changed ssh key deployment to ensure exclusive access

common/files/keys-removed/jens.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV0A9/518e6ET6Q31zIEbgTPm4xnZgTUuCgcmPgbkaad+SiTZ6laSAaOrhSkKw6HUMpBmBg5Fwz2wvrY552LZot4lywzuzyuX6FRDofcfY6MKwYgxkeosf0iWjeorHF2nBa1xA+9EZFVO4yQvqub3FmgA31zy5GZAFOxbdYRrl+TYku554+OP7wzEENnjrCqiCFDApFU2bmD182imMJNKDjOF+dJXgquczP3oLtLnHXE7ogenPiXybT8oCQORTHYlCeI/xd7V3ma606+kxHyZLLDsPs01zqRXQQEogM1i+5sBDaunqAkcANXgpb//5Kccn/rinQuQwBnKHpNhuT077 jensbrandt@X61t

common/files/keys-removed/jensFS.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ezDqffwh1fRZn6Ae/DGnGEUzOzjcMnw7HSo09GT2R1e6/XuPVWRlBkjFgvRG1L+qr0uzLnYF+Os5E3pl57pwZw3dnST8HhAxHYlQdxu2046pUpbnDs0RtBYKnU+Wvaj+9cZMKgZvSu/ifb5qMJejivOgVxyaOu/EE7jIB6jnpyRao7l8GbBZ6h2DGOQWQZChxls3rI14QmYLGIUHmk38Zv+rU9DdT//GFd7SxnWsDp4hVEeqtdYOcQICv1MrPy2PVJsyPua89BrBFqXx0TfXcO40JR5PSQE/iXQlQlcLh3xVsmQT8ZYISTXTCpYKmcR/u4FfUXZsxxUPckcFyLYX jens@portal.fsmpi.rwth-aachen.de

common/files/keys-removed/konstantin.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAqSGg7VTXDcivuV1KfdD2e+a1IkhjWnWZCaIPUk1NYoratF/SxKvVY0XWF/FG4HcMkPCNLdKukIzEoZhu3kQ0Qo7CfQ54fZkhkYhIKE+yzrOwc1X02s/roBPamY5TAr+rk15TBdDNssXkt5ZCjITL4J80GUhv52wb6hfkPUHZT1LGZFfdNdVkEcwCT3RWDM0GSx+qc+8z+w2N5Vcv3s0CPXWn+mt2ScALPnTxgImZi6osnIPL4r/vDNX1wFYU9bJP+Yag1UKhv86M/nbB3gqhj6q8ZkoIQ7wXcZdms5XSNTCsDQ0FYKLujXETRPdGHlm9fAh6TlztK7P0cNmogLjNpQ==

common/files/keys-removed/marcel.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0+PCSlrG2mrPjE181QL7MmdNSBciVG+MBJpZN5385YJOU1nxDQ7Bi/P6hQh7y+iKJbrMN/zgThZGgfwptkr8ZpFspOgiycy84dK8MuKbr6epLhyrmbb0Xt21mENgVy+G7mOxak6bLgCOYvpGxVjKGNZHKIT0LT3NR9cFpDKaqlLUI9H2+1pwint6qdQfFNPH3YFMJ/8IO6LJb2klJMHaMNhKnMD18XFthDLZWnvbSRRMuuB70lFn+raFdzNZ+kT2QDC5TGRlmdW3R7nnw95B1/stuNsBVZXnvINsX4cKcyT7usUwkGlpeSz/w0LVEKVg0g3akBWkK3yK5qa6WDdGfQ== marcel@portal.fsmpi.rwth-aachen.de

common/files/keys-removed/marcelHome.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfuaq8bmktvuZ4B5OajMmpJNj6ddaM4Q4495ddZfQUG6cauvzEoWVdw782a6chrjvPrJOmcL9Qcoc8lTuZu3NxwFRebIjDLrahpe/GZPceBcUF/PW6+pLjuMuOuSworfkBl48ILoQFlRX0hvT7043kJRXwSIKn98bQZAmS3Fw+GFDlTWv4a5r8eAbipEmPoAmvOGQ9zQcTHEOVpZsY4c05Sfiy+TQmapYPqCkkteG1Hv64W2owH924AWrx2ZWNSPSI5R9Y+WEWJpXZfNLxtmzTPp3igoLyGpfswW/7+RluUQ6L0CD425kySyZ6GldPET99bXzXqxD3e624PwzhIGyD marcel@mobilux.ac.straub-nv.de

