From d375846d9da17cb94485c5c309d6721e8bba24e2 Mon Sep 17 00:00:00 2001 From: nd Date: Mon, 16 Oct 2017 02:26:16 +0200 Subject: [PATCH] initial commit --- files/ansible-key.pub | 0 handlers/main.yml | 2 ++ tasks/main.yml | 14 ++++++++++ templates/ssh_sshd_config.j2 | 51 ++++++++++++++++++++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 files/ansible-key.pub create mode 100644 handlers/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/ssh_sshd_config.j2 diff --git a/files/ansible-key.pub b/files/ansible-key.pub new file mode 100644 index 0000000..e69de29 diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..d63f84c --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,2 @@ +- name: restart sshd + service: name=sshd state=restarted diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..cb6d30f --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,14 @@ +--- + - name: copy sshd config + template: + src: ssh_sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + mode: 0644 + notify: + - restart sshd +# - name: add ansible key +# authorized_key: +# user: root +# key: "{{ lookup('file', 'ansible-key.pub') }}" +# manage_dir: yes diff --git a/templates/ssh_sshd_config.j2 b/templates/ssh_sshd_config.j2 new file mode 100644 index 0000000..7fedd12 --- /dev/null +++ b/templates/ssh_sshd_config.j2 @@ -0,0 +1,51 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 + + +# Supported HostKey algorithms by order of preference. +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key + +KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + +# KeyRegenerationInternal is halved from the default as a precaution (optional). 1800 seconds is 30 minutes. +KeyRegenerationInterval 1800 + +# Password based logins are disabled - only public key based logins are allowed. +AuthenticationMethods publickey + +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. +LogLevel VERBOSE + +# Root login should not be allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user: +# +# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH. +# Additionally, only tools such as systemd and auditd record the process session id. +# On other OSes, the user session id is not necessarily recorded at all kernel-side. +# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track. +PermitRootLogin yes # but we need it to login from dom0 + +# Use kernel sandbox mechanisms where possible in unprivilegied processes +# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. +UsePrivilegeSeparation sandbox + +# We need sftp +Subsystem sftp internal-sftp + +# add special rules for users defined in host variables + +{% for i in sshuser %} +Match User {{ i['user'] }} + AuthorizedKeysFile {{ i['AuthorizedKeysFile'] }} +{% endfor %}