From 452bee1cf1775e2654567f9f64132468a4e6690b Mon Sep 17 00:00:00 2001
From: Corbin Bartsch
Date: Mon, 4 Apr 2022 00:28:09 -0400
Subject: [PATCH] Added cbarts-ssh role

---
 defaults/main.yaml | 44 +++++++++++++++++++++++++++++++
 tasks/main.yaml | 9 +++++++
 tasks/template_config.yaml | 26 ++++++++++++++++++
 templates/issue.net.j2 | 26 ++++++++++++++++++
 templates/sshd_config.j2 | 54 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 159 insertions(+)
 create mode 100644 defaults/main.yaml
 create mode 100644 tasks/main.yaml
 create mode 100644 tasks/template_config.yaml
 create mode 100644 templates/issue.net.j2
 create mode 100644 templates/sshd_config.j2

diff --git a/defaults/main.yaml b/defaults/main.yaml
new file mode 100644
index 0000000..d342715
--- /dev/null
+++ b/defaults/main.yaml
@@ -0,0 +1,44 @@
+---
+
+sshd_config_path: /etc/ssh
+
+ssh_port: 22
+ssh_address_family: any
+ssh_listen_addresses:
+  - 0.0.0.0
+
+ssh_host_key_file: /etc/ssh/ssh_host_ed25519_key
+
+ssh_allow_groups: ssh
+ssh_login_grace_time: 20
+ssh_permit_root_login: 'no'
+ssh_strict_modes: 'yes'
+ssh_max_auth_tries: 3
+ssh_max_sessions: 2
+
+ssh_pubkey_authentication: 'yes'
+
+ssh_authorized_keys_file: .ssh/authorized_keys
+
+ssh_hostbased_authentication: 'no'
+ssh_password_authentication: 'no'
+ssh_permit_empty_passwords: 'no'
+ssh_challenge_response_authentication: 'no'
+ssh_kerberos_authentication: 'no'
+ssh_gssapi_authentication: 'no'
+ssh_use_pam: 'yes'
+
+ssh_allow_agent_forwarding: 'no'
+ssh_permit_tunnel: 'no'
+
+ssh_x11_forwarding: 'no'
+
+ssh_print_motd: 'no'
+
+ssh_permit_user_env: False
+ssh_accept_env:
+  - LANG
+  - 'LC_*'
+
+ssh_banner: True
+ssh_banner_file: /etc/issue.net
diff --git a/tasks/main.yaml b/tasks/main.yaml
new file mode 100644
index 0000000..ef7e14c
--- /dev/null
+++ b/tasks/main.yaml
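Review bot: `ssh_permit_user_env: False` and `ssh_banner: True` use capitalised YAML 1.1 booleans while every other flag in the file is a quoted `'yes'`/`'no'` string, and neither choice is explained; write the two role-internal flags as `false`/`true` and put a comment above the first sshd option, `# sshd option values stay quoted on purpose: an unquoted yes/no becomes a YAML boolean and renders as True/False, which sshd rejects`. `ssh_allow_groups: ssh` restricts logins to a group the role never creates or populates, so a run against a host where the Ansible user is not in that group locks the host out as soon as sshd restarts; at least say so, `# only members of this group may log in; make sure the Ansible user is a member before the role restarts sshd`. `ssh_listen_addresses` defaults to `0.0.0.0` alone, so despite `ssh_address_family: any` the daemon does not listen on IPv6; add a comment or a `'::'` entry if that is unintended.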
@@ -0,0 +1,9 @@
+---
+
+- name: Ensure ssh server is installed
+  package:
+    name: openssh-server
+    state: present
+
+- name: Create sshd_config file
+  include_tasks: template_config.yaml
diff --git a/tasks/template_config.yaml b/tasks/template_config.yaml
new file mode 100644
index 0000000..33ca2f3
--- /dev/null
+++ b/tasks/template_config.yaml
@@ -0,0 +1,26 @@
+---
+
+- name: Ensure destination for sshd_config exists
+  file:
+    path: "{{ sshd_config_path }}"
+    state: directory
+
+- name: Write sshd_config file
+  template:
+    src: ../templates/sshd_config.j2
+    dest: "{{ sshd_config_path }}/sshd_config"
+  become: true
+  register: sshd_config_file
+
+- name: Restart service
+  systemd:
+    name: sshd
+    enabled: yes
+    state: restarted
+  when: sshd_config_file.changed
+
+- name: Write banner file
+  template:
+    src: ../templates/issue.net.j2
+    dest: "{{ ssh_banner_file }}"
+  when: ssh_banner
diff --git a/templates/issue.net.j2 b/templates/issue.net.j2
new file mode 100644
index 0000000..90a838c
--- /dev/null
+++ b/templates/issue.net.j2
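Review bot: The `package` task installs openssh-server without `become`, while in tasks/template_config.yaml (same physical line) only the `Write sshd_config file` task carries `become: true` and the `file`, `systemd` and banner `template` tasks do not; all of these need root, so either the play sets become globally and the single `become: true` is redundant, or the other tasks are missing it. Pick one convention and apply it to every task or to the play, so the role behaves the same whichever playbook includes it. The `systemd` task names the unit `sshd`; on Debian-family hosts the unit is `ssh` and `sshd` may only resolve while the alias exists, so the restart may need the same `os_family` branching the template already does.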
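Review bot: The `Write sshd_config file` task restarts sshd on any change without checking the rendered file first, so a single bad variable value ships a config sshd refuses and the host becomes unreachable; add `validate: '/usr/sbin/sshd -t -f %s'` to that template task so the restart is only reached with a file sshd accepts. The same task sets no `mode`, leaving the permissions of sshd_config to the remote umask; `mode: '0600'` pins them. The banner file is written after the restart, so on a first run sshd comes up with `Banner` pointing at a file that may not exist yet; move `Write banner file` above `Restart service`. Minor: `enabled: yes` should be `enabled: true`, and inside a role `src: sshd_config.j2` resolves through the role's templates directory without the `../templates/` prefix.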
@@ -0,0 +1,26 @@
+***************************************************************************
+ NOTICE TO USERS
+
+
+This computer system is the private property of its owner, whether
+individual, corporate or government. It is for authorized use only.
+Users (authorized or unauthorized) have no explicit or implicit
+expectation of privacy.
+
+Any or all uses of this system and all files on this system may be
+intercepted, monitored, recorded, copied, audited, inspected, and
+disclosed to your employer, to authorized site, government, and law
+enforcement personnel, as well as authorized officials of government
+agencies, both domestic and foreign.
+
+By using this system, the user consents to such interception, monitoring,
+recording, copying, auditing, inspection, and disclosure at the
+discretion of such personnel or officials. Unauthorized or improper use
+of this system may result in civil and criminal penalties and
+administrative or disciplinary action, as appropriate. By continuing to
+use this system you indicate your awareness of and consent to these terms
+and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
+conditions stated in this warning.
+
+****************************************************************************
+
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
new file mode 100644
index 0000000..ca7fa41
--- /dev/null
+++ b/templates/sshd_config.j2
@@ -0,0 +1,54 @@
+# {{ ansible_managed }}
+
+Port {{ ssh_port }}
+AddressFamily {{ ssh_address_family }}
+{% for a in ssh_listen_addresses %}
+ListenAddress {{ a }}
+{% endfor %}
+
+HostKey {{ ssh_host_key_file }}
+
+AllowGroups {{ ssh_allow_groups }}
+LoginGraceTime {{ ssh_login_grace_time }}
+PermitRootLogin {{ ssh_permit_root_login }}
+StrictModes {{ ssh_strict_modes }}
+MaxAuthTries {{ ssh_max_auth_tries }}
+MaxSessions {{ ssh_max_sessions }}
+
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
+AuthorizedKeysFile {{ ssh_authorized_keys_file }}
+
+HostbasedAuthentication {{ ssh_hostbased_authentication }}
+
+PasswordAuthentication {{ ssh_password_authentication }}
+PermitEmptyPasswords {{ ssh_permit_empty_passwords }}
+ChallengeResponseAuthentication {{ ssh_challenge_response_authentication }}
+KerberosAuthentication {{ ssh_kerberos_authentication }}
+GSSAPIAuthentication {{ ssh_gssapi_authentication }}
+UsePAM {{ ssh_use_pam }}
+
+AllowAgentForwarding {{ ssh_allow_agent_forwarding }}
+PermitTunnel {{ ssh_permit_tunnel }}
+
+X11Forwarding {{ ssh_x11_forwarding }}
+PrintMotd {{ ssh_print_motd }}
+
+{% if ssh_banner == true %}
+Banner {{ ssh_banner_file }}
+{% endif %}
+
+{% if ssh_permit_user_env == true %}
+PermitUserEnvironment yes
+
+{% for e in ssh_accept_env %}
+AcceptEnv {{ e }}
+{% endfor %}
+{% else %}
+PermitUserEnvironment no
+{% endif %}
+
+{% if ansible_facts['os_family'] == 'RedHat' %}
+Subsystem sftp /usr/libexec/openssh/sftp-server
+{% elif ansible_facts['os_family'] == 'Debian' %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}
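Review bot: The `ssh_accept_env` loop is rendered only inside the `ssh_permit_user_env` branch, but `AcceptEnv` (variables the client may send) and `PermitUserEnvironment` (processing of `~/.ssh/environment` and `environment=` entries in authorized_keys) are independent sshd options, so with the role's defaults `AcceptEnv LANG LC_*` is never emitted and an operator who wants locale passthrough must turn on user-environment processing, which sshd_config(5) warns can let users bypass access restrictions. Render `AcceptEnv` from the list unconditionally (an empty list then emits nothing) and derive `PermitUserEnvironment` from its flag alone. The `== true` tests on both flags match only a genuine boolean, so a `'yes'` string from inventory silently drops the `Banner` line; `| bool` is safer. The `Subsystem sftp` block emits nothing on other `os_family` values, where `internal-sftp` is a portable fallback. Consider a `LogLevel VERBOSE` line so each authentication is logged with enough detail, including key fingerprints, for auditing.
```jinja
{% if ssh_banner | bool %}
Banner {{ ssh_banner_file }}
{% endif %}

PermitUserEnvironment {{ 'yes' if ssh_permit_user_env | bool else 'no' }}
{% for e in ssh_accept_env %}
AcceptEnv {{ e }}
{% endfor %}

{# … unchanged: RedHat and Debian Subsystem branches … #}
{% else %}
Subsystem sftp internal-sftp
{% endif %}
```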