common/files/keys-removed/marcelWork.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOrDiWcsSYcJouAfuTaY/AGAx9kkz1QqOuzKb6lKmF7WGfC0Yh3yZdNzUNpq2fo6OzIup9dZggy9QFKi69I05jd82+4Wyown0Xs44Y1u+MS/G5+7voPtrdY8Cxhm/eKsiCRxl3BTGaRcsiGCuqv1dbaRmsn+Bl7Y81rYjZvBv0jwOi1bKvu5fF+05wyPNuocVQ7yZISWXPjluV8jcW+qZzcXtkIIR5Ze/Cb26bCixY2WlRzbulBhVa/1yj0SCbcSSPYfmfhSnck4Tw/rCImfmdVCspoWZyWFVFyHn8eyXzMrp84sovzooOWLjuAOihNIoORo3z1K/DOC2BvAzDH2u9 marcel@mpiTux.pmi.rwth-aachen.de

common/files/keys-removed/patrick.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvdnGYcsNG3WLbRYVDnCDMdx53pGji2MiGsOQTtTLlUZ1OlSGf6XyvNzIYhaQABjvw7spRAqrDxwOKXo9Kd4hqVencrbMpIo0CLSZWMMjwzfye+F4hlZVEooWEZrG8wSMb+oYjCCbBUBlgFmnz1Khx6NnacnlAV/OqzJNPoLcovmZm/E/ftJp3WoMaYIkvZDVfUnY92R+iprW4gRfPJzjMPF+5Y3+LlfVCcZMNQ1UsRT8U/A8zTOkorvyBy8nsR1g+zWoCaHMKhX9pedFHj4NaHJI9vDMiXwhgNDsf43nj8Dd6mWPLZlPbcXmnVz200wIL0ysz0PjLIBhvmZYYkYNh ilmig@smaug

common/files/keys/lars.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1QrgcrkyXbJKo90kwzUVyMjTvjSjvNpZhAdeH15DmvnyVcjxBOsfubtjlMchCl7SCg0HrHw7bmrVHXD8rWlN4RwzkDa25LfTdUocsd1ifuvV6d9x/UwBkYyenVxWxqZxkzSmyVXEJltUE7bzGFgU83Du/VIW4NoAQILLVwAb7mmExBXu3lgwadp3d59bm+alPkV1oTsjmHvq8MTvATHJgfjRRT+62VEGoTJFU6RuV1WRw246rb8hAjX1X6yzKH9NgTkC51A3vYj6dFPtmZKvZF3EWaFnbWhic7gnZKB6Lo6dkXiQjk10wAkWLdKdXFKEKGBho3YbX0WZBvXUjZzwKpDmkmrcGdO1dF17+Q+i8ybBqASHibQLUwle3zd0aM+IiqHJlghCopfAoDZP+nq01LAa2c9DX0bVLRKiPqyIl7MAOJuHLI0UazsN4pp9sKoIPYPwcDGHUF5JP1ZmxAw1zhgU2Lwsqt5AXwtkgeGFzJvllmo87RZrT/lGIYZ22o7+Qb3wTLZx60PG7+dUe+uGk0dDNbwCZxoo3GHbaKzjAi+KLWQBMzCe4CJ5gEoFunytiwJkQZKJdTKMLZ0+Im46v9VvTI9fSSNKQece88BZ6kmcgxuetWCYxjuH2amji0k/COLn31uNOqnlRZSNPCcKawYxdmw+EghwjrQtfg89QJw== lars@forge-2011-11-09

common/files/keys/lars@aurora.pub

-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwG9nY4C3knP7ABJMsyqu9ij+tH+sL/ekGFlydugE5/ lars@aurora

common/files/keys/rikus.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdSBzhclr9x4cVkOQ9c9qF3Fh3XWYYhVwK/GZwg46IXyhrKNx2c083ciNqke8vh+yTALbONhwyOlV/D6RsfYye+nSdsr/Cd68vRknt4S410Zd32/ug+w9WgSj3MWIuOVHwb75/BA2zbeKJf0PrBhBSPfkQXfPXkzXXjd678TgDYisz4hO4a41ELaIEzqEKMO4PMEetPBqEQ3SBAbtIReftznD2d60Uk4z/IS6WjdJM+TLyKwGE1tFt/w/+T8f+bGg8N5KIyLQPCGb5HLfmgJUcdfCSqAqADuMz4TMGkw2Gf/b8rDjjckbszQoUvqgt68usgvdwYwsAH9B9amzZZ99J hinrikus.wolf@x220

