From a47c5fd378caf0bb7ee641aa23b229c4f310b809 Mon Sep 17 00:00:00 2001
From: nd
Date: Mon, 16 Oct 2017 02:29:26 +0200
Subject: [PATCH] now managing ssh root keys
---
 defaults/main.yml | 3 ++
 files/ansible-key.pub | 0
 tasks/main.yml | 41 +++++++++++++++++++++++----
 templates/ssh_config.j2 | 8 ++++++
 templates/ssh_root_authorized_keys.j2 | 7 +++++
 templates/ssh_sshd_config.j2 | 15 +++++++++-
 6 files changed, 67 insertions(+), 7 deletions(-)
 create mode 100644 defaults/main.yml
 delete mode 100644 files/ansible-key.pub
 create mode 100644 templates/ssh_config.j2
 create mode 100644 templates/ssh_root_authorized_keys.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..09b81f3
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+sshuser: []
+rootpath: ''
diff --git a/files/ansible-key.pub b/files/ansible-key.pub
deleted file mode 100644
index e69de29..0000000
diff --git a/tasks/main.yml b/tasks/main.yml
index cb6d30f..09ec588 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
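Review bot: `admin_ssh_keys`, which `templates/ssh_root_authorized_keys.j2` dereferences unconditionally, is not declared in this new defaults file, so the role aborts on any host whose inventory does not set it. If that is deliberate — an empty default would silently write a root `authorized_keys` with no keys and cut off key-based root login — it should be recorded here, e.g. `# admin_ssh_keys: {name: "<pubkey>"} -- intentionally no default; must come from inventory`. `rootpath` would likewise benefit from a one-line comment stating that it is a staging prefix (`''` for the live system) that is prepended verbatim to `/etc/ssh` and `/root/.ssh`.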
@@ -2,13 +2,42 @@
 - name: copy sshd config
 template:
 src: ssh_sshd_config.j2
- dest: /etc/ssh/sshd_config
+ dest: "{{ rootpath }}/etc/ssh/sshd_config"
 owner: root
 mode: 0644
+ register: ssh_config
+
+ - name: copy ssh config
+ template:
+ src: ssh_config.j2
+ dest: "{{ rootpath }}/etc/ssh/ssh_config"
+ owner: root
+ mode: 0644
+
+ - name: create ssh folder for user root
+ file:
+ path: "{{ rootpath }}/root/.ssh"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+ - name: write authorized_keys file for user root
+ template:
+ src: ssh_root_authorized_keys.j2
+ dest: "{{ rootpath }}/root/.ssh/authorized_keys"
+ owner: root
+ group: root
+ mode: 0600
+
+ - name: create ssh host keys
+ shell: "prefix=\"{{ rootpath }}\"; ssh-keygen -N \"\" -t ed25519 -f \"${prefix}/etc/ssh/ssh_host_ed25519_key\"; ssh-keygen -N \"\" -b 4096 -t rsa -f \"${prefix}/etc/ssh/ssh_host_rsa_key\"; ssh-keygen -N \"\" -b 521 -t ecdsa -f \"${prefix}/etc/ssh/ssh_host_ecdsa_key\""
+ args:
+ creates: "{{ rootpath }}/etc/ssh/ssh_host_ed25519_key"
+ register: ssh_hostkeys
+
+ - name: maybe restart sshd
+ meta: noop
+ changed_when: (ssh_hostkeys|changed or ssh_config|changed) and not rootpath == ''
 notify:
 - restart sshd
-# - name: add ansible key
-# authorized_key:
-# user: root
-# key: "{{ lookup('file', 'ansible-key.pub') }}"
-# manage_dir: yes
diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2
new file mode 100644
index 0000000..0662396
--- /dev/null
+++ b/templates/ssh_config.j2
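Review bot: The "create ssh host keys" task chains three `ssh-keygen` calls with `;` behind a single `creates:` keyed on the ed25519 key, so a host that already has an ed25519 key never gets its rsa/ecdsa keys generated, while a host missing only the ed25519 key runs `ssh-keygen` against the existing rsa/ecdsa files (it prompts to overwrite and fails without a tty) and still reports success because only the last command's exit status is seen. One `command` per key type, each with its own `creates:`, avoids both problems and removes the shell layer into which `{{ rootpath }}` is currently interpolated without `| quote`. Separately, `changed_when`/`notify` on a `meta: noop` task are, as far as I know, not honoured by Ansible's meta handling, so `restart sshd` will likely never fire and the new sshd_config is not applied until something else restarts the daemon; a plain task such as `command: /bin/true` carrying the `changed_when` does what was intended — please verify against the Ansible version in use.
```yaml
# … unchanged: copy sshd config / copy ssh config / root .ssh dir / authorized_keys tasks …
- name: create ssh host keys
  command: "ssh-keygen -N '' -t {{ item.type }} -b {{ item.bits }} -f {{ rootpath }}/etc/ssh/ssh_host_{{ item.type }}_key"
  args:
    creates: "{{ rootpath }}/etc/ssh/ssh_host_{{ item.type }}_key"
  with_items:
    - { type: ed25519, bits: 256 }   # -b is ignored for ed25519; listed for uniformity
    - { type: rsa, bits: 4096 }
    - { type: ecdsa, bits: 521 }
  register: ssh_hostkeys

- name: maybe restart sshd
  command: /bin/true
  changed_when: (ssh_hostkeys|changed or ssh_config|changed) and not rootpath == ''
  notify:
    - restart sshd
```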
@@ -0,0 +1,8 @@
+# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
+HashKnownHosts yes
+# Host keys the client accepts - order here is honored by OpenSSH
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
diff --git a/templates/ssh_root_authorized_keys.j2 b/templates/ssh_root_authorized_keys.j2
new file mode 100644
index 0000000..ab7f10b
--- /dev/null
+++ b/templates/ssh_root_authorized_keys.j2
@@ -0,0 +1,7 @@
+### AUTOGENERATED do not edit! edit /inventory/group_vars/all.yml in ansible ###
+
+{% for name, keys in admin_ssh_keys.items() %}
+#{{ name }}
+{{ keys }}
+
+{% endfor %}
diff --git a/templates/ssh_sshd_config.j2 b/templates/ssh_sshd_config.j2
index 7fedd12..7ddfc27 100644
--- a/templates/ssh_sshd_config.j2
+++ b/templates/ssh_sshd_config.j2
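Review bot: `HostKeyAlgorithms` accepts `ssh-rsa` (SHA-1 signatures) but does not list the SHA-2 RSA signature algorithms `rsa-sha2-512`/`rsa-sha2-256` (available from OpenSSH 7.2, if I recall correctly), so an RSA host key is always verified with a SHA-1 signature even when both ends could do better; if the fleet's clients are recent enough, insert `rsa-sha2-512,rsa-sha2-256` before `ssh-rsa` — verify against the oldest client you must support, since an unknown name makes the whole option invalid on older versions. The comment on `HashKnownHosts` overstates what hashing buys: it hides hostnames from a casual reader, but guessable names can be brute-forced and the file still lists the host keys themselves; suggest `# Hash known_hosts entries so a leaked file does not plainly list the hosts these keys reach (guessable names can still be brute-forced).`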
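Review bot: The loop over `admin_ssh_keys.items()` emits entries in the interpreter's dictionary order and prints `{{ keys }}` verbatim, so the rendered file can be reshuffled between runs (spurious `changed` results, and a needless sshd restart once the handler works) and a list value renders as a Python repr rather than one key per line. Use `{% for name, keys in admin_ssh_keys | dictsort %}` for a stable order and `{{ keys if keys is string else keys | join('\n') }}` to accept either form. Because this file replaces root's only `authorized_keys`, the header comment should also state that a key removed from `admin_ssh_keys` is revoked on the next run and that an empty dict yields a file with no keys.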
@@ -7,13 +7,17 @@ Port 22
 #ListenAddress ::
 #ListenAddress 0.0.0.0
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
 # Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
@@ -43,6 +47,15 @@ UsePrivilegeSeparation sandbox
 # We need sftp
 Subsystem sftp internal-sftp
+UsePam yes # needed to create home dirs with an ldap login
+
+AuthorizedKeysCommand /etc/ssh/ldap_sshpubkey.sh
+AuthorizedKeysCommandUser sshd
+
+AuthorizedKeysFile /root/.ssh/authorized_keys
+
+MaxAuthTries 10
+
 # add special rules for users defined in host variables
 {% for i in sshuser %}
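Review bot: Cutting the server's `KexAlgorithms` down to the single legacy-named `curve25519-sha256@libssh.org` (dropping ECDH and DH-GEX) is a compatibility decision the commit does not record, and clients that only implement the standardised name `curve25519-sha256` can no longer connect. If the target sshd is OpenSSH 7.4 or newer (where that alias was added, if I recall correctly) list both: `KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256`; on an older sshd the unknown name would instead make the config invalid, so gate this on the version you ship. A comment above the line recording why the NIST-curve and DH-GEX methods were removed would spare the next maintainer from reverting it for "compatibility". The new `AcceptEnv` lines forward `LC_ALL`/`LANGUAGE`/`XMODIFIERS` from the client into the session; that mirrors the Debian default and is low risk, but a one-line comment stating it is intentional (locale forwarding) is worth adding.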
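Review bot: `UsePam yes # needed to create home dirs with an ldap login` puts a trailing comment on a directive, and OpenSSH's config parser does not accept that — I believe sshd rejects the file with "garbage at end of line", so once the restart handler fires the host is left without a working sshd; move the remark onto its own `#` line above the directive and run `sshd -t -f <rendered file>` in a task before notifying the restart. `AuthorizedKeysFile /root/.ssh/authorized_keys` is an absolute path with no `%h`/`%u` token, so it applies to every account, not only root: sshd opens it with the authenticating user's privileges, and with the 0600 mode set in tasks/main.yml that open fails for non-root users, meaning their own `~/.ssh/authorized_keys` is now silently ignored and the only thing stopping root's admin keys from authenticating any other account is that file mode. The default relative `AuthorizedKeysFile .ssh/authorized_keys` already resolves to `/root/.ssh/authorized_keys` for root, so drop the line or confine it to a `Match User root` block. `AuthorizedKeysCommandUser sshd` reuses the privilege-separation account, whereas sshd_config(5) recommends a dedicated user with no other role on the host for running the keys command. `/etc/ssh/ldap_sshpubkey.sh` is referenced but not shipped by this commit; as far as I know an absent command only logs an error per key lookup rather than failing fast, so the role should manage or at least assert the script exists.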