diff options
Diffstat (limited to 'roles/core/sshd/base')
-rw-r--r-- | roles/core/sshd/base/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/core/sshd/base/handlers/main.yml | 5 | ||||
-rw-r--r-- | roles/core/sshd/base/tasks/main.yml | 71 | ||||
-rw-r--r-- | roles/core/sshd/base/vars/Debian.yml | 3 | ||||
-rw-r--r-- | roles/core/sshd/base/vars/OpenBSD.yml | 2 |
5 files changed, 83 insertions, 0 deletions
diff --git a/roles/core/sshd/base/defaults/main.yml b/roles/core/sshd/base/defaults/main.yml new file mode 100644 index 00000000..50cc0f15 --- /dev/null +++ b/roles/core/sshd/base/defaults/main.yml @@ -0,0 +1,2 @@ +--- +sshd_allow_any_user: false diff --git a/roles/core/sshd/base/handlers/main.yml b/roles/core/sshd/base/handlers/main.yml new file mode 100644 index 00000000..ea76595a --- /dev/null +++ b/roles/core/sshd/base/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart ssh + service: + name: "{{ sshd_service_name }}" + state: restarted diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml new file mode 100644 index 00000000..d7524ef7 --- /dev/null +++ b/roles/core/sshd/base/tasks/main.yml @@ -0,0 +1,71 @@ +--- +- name: load os/distrubtion/version specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + +- name: hardening ssh-server config + vars: + sshd_options: + IgnoreRhosts: "yes" + PermitRootLogin: "without-password" + PubkeyAuthentication: "yes" + HostbasedAuthentication: "no" + PermitEmptyPasswords: "no" + UseDNS: "no" + loop: "{{ sshd_options | dict2items }}" + loop_control: + label: "{{ item.key }} = {{ item.value }}" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^#?\\s*{{ item.key }}\\s" + line: "{{ item.key }} {{ item.value }}" + insertbefore: '^### ansible core/sshd/base config barrier ###' + notify: restart ssh + +- name: limit allowed users + when: not sshd_allow_any_user | bool + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers\\s" + line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}" + insertbefore: '^### ansible core/sshd/base config barrier ###' + notify: restart ssh + +- name: allow any user + when: sshd_allow_any_user | bool + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers\\s" + state: absent + notify: restart ssh + +- name: install config barriers for other roles to use + loop: + - line: "### ansible core/sshd/base config barrier ###" + insertbefore: "### ansible core/sshd config barrier ###" + - line: "### ansible core/sshd config barrier ###" + insertafter: "### ansible core/sshd/base config barrier ###" + loop_control: + label: "{{ item.line }}" + lineinfile: + dest: /etc/ssh/sshd_config + line: "{{ item.line }}" + insertbefore: "{{ item.insertbefore | default(omit) }}" + insertafter: "{{ item.insertafter | default(omit) }}" + notify: restart ssh + +- name: install ssh keys for root + authorized_key: + user: root + key: "{{ ssh_keys_root | union(ssh_keys_root_extra) | join('\n') }}" + exclusive: yes + +- name: delete root password + when: sshd_disabled_password is defined + user: + name: root + password: "{{ sshd_disabled_password }}" diff --git a/roles/core/sshd/base/vars/Debian.yml b/roles/core/sshd/base/vars/Debian.yml new file mode 100644 index 00000000..abbccabc --- /dev/null +++ b/roles/core/sshd/base/vars/Debian.yml @@ -0,0 +1,3 @@ +--- +sshd_service_name: ssh +sshd_disabled_password: '!' diff --git a/roles/core/sshd/base/vars/OpenBSD.yml b/roles/core/sshd/base/vars/OpenBSD.yml new file mode 100644 index 00000000..abdaf180 --- /dev/null +++ b/roles/core/sshd/base/vars/OpenBSD.yml @@ -0,0 +1,2 @@ +--- +sshd_service_name: sshd |