common/files/keys/rikusfsmpi.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW+gTiH5WdKI6IQQEq1u7cMiQuWGjnd+fTUYrVoOpHcbTOcHI3LN+YbHZTiiYo79v36LLRDgPx0gbesWmyAm2lhRyPt+flzvt+KPQsPyz1H2+4tNu8NJpf/6iVbP5H3VwbkzECnEwjACrBoUOWmx6JO8OcEK2CSoyzkDmDL7Cx2eeQM0Tsty0KdrkaMI4MvpuMPHVZxUXUlk8N2wxVUPtFPYtGA6a466RUJuIvIt8rAzdnftLRPHJ3sAZLuAw4N1F89CWJ1K8iVI/6mAMyqv7YFsGoehJcmwMDCPm8ahkqyv+h9F56eSrVsdHmfv2b758Oh2mVVdHec3dYkoPYBt4QuzRwtHi+wlKpMk2EDFJHTa9DdL/1aW2MpttBtw6bmBsnvkERg6Wm23jWD6IXctrevqmcrgiHoU+1fLb778O1RZSvwutiRyA77fntyLm4X2hWZlTKbSnAsHK6ZK/oT9+TDof7pgJI5Gs78oiiC87VWWKrCZPVFK+L/a9ylKbTpHbxNAyJAEHsMFiHtBi429sMWwqt3hNYwhrP6b5Jjjkp6ZZsUtjBwqkJz1zymDeGZaSBYyVgUPbnsnUW2Ru2GqmzqxPbDFZqacCAFtO0Xl3iilrJRykDrNvLHpgbDVG9hKqXcOw/tQoBD9R/I/ld7dnyuTkn1cIW+3LqHxMlV0wOHQ== hinrikus@admin

common/files/keys/robin.pub

-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnhJfWZEL7BRjsCfqVxW9xOvaLmiKoPaihXpCGH/4dw robin@fsmpi.rwth-aachen.de

common/files/keys/robinfs.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDjB5Xk53wkDFn0h4Uh7L7A0JwpO9G63qNmo1OcUUIH5ZtC6j+nY8lN3aofAXK5Chg64uLoASLFgSQ5EPpfTCltSg7dQkkm0+yIrHbE54pa1Znev4ZsgqHsQeg39+7JBL2X9bLq+S9Bh55spBOhnd9K4lnzSxzLXgvZXviujvO+cSZxiyzNal2nOzSxzpC4vfkPgUeXPcP0iLeLHoAI5cQLFNoCjxuYo53HnJZ+zQHcK2VbI6kBkFbA4W/zE6ryA9LweLZvmLV9Ee1ZC8iTmAApIyi+XrkpkODs15zs+T6szRtxym3EI8h/NxVjbP0PP1+9pKtLOOSGNowSpVBVExmo7eq/TeKFB7nC76env2ZOpP2WD40WYFvqcWL7avo/l3UCY14q7qxKl5zFmImtQwmxVvQuwBz+KcZVpaLdBnTrNi3nxPAlTfjOKUrcy9RvONfWvO7FMXJEbxEcD+Zrb+2Wik/dm1oKxqi7t7dIxqIqkYZgsX4UDJ3bf6MZ4TSzkJEP64cEfjydS5HuB/HazZ8FP3Auoif346PS5gBgVSlJYLvju2Z8wk88djMIw0bdDpVNMjtG1PcNhN0njDzRj3gdA4UqqJQxYWpfvbIUrM9nwmnmQnSyLVeuo28twrXkx6NzvrsAAHHlrrFfXNFiUSuvVAHSCQorOVrJrCr/0seTQ== robin@fsmpi.rwth-aachen.de

common/files/keys/robinrsa.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXVsaWglPMJ+jnfvXWy3u+FOwkTe0C9mrATcW9ei6vUl2euBZocz3IuPeK37e53YKcji6RrukY2HYzx5MQgGdv29DFwSlpR5aWmwmTklWFnlneEuD1sbgq/lYD+HJRLRRDl8TbWbza8gS/Vd9UXS0ueAbZiE69HPaDmn/1Ah0lm2b7xzL1b6FuDUqR49gs5/FDMlpyXKu4pbD/WH9xuxMi21sf+71wRB3+Gr+c7LJtLBSqItzZKyMWJ4FiLQLHZfqLaPALsjRPEs9j9ZvarLzqkZ+pXCscJe/nzIlEbga7vtcgLs+b5oPNc4ONitmGKuzHZicKp+SbXiNLDe/b6mt robin@fsmpi.rwth-aachen.de

