From 79610f53d3bdf8b45bbf8acac44b27e2cf296f57 Mon Sep 17 00:00:00 2001
From: binary
Date: Wed, 18 Nov 2020 09:40:44 +0100
Subject: Per dsitribution network rules

---
 playbooks/network.yml | 2 +-
 playbooks/p.yml | 13 -----
 playbooks/site.yml | 3 +-
 playbooks/sshdns.yml | 1 -
 roles/ssh/templates/sshd_config.j2 | 100 ++++++-------------------------------
 5 files changed, 19 insertions(+), 100 deletions(-)
 delete mode 100644 playbooks/p.yml

diff --git a/playbooks/network.yml b/playbooks/network.yml
index 98a66ae..c9ddecf 100644
--- a/playbooks/network.yml
+++ b/playbooks/network.yml
@@ -10,7 +10,7 @@
 name: ssh
 tasks_from: generate_dns.yml
-- hosts: all
+- hosts: servers
 roles:
 - ssh
diff --git a/playbooks/p.yml b/playbooks/p.yml
deleted file mode 100644
index 49c3200..0000000
--- a/playbooks/p.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-# p.yml
-# Execute only one role
-
----
-
-- hosts: "{{ host }}"
-
- tasks:
-
- - include_role:
- name: "{{ role }}"
- tasks_from: "{{ task }}.yml"
diff --git a/playbooks/site.yml b/playbooks/site.yml
index f493eb1..0775b58 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -5,4 +5,5 @@
 - hosts: servers
 roles:
- - common
+ - { role : common }
+ - { role: tools }
diff --git a/playbooks/sshdns.yml b/playbooks/sshdns.yml
index a73624c..d343cf4 100644
--- a/playbooks/sshdns.yml
+++ b/playbooks/sshdns.yml
@@ -5,7 +5,6 @@
 ---
 - hosts: localhost
-
 tasks:
 - include_role:
diff --git a/roles/ssh/templates/sshd_config.j2 b/roles/ssh/templates/sshd_config.j2
index 4f7f608..a11268e 100644
--- a/roles/ssh/templates/sshd_config.j2
+++ b/roles/ssh/templates/sshd_config.j2
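Review bot: Narrowing the ssh-role play from `hosts: all` to `hosts: servers` silently stops managing sshd_config on any inventory host outside the `servers` group; such hosts keep whatever configuration they have, and nothing in the play output points at the omission. If an inventory lacks the group entirely, Ansible only warns about the unmatched pattern and runs the play against zero hosts, so the hardening is skipped rather than failed — confirm every host that should receive the role is in `servers`, or add a pre-task that fails when `groups['servers']` is empty. The preceding play (`generate_dns.yml`) begins above this hunk.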
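Review bot: `- { role : common }` has a space before the colon, which yamllint's `colons` rule rejects and which does not match `- { role: tools }` on the next line. Neither entry passes role parameters, so the plain list form this hunk removes (`- common` followed by `- tools`) is the idiomatic spelling; if the flow-mapping form is kept for later parameters, at least drop the stray space: `- { role: common }`.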
@@ -1,93 +1,25 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
+# ssh ~~ /etc/ssh/sshd_config
+# managed by Ansible
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
+# security
 PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
+MaxAuthTries 6
+MaxSessions 10
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
+# auth
+AuthorizedKeysFile .ssh/authorized_keys
 PasswordAuthentication no
 PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
 ClientAliveInterval 180
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-# override default of no subsystems
 Subsystem sftp /usr/libexec/sftp-server
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
+{% if ansible_facts["os_family"] == "OpenBSD" or ansible_facts["os_family"] == "Alpine" %}
+Subsystem sftp /usr/libexec/sftp-server
+{% elif ansible_facts["os_family"] == "Debian" %}
+ChallengeResponseAuthentication no
+UsePAM yes
+PrintMotd no
+UsePrivilegeSeparation sandbox
+Subsystem sftp /usr/lib/ssh/sftp-server
+{% endif %}
-- cgit v1.2.3
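Review bot: The rendered file ends up with `Subsystem sftp` twice on every branch: the unchanged `Subsystem sftp /usr/libexec/sftp-server` line that sits just before `{% if ... %}` survives and each branch adds a second one, and sshd rejects such a config at startup with "Subsystem 'sftp' already defined" (the `AuthorizedKeysFile` line is duplicated the same way, though that one is harmless). I would drop the unconditional line and both per-branch lines and put a single `Subsystem sftp internal-sftp` after `{% endif %}`, which needs no distribution-specific binary path; as written, `/usr/lib/ssh/sftp-server` is the Arch/Alpine location rather than Debian's (`/usr/lib/openssh/sftp-server`), so the Debian branch would also fail sftp sessions even without the duplicate. `PermitRootLogin yes` under `# security` should become `PermitRootLogin prohibit-password` — equivalent today because `PasswordAuthentication no` is set, but it keeps root key-only if password auth is ever re-enabled. `UsePrivilegeSeparation sandbox` has been a deprecated no-op since OpenSSH 7.5 and only produces a startup warning on current Debian releases, so it can go. If the template task does not already pass `validate: sshd -t -f %s`, adding it would have caught the duplicate before it replaced the live config.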