---
- name: load os/distrubtion/version specific variables
  # Most-specific candidate wins: the release name (e.g. a codename), then the
  # distribution, then the OS family.  No `skip` is set, so if none of the
  # three files exists the first_found lookup presumably aborts the play,
  # which surfaces an unsupported platform instead of hardening with missing
  # variables (sshd_password_auth and friends have no defaults in this file).
  include_vars: "{{ item }}"
  with_first_found:
  - files:
    - "{{ ansible_distribution_release }}.yml"
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"

- name: install config barriers for other roles to use
  # Two marker comments in sshd_config.  The options written by this role are
  # anchored above the "base" marker; the second marker gives other roles a
  # place to anchor their own edits between the two.  A bare `line` without
  # `regexp` is idempotent: an identical existing line is left alone.
  # On a fresh file the first item's `insertbefore` has no match yet, in which
  # case lineinfile appends at end of file, and the second item then lands
  # right after it.
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "{{ item.line }}"
    # Each item sets exactly one anchor; `omit` drops the unset one.
    insertbefore: "{{ item.insertbefore | default(omit) }}"
    insertafter: "{{ item.insertafter | default(omit) }}"
  loop:
  - line: "### ansible core/sshd/base config barrier ###"
    insertbefore: "### ansible core/sshd config barrier ###"
  - line: "### ansible core/sshd config barrier ###"
    insertafter: "### ansible core/sshd/base config barrier ###"
  loop_control:
    label: "{{ item.line }}"
  notify: restart ssh

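- name: hardening ssh-server config
  # Writes each option above the base barrier, rewriting an existing active or
  # commented-out ("#Key ...") directive in place when one is found.
  # Values are quoted strings on purpose: sshd wants the literal words
  # "yes"/"no"; unquoted they would become YAML booleans and render as
  # True/False.  sshd_password_auth must be defined by the loaded vars, there
  # is no default here.
  vars:
    sshd_options:
      IgnoreRhosts: "yes"
      # Pre-7.0 spelling of "prohibit-password": root may log in with keys
      # (installed further down) but never with a password.
      PermitRootLogin: "without-password"
      PubkeyAuthentication: "yes"
      HostbasedAuthentication: "no"
      PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"
      PermitEmptyPasswords: "no"
      UseDNS: "no"
      # Leading "-" removes the two 64-bit-tag MACs from sshd's default list.
      # That removal syntax only exists on newer OpenSSH; an older sshd appears
      # to reject the line outright, which the validate step below catches.
      MACs: "-umac-64@openssh.com,umac-64-etm@openssh.com"
  loop: "{{ sshd_options | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Matches the active directive or a commented default.  Caveats: the match
    # is case-sensitive while sshd keywords are not, and sshd uses the first
    # value it reads; a differently cased directive earlier in the file, or a
    # drop-in pulled in by an `Include /etc/ssh/sshd_config.d/*.conf` at the
    # top of sshd_config (as some distributions ship), would win over the line
    # written here.  NOTE(review): confirm against the supported releases.
    # lineinfile also rewrites the *last* match, so a directive inside a later
    # `Match` block would be edited there rather than globally.
    regexp: "^(#\\s*)?{{ item.key }}\\s"
    line: "{{ item.key }} {{ item.value }}"
    insertbefore: '^### ansible core/sshd/base config barrier ###'
    # Syntax-check the candidate file before it replaces sshd_config.  Without
    # this a value the local sshd does not understand (e.g. the MACs line) is
    # only discovered when the "restart ssh" handler takes the daemon down,
    # locking us out.  Path assumed to be /usr/sbin/sshd on the supported
    # platforms; move it into the per-distribution vars if it differs.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh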

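- name: limit allowed users
  # root is always listed so the key-based root login configured above keeps
  # working; the other names come from group vars, host vars and the optional
  # sshd_jump_users value (presumably a mapping keyed by user name, `list`
  # yields its keys).  `union` de-duplicates, `sort` keeps the line stable
  # between runs so the task stays idempotent.  Per sshd_config(5) an account
  # must also satisfy AllowGroups when that directive is present.
  when: not (sshd_allow_any_user | bool)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers\\s"
    line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host) | union(sshd_jump_users | default({}) | list) | sort) }}"
    insertbefore: '^### ansible core/sshd/base config barrier ###'
    # Reject a malformed pattern before it reaches the live config and the
    # restart handler; a broken AllowUsers line would otherwise stop sshd.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh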

- name: allow any user
  # Counterpart of "limit allowed users": with no AllowUsers directive sshd
  # no longer restricts by user name (AllowGroups and the authentication
  # settings above still apply).  Every matching line is removed.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^AllowUsers\\s"
    state: absent
  when: sshd_allow_any_user | bool
  notify: restart ssh

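- name: limit allowed groups
  when: not (sshd_allow_any_group | bool)
  block:
  # Unlike AllowUsers there is no implicit member here, so an empty union
  # would write "AllowGroups" with no argument; fail early with a clear
  # message instead of handing sshd a broken directive.
  - name: verify sshd allow-groups are configured
    assert:
      that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0
      msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host

  # Group and host lists are merged without duplicates and sorted so the
  # rendered line is stable between runs.  Per sshd_config(5) an account must
  # satisfy both AllowUsers and AllowGroups when both are present.
  - name: set AllowGroups option
    lineinfile:
      dest: /etc/ssh/sshd_config
      regexp: "^AllowGroups\\s"
      line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host) | sort) }}"
      insertbefore: '^### ansible core/sshd/base config barrier ###'
      # Syntax-check before the file goes live, so a bad pattern cannot take
      # sshd down via the restart handler.
      validate: '/usr/sbin/sshd -t -f %s'
    notify: restart ssh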

- name: allow any group
  # Counterpart of "limit allowed groups": dropping every AllowGroups line
  # removes the group restriction; AllowUsers (if set) still applies.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^AllowGroups\\s"
    state: absent
  when: sshd_allow_any_group | bool
  notify: restart ssh

- name: install ssh keys for root
  # `union` merges the two key lists without duplicates; authorized_key takes
  # one key per line, hence the newline join.  `exclusive` makes the file
  # match this list exactly, so keys added by hand are removed on the next run.
  # NOTE(review): with both lists empty nothing is listed and, combined with
  # PermitRootLogin without-password and the password being disabled below,
  # root would presumably have no way in at all -- confirm callers always
  # provide at least one key.
  authorized_key:
    user: root
    key: "{{ ssh_keys_root | union(ssh_keys_root_extra) | join('\n') }}"
    exclusive: true

- name: delete root password
  # Only runs when the caller supplies sshd_disabled_password.  The user
  # module stores the given value verbatim in the password field, so this is
  # expected to be a locking sentinel ("!" / "*") or an unusable hash rather
  # than a clear-text password -- TODO confirm what the vars files provide.
  user:
    name: root
    password: "{{ sshd_disabled_password }}"
  when: sshd_disabled_password is defined