diff options
Diffstat (limited to 'roles/sshd')
-rw-r--r-- | roles/sshd/README | 23 | ||||
-rw-r--r-- | roles/sshd/defaults/main.yml | 9 | ||||
-rw-r--r-- | roles/sshd/handlers/main.yml | 4 | ||||
-rw-r--r-- | roles/sshd/subplot.md | 27 | ||||
-rw-r--r-- | roles/sshd/tasks/main.yml | 112 |
5 files changed, 175 insertions, 0 deletions
diff --git a/roles/sshd/README b/roles/sshd/README new file mode 100644 index 0000000..4b155c8 --- /dev/null +++ b/roles/sshd/README @@ -0,0 +1,23 @@ +This role, sshd, configures an SSH server on a Debian. Specifically +may: + +- set host key and certificate +- set user CA +- set port on which server listens + +To use, define variables below: + +- `sshd_version`---must match the current version for the role +- `sshd_host_key` and `sshd_host_cert`---the host key and + corresponding certificate + - note that you must define both for either to work + - rationale: there's little point in just setting the host key, as + it will still force people to accept it the first time; a host + certificate removes that need and allows the key to change at will +- `sshd_port`---the port where the SSH server should listen + - rationale: on public-facing servers, the default port gets tons of + login attempts by attackers trying to guess passwords +- `sshd_user_ca_pub`---the public keys of the SSH CAs trusted to + certify users + - rationale: using a user CA removes the need to maintain, or have, + `authorized_keys` files diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml new file mode 100644 index 0000000..20c9563 --- /dev/null +++ b/roles/sshd/defaults/main.yml @@ -0,0 +1,9 @@ +# The user of the role MUST define the version they want to use. If +# it's not what the version of unix_users being used actually +# provides, the role will fail. +sshd_version: null + + +# Allow SSH server to use `authorized_keys` files? +sshd_allow_authorized_keys: yes + diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml new file mode 100644 index 0000000..c4898c0 --- /dev/null +++ b/roles/sshd/handlers/main.yml @@ -0,0 +1,4 @@ +- name: sshd_restart + systemd: + name: ssh + state: restarted diff --git a/roles/sshd/subplot.md b/roles/sshd/subplot.md new file mode 100644 index 0000000..e86e513 --- /dev/null +++ b/roles/sshd/subplot.md @@ -0,0 +1,27 @@ +# Role `sshd` – configure an SSH server + +This role sets up a Debian system so that it can be managed with +Ansible in a reasonable way. + +## Version history + +### Version 1 + +First version. Supports `sshd_version`, `sshd_port`, `sshd_host_key`, +`sshd_host_cert`, and `sshd_user_ca_pub`. + +# Configure SSH + +~~~scenario +given a host running Debian +when I use role sshd +and I use variables from sshd.yml +and I run the playbook +then stdout contains "sshd role version" +~~~ + +~~~{#sshd.yml .file .yaml} +ansible_python_interpreter: /usr/bin/python3 + +sshd_version: 1 +~~~ diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml new file mode 100644 index 0000000..ff77c40 --- /dev/null +++ b/roles/sshd/tasks/main.yml @@ -0,0 +1,112 @@ +- name: "sshd role version" + shell: | + [ "{{ sshd_version }}" = "1" ] || \ + (echo "Unexpected version {{ sshd_version }}" 1>&2; exit 1) + +- name: "sshd role configuration sanity check" + when: not sshd_allow_authorized_keys and sshd_user_ca_pub is not defined + shell: | + echo "You MUST define sshd_allow_authorized_keys OR sshd_user_ca_pub" + exit 1 + +- name: "Configure SSH server to read config files in sshd_config.d" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "Include /etc/ssh/sshd_config.d" + line: "Include /etc/ssh/sshd_config.d/*.conf" + insertbefore: BOF + notify: sshd_restart + +- name: "Set SSH host identity" + when: sshd_host_key is defined and sshd_host_cert is defined + copy: + content: | + {{ sshd_host_key }} + dest: /etc/ssh/ssh_host_key + owner: root + group: root + mode: 0600 + notify: sshd_restart + +- name: "Set SSH host certificate" + when: sshd_host_key is defined and sshd_host_cert is defined + copy: + content: | + {{ sshd_host_cert }} + dest: /etc/ssh/ssh_host_key-cert.pub + notify: sshd_restart + +- name: "Configure SSH server host key" + when: sshd_host_key is defined and sshd_host_cert is defined + copy: + content: | + HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com + HostKey /etc/ssh/ssh_host_key + HostCertificate /etc/ssh/ssh_host_key-cert.pub + dest: /etc/ssh/sshd_config.d/host_id.conf + notify: sshd_restart + +- name: "Remove old host key settings from /etc/ssh/sshd_config" + when: sshd_host_key is defined and sshd_host_cert is defined + lineinfile: + path: /etc/ssh/sshd_config + state: absent + regex: "(?i)hostkey" + notify: sshd_restart + +- name: "Remove old host cert settings from /etc/ssh/sshd_config" + when: sshd_host_key is defined and sshd_host_cert is defined + lineinfile: + path: /etc/ssh/sshd_config + state: absent + regex: "(?i)hostcertificate" + notify: sshd_restart + +- name: "Remove old user CA settings from /etc/ssh/sshd_config" + when: sshd_host_key is defined and sshd_host_cert is defined + lineinfile: + path: /etc/ssh/sshd_config + state: absent + regex: "(?i)trustedusercakeys" + notify: sshd_restart + +- name: "Remove obsolete SSH host keys and certificates" + when: sshd_host_key is defined and sshd_host_cert is defined + shell: | + find /etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete + notify: sshd_restart + +- name: "Configure SSH server port" + when: sshd_port is defined + copy: + content: | + Port {{ sshd_port }} + dest: /etc/ssh/sshd_config.d/port.conf + notify: sshd_restart + +- name: "Configure user CA for SSH server" + when: sshd_user_ca_pub is defined + copy: + content: | + {{ sshd_user_ca_pub }} + dest: /etc/ssh/user_ca_pubs + notify: sshd_restart + +- name: "Configure SSH server to accept user CA" + when: sshd_user_ca_pub is defined + copy: + content: | + TrustedUserCAKeys /etc/ssh/user_ca_pubs + dest: /etc/ssh/sshd_config.d/user_ca.conf + notify: sshd_restart + +- name: "Configure SSH server to not use 'authorized_keys' files at all." + when: not sshd_allow_authorized_keys + copy: + content: | + AuthorizedKeysFile none + dest: /etc/ssh/sshd_config.d/authorized_keys.conf + notify: sshd_restart + +- name: "Run handlers" + meta: flush_handlers |