From eae9a42b4bb3d583ca10332c83c32ef4494aa3a4 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Mon, 20 Aug 2018 09:31:11 -0500
Subject: [PATCH] Manage sshd config with ansible
We write out a specific sshd config file. Let's do it with ansible.
Change-Id: Ie92b6ec6c8772d31009d1c2a2f7d5558bb38f67a
---
modules/openstack_project/manifests/server.pp | 8 --
.../roles/base-server/defaults/main.yaml | 1 +
.../roles/base-server/handlers/main.yaml | 6 ++
playbooks/roles/base-server/tasks/main.yaml | 9 ++
.../base-server/templates/sshd_config.j2 | 95 +++++++++++++++++++
playbooks/roles/base-server/vars/Debian.yaml | 2 +
playbooks/roles/base-server/vars/RedHat.yaml | 2 +
.../roles/base-server/vars/Ubuntu.trusty.yaml | 2 +
8 files changed, 117 insertions(+), 8 deletions(-)
create mode 100644 playbooks/roles/base-server/templates/sshd_config.j2
diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp
index 1bf65a20aa..6d8f357a28 100644
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@@ -29,14 +29,6 @@ class openstack_project::server ( include '::ntp' - ########################################################### - # Manage Root ssh - - class { 'ssh': - trusted_ssh_type => 'address', - trusted_ssh_source => '23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072,23.253.234.219,2001:4800:7817:103:be76:4eff:fe04:5a1d', - } - ########################################################### - # Process if ( $high_level_directive ) blocks
diff --git a/playbooks/roles/base-server/defaults/main.yaml b/playbooks/roles/base-server/defaults/main.yaml
index 394dab26ad..e5189dd8f4 100644
--- a/playbooks/roles/base-server/defaults/main.yaml
+++ b/playbooks/roles/base-server/defaults/main.yaml
@@ -4,6 +4,7 @@ base_packages: - at - git - lvm2
+ - openssh-server - parted - rsync - rsyslog
diff --git a/playbooks/roles/base-server/handlers/main.yaml b/playbooks/roles/base-server/handlers/main.yaml
index a80bac59a0..8c7e031768 100644
--- a/playbooks/roles/base-server/handlers/main.yaml
+++ b/playbooks/roles/base-server/handlers/main.yaml
@@ -2,3 +2,9 @@ service: name: rsyslog state: restarted
+
+- name: Restart ssh
+ service:
+ name: '{{ ssh_service_name }}'
+ state: restarted
+ when: not ansible_facts.is_chroot
diff --git a/playbooks/roles/base-server/tasks/main.yaml b/playbooks/roles/base-server/tasks/main.yaml
index b7ae08dc8f..c31b014260 100644
--- a/playbooks/roles/base-server/tasks/main.yaml
+++ b/playbooks/roles/base-server/tasks/main.yaml
@@ -41,6 +41,15 @@ key_options: | from="{{ bastion_ipv4 }},{{ bastion_ipv6 }},localhost"
+- name: Install sshd config
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0444
+ notify: Restart ssh
+ - name: Disable byobu file: path: /etc/profile.d/Z98-byobu.sh
diff --git a/playbooks/roles/base-server/templates/sshd_config.j2 b/playbooks/roles/base-server/templates/sshd_config.j2
new file mode 100644
index 0000000000..8aa4f8531f
--- /dev/null
+++ b/playbooks/roles/base-server/templates/sshd_config.j2
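Review bot: The `Install sshd config` task writes /etc/ssh/sshd_config and notifies `Restart ssh` without validating the rendered file first, so a template that renders an undefined `bastion_ipv4`, `bastion_ipv6` or `sftp_path` into a directive sshd rejects gets installed and the restart then fails, which on a remote host means losing ssh access to it. Adding `validate: /usr/sbin/sshd -t -f %s` to the template task makes the handler run only on a config sshd accepts, and leaves the previous config in place otherwise. The `ssh_service_name` and `sftp_path` variables appear to be set only in the three distro vars files this commit touches, so it is worth confirming that every vars file the role can load defines both, or giving them defaults in defaults/main.yaml.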
@@ -0,0 +1,95 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem 
sftp {{ sftp_path }}
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# allow ansible connections from puppetmaster host
+Match address {{ bastion_ipv4 }},{{ bastion_ipv6 }}
+ PermitRootLogin without-password
+# allow ansible connections from localhost
+Match host localhost
+ PermitRootLogin without-password
diff --git a/playbooks/roles/base-server/vars/Debian.yaml b/playbooks/roles/base-server/vars/Debian.yaml
index 7ad2e9e6c1..3df5c620b0 100644
--- a/playbooks/roles/base-server/vars/Debian.yaml
+++ b/playbooks/roles/base-server/vars/Debian.yaml
@@ -3,3 +3,5 @@ distro_packages: - emacs-nox - iputils-ping - vim-nox
+sftp_path: /usr/lib/openssh/sftp-server
+ssh_service_name: ssh
diff --git a/playbooks/roles/base-server/vars/RedHat.yaml b/playbooks/roles/base-server/vars/RedHat.yaml
index b9d400d471..b787d335bd 100644
--- a/playbooks/roles/base-server/vars/RedHat.yaml
+++ b/playbooks/roles/base-server/vars/RedHat.yaml
@@ -9,3 +9,5 @@ distro_packages: - ntpdate - vim-minimal - yum-cron
+sftp_path: /usr/libexec/openssh/sftp-server
+ssh_service_name: sshd
diff --git a/playbooks/roles/base-server/vars/Ubuntu.trusty.yaml b/playbooks/roles/base-server/vars/Ubuntu.trusty.yaml
index e4af7be421..b9c4325a2f 100644
--- a/playbooks/roles/base-server/vars/Ubuntu.trusty.yaml
+++ b/playbooks/roles/base-server/vars/Ubuntu.trusty.yaml
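Review bot: `Match host localhost` at the end of the template most likely never matches: `Match Host` compares against the client hostname sshd resolves, and with `UseDNS` left at its default of no (OpenSSH 6.8 and later) that value is just the client address string, so local ansible connections would not get the `PermitRootLogin without-password` exception the comment promises. `Match address 127.0.0.1,::1` expresses the intent without depending on DNS. Two other points worth a look while the file is being rewritten: `X11Forwarding yes` is unnecessary exposure on infrastructure servers and is safer as `X11Forwarding no`, and the DSA `HostKey`, `Protocol 2`, `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication` and `UsePrivilegeSeparation` lines are protocol-1-era directives that recent OpenSSH releases treat as deprecated no-ops and log warnings for, so they can be dropped along with the "Package generated configuration file" header now that ansible owns the file.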
@@ -3,3 +3,5 @@ distro_packages: - emacs23-nox - iputils-ping - vim-nox
+sftp_path: /usr/lib/openssh/sftp-server
+ssh_service_name: ssh