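---
# Tasks for the sshd role: optionally install a CA-signed host identity,
# move host-key / port / user-CA settings into /etc/ssh/sshd_config.d
# drop-ins, and optionally disable authorized_keys files altogether.
#
# Variables read here:
#   sshd_version               - must be "1"
#   sshd_allow_authorized_keys - bool; when false, sshd_user_ca_pub is mandatory
#   sshd_host_key, sshd_host_cert - private host key and its certificate (used together)
#   sshd_port                  - listening port (optional)
#   sshd_user_ca_pub           - CA public key(s) trusted for user certificates (optional)
# Every task that touches sshd configuration notifies the sshd_restart handler.

- name: "sshd role version"
  # assert replaces the former shell `[ ... ] || exit 1`; same check, same message.
  assert:
    that:
      - 'sshd_version | string == "1"'
    fail_msg: "Unexpected version {{ sshd_version }}"

- name: "sshd role configuration sanity check"
  # With authorized_keys files disabled, the user CA is the only login path,
  # so one of the two must be configured.
  assert:
    that:
      - "sshd_allow_authorized_keys or sshd_user_ca_pub is defined"
    fail_msg: "You MUST define sshd_allow_authorized_keys OR sshd_user_ca_pub"

- name: "Configure SSH server to read config files in sshd_config.d"
  # Inserted at BOF so the drop-ins take precedence: sshd uses the first
  # value it reads for a keyword. The Include keyword needs OpenSSH >= 8.2.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "Include /etc/ssh/sshd_config.d"
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    insertbefore: BOF
  notify: sshd_restart

- name: "Install CA-signed SSH host identity"
  # One guard for the whole group instead of repeating it on every task.
  when: sshd_host_key is defined and sshd_host_cert is defined
  block:
    - name: "Set SSH host identity"
      # no_log keeps the private key out of task output, --diff and log files.
      no_log: true
      copy:
        content: |
          {{ sshd_host_key }}
        dest: /etc/ssh/ssh_host_key
        owner: root
        group: root
        mode: "0600"  # quoted so the leading-zero octal is not reinterpreted by YAML
      notify: sshd_restart

    - name: "Set SSH host certificate"
      copy:
        content: |
          {{ sshd_host_cert }}
        dest: /etc/ssh/ssh_host_key-cert.pub
        owner: root
        group: root
        mode: "0644"  # the certificate is public; pin ownership and mode explicitly
      notify: sshd_restart

    - name: "Configure SSH server host key"
      copy:
        content: |
          HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
          HostKey /etc/ssh/ssh_host_key
          HostCertificate /etc/ssh/ssh_host_key-cert.pub
        dest: /etc/ssh/sshd_config.d/host_id.conf
      notify: sshd_restart

    - name: "Remove old host key settings from /etc/ssh/sshd_config"
      # Unanchored and case-insensitive: this also drops HostKeyAlgorithms and
      # commented-out entries; the drop-in above supplies the replacement values.
      lineinfile:
        path: /etc/ssh/sshd_config
        state: absent
        regexp: "(?i)hostkey"
      notify: sshd_restart

    - name: "Remove old host cert settings from /etc/ssh/sshd_config"
      lineinfile:
        path: /etc/ssh/sshd_config
        state: absent
        regexp: "(?i)hostcertificate"
      notify: sshd_restart

    - name: "Find obsolete SSH host keys and certificates"
      # Distribution-generated ssh_host_<type>_key* files (the new identity
      # is named ssh_host_key and does not match). The find/file pair
      # replaces a shell `find -delete` that reported "changed" on every run.
      find:
        paths: /etc/ssh
        patterns: "ssh_host_*_key*"
        file_type: file
      register: sshd_obsolete_host_files

    - name: "Remove obsolete SSH host keys and certificates"
      file:
        path: "{{ item.path }}"
        state: absent
      # default([]) covers the case where the find task was skipped.
      loop: "{{ sshd_obsolete_host_files.files | default([]) }}"
      loop_control:
        label: "{{ item.path }}"
      notify: sshd_restart

- name: "Remove old user CA settings from /etc/ssh/sshd_config"
  # NOTE(review): this guard looks copy-pasted from the host-key tasks;
  # `when: sshd_user_ca_pub is defined` is probably what is meant - confirm.
  when: sshd_host_key is defined and sshd_host_cert is defined
  lineinfile:
    path: /etc/ssh/sshd_config
    state: absent
    regexp: "(?i)trustedusercakeys"
  notify: sshd_restart

- name: "Configure SSH server port"
  when: sshd_port is defined
  copy:
    content: |
      Port {{ sshd_port }}
    dest: /etc/ssh/sshd_config.d/port.conf
  notify: sshd_restart

- name: "Configure user CA for SSH server"
  when: sshd_user_ca_pub is defined
  copy:
    content: |
      {{ sshd_user_ca_pub }}
    dest: /etc/ssh/user_ca_pubs
  notify: sshd_restart

- name: "Configure SSH server to accept user CA"
  when: sshd_user_ca_pub is defined
  copy:
    content: |
      TrustedUserCAKeys /etc/ssh/user_ca_pubs
    dest: /etc/ssh/sshd_config.d/user_ca.conf
  notify: sshd_restart

- name: "Configure SSH server to not use 'authorized_keys' files at all."
  # Only the user CA can authorize logins once this drop-in is in place.
  when: not sshd_allow_authorized_keys
  copy:
    content: |
      AuthorizedKeysFile none
    dest: /etc/ssh/sshd_config.d/authorized_keys.conf
  notify: sshd_restart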