authorChristian Pointner <equinox@spreadspace.org>2021-04-13 01:26:11 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-04-13 01:26:11 +0200
commit8accaf3930a4c009b22c9c040580e54e1eb096e8 (patch)
treeeb375733718f5ade9bf3b8b54ab997e8fdf31698
parentupgrade collabora and nextcloud (diff)
sshd: disable password auth by default
-rw-r--r--inventory/host_vars/ch-equinox-t450s.yml2
-rw-r--r--inventory/host_vars/ch-equinox-ws.yml2
-rw-r--r--inventory/host_vars/ch-jump.yml1
-rw-r--r--roles/core/sshd/base/defaults/main.yml8
-rw-r--r--roles/core/sshd/base/tasks/main.yml27
5 files changed, 39 insertions, 1 deletions
diff --git a/inventory/host_vars/ch-equinox-t450s.yml b/inventory/host_vars/ch-equinox-t450s.yml
index 411ac061..e86b4660 100644
--- a/inventory/host_vars/ch-equinox-t450s.yml
+++ b/inventory/host_vars/ch-equinox-t450s.yml
@@ -25,6 +25,8 @@ network:
base_modules_blacklist: "{{ base_modules_blacklist_none }}"
+sshd_password_auth: yes
+
zsh_banner: equinox
admin_users_host:
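Review bot: The added `sshd_password_auth: yes` uses the YAML 1.1 truthy spelling, while the role's defaults in this same commit write the flag as `sshd_password_auth: false`; for consistency and to keep yamllint's truthy rule quiet, write it as `sshd_password_auth: true`. Ansible's loader reads `yes` as a boolean, but a YAML 1.2 parser or schema tool would see the string "yes", which still happens to be truthy when passed through `ternary` but is not the same value. The same line is added in the ch-equinox-ws.yml hunk below and should be changed there too.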
diff --git a/inventory/host_vars/ch-equinox-ws.yml b/inventory/host_vars/ch-equinox-ws.yml
index cb21940f..6b36ae1a 100644
--- a/inventory/host_vars/ch-equinox-ws.yml
+++ b/inventory/host_vars/ch-equinox-ws.yml
@@ -50,6 +50,8 @@ network:
base_modules_blacklist: "{{ base_modules_blacklist_none }}"
+sshd_password_auth: yes
+
zsh_banner: equinox
admin_users_host:
diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index db54c6bb..5c041670 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -37,6 +37,7 @@ network:
- name: mgmt0
address: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
+
sshd_jump_users:
equinox:
authorized_keys: "{{ users.equinox.ssh }}"
diff --git a/roles/core/sshd/base/defaults/main.yml b/roles/core/sshd/base/defaults/main.yml
index 50cc0f15..235f3962 100644
--- a/roles/core/sshd/base/defaults/main.yml
+++ b/roles/core/sshd/base/defaults/main.yml
@@ -1,2 +1,10 @@
---
+sshd_allowusers_host: []
+sshd_allowusers_group: []
sshd_allow_any_user: false
+
+sshd_allowgroups_host: []
+sshd_allowgroups_group: []
+sshd_allow_any_group: true
+
+sshd_password_auth: false
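Review bot: The new defaults are undocumented, and the two allow-lists have opposite default postures (users restricted by `sshd_allow_any_user: false`, groups open by `sshd_allow_any_group: true`) without a comment saying that asymmetry is intended. A reader of this file also cannot tell that, per tasks/main.yml in this commit, `sshd_allow_any_group: true` removes any AllowGroups line while `false` asserts that `sshd_allowgroups_group` and `sshd_allowgroups_host` together contain at least one entry and writes their union. Suggest a comment above each pair such as `# merged with union(); with sshd_allow_any_group: false at least one entry is required` and above the last key `# false => PasswordAuthentication no (default); hosts opt in via host_vars`. The `_host`/`_group` split for users presumably mirrors the group handling, but that task is outside this diff, so confirm before documenting it the same way.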
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
index e5c9f6a7..cf5862fa 100644
--- a/roles/core/sshd/base/tasks/main.yml
+++ b/roles/core/sshd/base/tasks/main.yml
@@ -14,6 +14,7 @@
PermitRootLogin: "without-password"
PubkeyAuthentication: "yes"
HostbasedAuthentication: "no"
+ PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"
PermitEmptyPasswords: "no"
UseDNS: "no"
loop: "{{ sshd_options | dict2items }}"
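Review bot: The added PasswordAuthentication line feeds `sshd_password_auth` straight into `ternary`, so a string value such as the "false" or "no" that `-e sshd_password_auth=false` or a string-typed host var would produce is truthy in Jinja and silently renders `PasswordAuthentication yes`. The other new tasks in this commit already coerce with `| bool`; do the same here: `PasswordAuthentication: "{{ sshd_password_auth | bool | ternary('yes', 'no') }}"`. Note also that neither KbdInteractiveAuthentication nor ChallengeResponseAuthentication is in the managed option set, so on distributions whose shipped sshd_config leaves those enabled, PAM keyboard-interactive password prompts may still be possible after this change; worth verifying on a target host. The enclosing task and its sshd_options dict begin before this hunk.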
@@ -21,7 +22,7 @@
label: "{{ item.key }} = {{ item.value }}"
lineinfile:
dest: /etc/ssh/sshd_config
- regexp: "^#?\\s*{{ item.key }}\\s"
+ regexp: "^(#\\s*)?{{ item.key }}\\s"
line: "{{ item.key }} {{ item.value }}"
insertbefore: '^### ansible core/sshd/base config barrier ###'
notify: restart ssh
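Review bot: The new regexp `^(#\\s*)?{{ item.key }}\\s` matches only the exact capitalisation of the key, but sshd_config keywords are case-insensitive and sshd honours the first occurrence of a keyword; if a distribution or earlier tooling left e.g. `passwordauthentication yes` above the barrier, that line is not replaced and the managed line inserted before the barrier may be ignored. Python's regex engine accepts an inline flag, so `regexp: "(?i)^(#\\s*)?{{ item.key }}\\s"` closes that gap without other changes. This is an edge case rather than a confirmed defect on the current hosts, so it is hedged; the lineinfile task this hunk belongs to starts above the hunk.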
@@ -43,6 +44,30 @@
state: absent
notify: restart ssh
+- name: limit allowed groups
+ when: not sshd_allow_any_group | bool
+ block:
+ - name: verify sshd allow-groups are configured
+ assert:
+ that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0
+ msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host
+
+ - name: set AllowGroups option
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host)) }}"
+ insertbefore: '^### ansible core/sshd/base config barrier ###'
+ notify: restart ssh
+
+- name: allow any group
+ when: sshd_allow_any_group | bool
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ state: absent
+ notify: restart ssh
+
- name: install config barriers for other roles to use
loop:
- line: "### ansible core/sshd/base config barrier ###"
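Review bot: The two new lineinfile tasks that add and remove AllowGroups have no `validate:`, so a malformed group list (for example a group name containing whitespace, which the `' '.join` would split into two groups) is written to /etc/ssh/sshd_config and only discovered when the `restart ssh` handler fires, potentially locking out remote access. Adding `validate: '/usr/sbin/sshd -t -f %s'` to the "set AllowGroups option" task (and ideally to the existing option-writing task above this hunk) makes Ansible reject the change before the file is replaced. Separately, the assert message reads `and or`; `msg: Please set sshd_allowgroups_group and/or sshd_allowgroups_host` is clearer.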