common/files/keys/thomas.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDrhZNSJ7Yqr+DuwQLSRdZXcEPs0cnH87T+6tg4dbzZSVuxEWuGPeo1SR7XU0l7Ut4n/HhBLu1Lw+BeIsH2FbbeLP5QnYEWaCDpaQxy8SYb+6tn7x6GxG0at4hrdk3vm+UAltqhBQLvpZGfLEvGr+E1e0GfQq0y2MU6glqzmOP43h8XcJ7htTGkduuO947K7WTcv5QaN7Mc1uR+a1EvJ2N+t09x1Hl0sm6MwJvPv88AzrmmOWfikJre7XQspmb5XpecNzSAPZ187MQj8XTqzky4RQFo76/yzn++5XCdjJNGOiJb+W5ob+CXJqdwdBZGyo7n4ZNMfqNV3H1Me3XMunjwwnKczO6nN9iQzTQyjqeMsz4p51iz1ccjXvnKgo5NTff+FwU643LYNH3y9WdzqgLkoGR5R7Dy05qSOOQ2dGPGZi18h2iYTz5/OjjJsU+0bIaY0YGkIbVRhFDvToHew09VLSd7nWOqGIrnINwNsPYc7THOn0ys+RTcMPlxE92lIHaKBUl/+a+q5IGzwMEJfY9kuo2GtEiwfe1gWo7nX4O0hE/B1aqbQ9umrVo/CTNvqOHI+tr/LwQYoyWRFlKEZNqFtOdyw6lf+g4CvmupIct9IEYWMLi7L03i6vhnBUf8aQuguC3FCOC3lBdo2hecw29i8j0F87a1rsVRFm2CDHsOQQ== openpgp:0xB565044B

common/files/keys/thomas@fsmpi.pub

-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAMpP3qjdK1UX6Jj2RQACuBCBOVEBnw7cwZVFxbyhYFg thomas@fsmpi.rwth-aachen.de

common/tasks/sshd.yml

@@ -2,13 +2,22 @@
 # file: roles/common/tasks/sshd.yml
 
 - name: ensure sshd is installed
-  apt:  name=openssh-server state=latest
+  apt:
+    name: openssh-server
+    state: installed
   tags:
     - ssh
     - packages 
 
 - name: ensure sshd configured
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    backup: yes
+    validate: '/usr/sbin/sshd -t -f %s'
   notify:
     - restart sshd
   tags:
@@ -16,7 +25,12 @@
     - config
 
 - name: ensure home dir creation on first login
-  copy: src=pam/sshd dest=/etc/pam.d/sshd
+  copy:
+    src: pam/sshd
+    dest: /etc/pam.d/sshd
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - restart sshd
   tags:
@@ -24,29 +38,45 @@
     - config
 
 - name: ensure sshd is running and enabled
-  service: name=ssh state=running enabled=yes
+  service:
+    name: ssh
+    state: started
+    enabled: yes
   tags:
     - ssh
     - service
 
-- name: ensure every ssh-key is installed
-  authorized_key: user=root key="{{ lookup('file', item) }}" state=present
-  with_fileglob:
-    - keys/*.pub
+- name: ensure a proper ssh environment for root
+  file:
+    state: directory
+    path: /root/.ssh
+    owner: root
+    group: root
+    mode: 0700
   tags:
     - ssh
     - root
 
-- name: ensure old ssh-keys are removed
-  authorized_key: user=root key="{{ lookup('file', item) }}" state=absent
-  with_fileglob:
-    - keys-removed/*.pub
+# filename syntax: name.pub or name+dest_host_1,...,dest_host_n.pub
+- name: ensure our and only our keys are authorized for root
+  assemble:
+    dest: /root/.ssh/authorized_keys
+    owner: root
+    group: root
+    mode: 0600
+    remote_src: False
+    src: "{{ authorized_keys }}"
+    backup: True
+    ignore_hidden: True
+    regexp: "([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub"
   tags:
     - ssh
     - root
 
 - name: ensure we fail2ban bad people
-  apt: name=fail2ban state=latest
+  apt:
+    name: fail2ban
+    state: installed
   tags:
     - ssh
     - packages