes"
|
|
||||||
state: present
|
|
||||||
loop: "{{ sshd_allow_groups }}"
|
|
|
@ -1,166 +0,0 @@
|
||||||
#jinja2: lstrip_blocks: True
|
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# This is the sshd server system-wide configuration file.
|
|
||||||
# See sshd_config(5) for more information.
|
|
||||||
|
|
||||||
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
|
||||||
|
|
||||||
# The strategy used for options in the default sshd_config shipped with
|
|
||||||
# OpenSSH is to specify options with their default value where
|
|
||||||
# possible, but leave them commented. Uncommented options override the
|
|
||||||
# default value.
|
|
||||||
|
|
||||||
# If you want to change the port on a SELinux system, you have to tell
|
|
||||||
# SELinux about this change.
|
|
||||||
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
|
||||||
#
|
|
||||||
#Port 22
|
|
||||||
#AddressFamily any
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
{% if ansible_os_family | lower == "redhat" and ansible_distribution_major_version is version('8', '<') %}
|
|
||||||
|
|
||||||
Protocol {{ sshd_protocol }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
|
||||||
#RekeyLimit default none
|
|
||||||
|
|
||||||
{% if sshd_crypto_policy_enabled | bool %}
|
|
||||||
# This system is following system-wide crypto policy. The changes to
|
|
||||||
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
|
|
||||||
# They will be overridden by command-line options passed to the server
|
|
||||||
# on command line.
|
|
||||||
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
|
|
||||||
{% else %}
|
|
||||||
Ciphers {{ sshd_ciphers | join(',') }}
|
|
||||||
KexAlgorithms {{ sshd_kex | join(',') }}
|
|
||||||
MACs {{ sshd_macs | join(',') }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
SyslogFacility AUTHPRIV
|
|
||||||
LogLevel {{ sshd_log_level }}
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
LoginGraceTime {{ sshd_login_grace_time }}
|
|
||||||
PermitRootLogin {{ sshd_permit_root_login }}
|
|
||||||
StrictModes {{ sshd_strict_modes }}
|
|
||||||
{% if sshd_allow_groups %}
|
|
||||||
AllowGroups {{ sshd_allow_groups|join(',') }}
|
|
||||||
{% endif %}
|
|
||||||
MaxAuthTries {{ sshd_max_auth_tries }}
|
|
||||||
MaxSessions {{ sshd_max_sessions }}
|
|
||||||
|
|
||||||
#PubkeyAuthentication yes
|
|
||||||
|
|
||||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
|
||||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
|
||||||
AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
|
|
||||||
#AuthorizedPrincipalsFile none
|
|
||||||
|
|
||||||
#AuthorizedKeysCommand none
|
|
||||||
#AuthorizedKeysCommandUser nobody
|
|
||||||
|
|
||||||
HostbasedAuthentication {{ sshd_hostbased_authentication }}
|
|
||||||
#IgnoreUserKnownHosts no
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
||||||
IgnoreRhosts {{ sshd_ignore_rhosts }}
|
|
||||||
|
|
||||||
{% if sshd_google_auth_enabled %}
|
|
||||||
# Force public key auth then ask for google auth code
|
|
||||||
AuthenticationMethods publickey,keyboard-interactive
|
|
||||||
|
|
||||||
{% endif %}
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
PasswordAuthentication {{ sshd_password_authentication }}
|
|
||||||
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
|
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
|
||||||
ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }}
|
|
||||||
|
|
||||||
# Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
#KerberosOrLocalPasswd yes
|
|
||||||
#KerberosTicketCleanup yes
|
|
||||||
#KerberosGetAFSToken no
|
|
||||||
#KerberosUseKuserok yes
|
|
||||||
|
|
||||||
# GSSAPI options
|
|
||||||
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
|
|
||||||
GSSAPICleanupCredentials no
|
|
||||||
#GSSAPIStrictAcceptorCheck yes
|
|
||||||
#GSSAPIKeyExchange no
|
|
||||||
#GSSAPIEnablek5users no
|
|
||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
# be allowed through the ChallengeResponseAuthentication and
|
|
||||||
# PasswordAuthentication. Depending on your PAM configuration,
|
|
||||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
||||||
# the setting of "PermitRootLogin without-password".
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
# WARNING: 'UsePAM no' is not supported on RH based systems and may
|
|
||||||
# cause several problems.
|
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
|
|
||||||
AllowTcpForwarding {{ sshd_allow_tcp_forwarding }}
|
|
||||||
#GatewayPorts no
|
|
||||||
X11Forwarding {{ sshd_x11_forwarding }}
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
{% if ansible_os_family | lower == "redhat" and ansible_distribution_major_version is version('7', '>') %}
|
|
||||||
PrintMotd no
|
|
||||||
{% endif %}
|
|
||||||
#PrintLastLog no
|
|
||||||
TCPKeepAlive {{ sshd_tcp_keep_alive }}
|
|
||||||
#UseLogin no
|
|
||||||
{% if ansible_os_family | lower == "redhat" and ansible_distribution_major_version is version('8', '<') %}
|
|
||||||
UsePrivilegeSeparation sandbox
|
|
||||||
{% endif %}
|
|
||||||
#PermitUserEnvironment no
|
|
||||||
Compression {{ sshd_compression }}
|
|
||||||
ClientAliveInterval {{ sshd_client_alive_interval }}
|
|
||||||
ClientAliveCountMax {{ sshd_client_alive_count_max }}
|
|
||||||
UseDNS {{ sshd_use_dns }}
|
|
||||||
#PidFile /var/run/sshd.pid
|
|
||||||
MaxStartups {{ sshd_max_startups }}
|
|
||||||
#PermitTunnel no
|
|
||||||
#ChrootDirectory none
|
|
||||||
#VersionAddendum none
|
|
||||||
|
|
||||||
# no default banner path
|
|
||||||
#Banner none
|
|
||||||
|
|
||||||
# Accept locale-related environment variables
|
|
||||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
AcceptEnv XMODIFIERS
|
|
||||||
|
|
||||||
# override default of no subsystems
|
|
||||||
Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
||||||
|
|
||||||
# Example of overriding settings on a per-user basis
|
|
||||||
#Match User anoncvs
|
|
||||||
# X11Forwarding no
|
|
||||||
# AllowTcpForwarding no
|
|
||||||
# PermitTTY no
|
|
||||||
# ForceCommand cvs server
|
|
||||||
|
|
||||||
{% if sshd_google_auth_exclude_group is defined %}
|
|
||||||
Match User {{ sshd_google_auth_exclude_group }}
|
|
||||||
AuthenticationMethods publickey
|
|
||||||
{% endif %}
|
|
|
@ -1,21 +0,0 @@
|
||||||
#jinja2: lstrip_blocks: True
|
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# Configuration file for the sshd service.
|
|
||||||
|
|
||||||
# The server keys are automatically generated if they are missing.
|
|
||||||
# To change the automatic creation, adjust sshd.service options for
|
|
||||||
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
|
||||||
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
|
||||||
# creation.
|
|
||||||
|
|
||||||
# Do not change this option unless you have hardware random
|
|
||||||
# generator and you REALLY know what you are doing
|
|
||||||
|
|
||||||
SSH_USE_STRONG_RNG=0
|
|
||||||
# SSH_USE_STRONG_RNG=1
|
|
||||||
{% if not sshd_crypto_policy_enabled | bool %}
|
|
||||||
|
|
||||||
# Disable system-wide crypto policy
|
|
||||||
CRYPTO_POLICY=
|
|
||||||
{% endif %}
|
|
Loading…
Reference in New Issue