-rw-r--r-- | inventory/host_vars/calypso.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/dione.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/helene.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/sk2013.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/sk2016.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/telesto.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/thetys.yml | 2 | ||||
-rw-r--r-- | roles/sshserver/tasks/main.yml | 22 |
8 files changed, 19 insertions, 17 deletions
diff --git a/inventory/host_vars/calypso.yml b/inventory/host_vars/calypso.yml
index ff853586..8105a76b 100644
--- a/inventory/host_vars/calypso.yml
+++ b/inventory/host_vars/calypso.yml
@@ -7,4 +7,4 @@ base_packages_extra_host:
 admin_user_host:
 - "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
diff --git a/inventory/host_vars/dione.yml b/inventory/host_vars/dione.yml
index 75b289c2..0470b8b7 100644
--- a/inventory/host_vars/dione.yml
+++ b/inventory/host_vars/dione.yml
@@ -7,7 +7,7 @@ base_packages_extra_host:
 admin_user_host:
 - "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
 docker_lvm:
 vg: dione
diff --git a/inventory/host_vars/helene.yml b/inventory/host_vars/helene.yml
index b40fb069..3b01b589 100644
--- a/inventory/host_vars/helene.yml
+++ b/inventory/host_vars/helene.yml
@@ -7,7 +7,7 @@ base_packages_extra_host:
 admin_user_host:
 - "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
 docker_lvm:
 vg: helene
diff --git a/inventory/host_vars/sk2013.yml b/inventory/host_vars/sk2013.yml
index c1bf2728..21e2b29a 100644
--- a/inventory/host_vars/sk2013.yml
+++ b/inventory/host_vars/sk2013.yml
@@ -1,5 +1,5 @@
 ---
-sshserver_allowusers_host:
+ssh_allowusers_host:
 - backuppc
 - equinox
 - dan
diff --git a/inventory/host_vars/sk2016.yml b/inventory/host_vars/sk2016.yml
index 73e59d75..d6bd5ae5 100644
--- a/inventory/host_vars/sk2016.yml
+++ b/inventory/host_vars/sk2016.yml
@@ -1,5 +1,5 @@
 ---
-sshserver_allowusers_host:
+ssh_allowusers_host:
 - backuppc
 - equinox
 - dan
diff --git a/inventory/host_vars/telesto.yml b/inventory/host_vars/telesto.yml
index ff853586..8105a76b 100644
--- a/inventory/host_vars/telesto.yml
+++ b/inventory/host_vars/telesto.yml
@@ -7,4 +7,4 @@ base_packages_extra_host:
 admin_user_host:
 - "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
diff --git a/inventory/host_vars/thetys.yml b/inventory/host_vars/thetys.yml
index ff853586..8105a76b 100644
--- a/inventory/host_vars/thetys.yml
+++ b/inventory/host_vars/thetys.yml
@@ -7,4 +7,4 @@ base_packages_extra_host:
 admin_user_host:
 - "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
diff --git a/roles/sshserver/tasks/main.yml b/roles/sshserver/tasks/main.yml
index cd4c5043..e638905b 100644
--- a/roles/sshserver/tasks/main.yml
+++ b/roles/sshserver/tasks/main.yml
@@ -6,24 +6,26 @@
 - name: hardening ssh-server config
 lineinfile:
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
+ regexp: "^#?\\s*{{ item.key }}"
+ line: "{{ item.key }} {{ item.value }}"
 dest: /etc/ssh/sshd_config
 mode: 0644
- with_items:
- - { regexp: "^#?\\s*IgnoreRhosts", line: "IgnoreRhosts yes" }
- - { regexp: "^#?\\s*PermitRootLogin", line: "PermitRootLogin without-password" }
- - { regexp: "^#?\\s*PubkeyAuthentication", line: "PubkeyAuthentication yes" }
- - { regexp: "^#?\\s*HostbasedAuthentication", line: "HostbasedAuthentication no" }
- - { regexp: "^#?\\s*PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
- - { regexp: "^#?\\s*UseDNS", line: "UseDNS no" }
+ with_dict:
+ IgnoreRhosts: "yes"
+ PermitRootLogin: "without-password"
+ PubkeyAuthentication: "yes"
+ HostbasedAuthentication: "no"
+ PermitEmptyPasswords: "no"
+ UseDNS: "no"
+ loop_control:
+ label: "{{ item.key }}"
 notify: restart ssh
 - name: limit allowed users
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^AllowUsers"
- line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshserver_allowusers_group | default([])) | union(sshserver_allowusers_host | default([]))) }}"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
 notify: restart ssh
 - name: install ssh keys for root |
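Review bot: The rename to `ssh_allowusers_group` / `ssh_allowusers_host` in the `limit allowed users` line fails silently: both lookups are wrapped in `| default([])`, so any inventory that still sets the old `sshserver_allowusers_group` name (no group_vars are touched in this diff, only host_vars) will quietly drop those users from `AllowUsers` on the next run and lock them out rather than failing the play. Before merging, either grep the inventory for the old names or add a guard ahead of this task, e.g. `- assert: { that: "sshserver_allowusers_group is not defined and sshserver_allowusers_host is not defined" }`, so a stale variable aborts the run instead of narrowing access. Separately, the new `PermitRootLogin: "without-password"` entry keeps the pre-OpenSSH-7.0 spelling; `prohibit-password` is the current name and `without-password` survives only as an alias, so a comment such as `# "without-password" == "prohibit-password" (alias kept for older sshd)` next to it would help the next reader. The `install ssh keys for root` task continues past the end of the hunk.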