modify some sshd config details, remove marcel's last keys

move pam mkhomedir from ad-auth, rename variables, set defaults, add variables, move molly-guard

modify some sshd config details, remove marcel's last keys
67fd8b3e · Lars Beckers · c65d1255 · 67fd8b3e · 67fd8b3e · 67fd8b3e
Commit 67fd8b3e authored 7 years ago by Lars Beckers
--- a/common/defaults/main.yml
+++ b/common/defaults/main.yml
@@ -3,3 +3,9 @@
 apt_use_updates: yes
 apt_use_backports: yes
+ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
+ssh_mkhomedir: yes
+ssh_strong_crypto: yes
+ssh_gssapi: yes
+ssh_sftp_options: ""
+ssh_allow_groups: []
--- a/common/files/pam/mkhomedir
+++ b/common/files/pam/mkhomedir
+Name: Create home directory during login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required        pam_mkhomedir.so umask=0077 skel=/etc/skel
--- a/common/files/pam/sshd
+++ b/common/files/pam/sshd
@@ -27,9 +27,6 @@ session    optional     pam_keyinit.so force revoke
 # Standard Un*x session setup and teardown.
 @include common-session
-# create home dir
-session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
 # Print the message of the day upon successful login.
 # This includes a dynamically generated part from /run/motd.dynamic
 # and a static (admin-editable) part from /etc/motd.

--- a/common/handlers/main.yml
+++ b/common/handlers/main.yml
@@ -21,3 +21,6 @@
 - name: update timezone
  command: dpkg-reconfigure --frontend noninteractive tzdata
+- name: regenerate pam config
+  shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force
--- a/common/tasks/software.yml
+++ b/common/tasks/software.yml
@@ -36,22 +36,6 @@
 #  tags:
 #    - packages
- name: ensure we got ourselves protected from sleepiness
-  apt: name=molly-guard state=latest
-  tags:
-    - molly
-    - packages
-    - shell
-    - ssh
- name: ensure screen does not interfere with sleepiness
-  copy: src=molly-guard dest=/etc/molly-guard/rc
-  tags:
-    - molly
-    - config
-    - shell
-    - ssh
 - name: remove unused packages
  command: apt-get autoremove -y
  tags:

--- a/common/tasks/sshd.yml
+++ b/common/tasks/sshd.yml
@@ -24,7 +24,7 @@
    - ssh
    - config
- name: ensure home dir creation on first login
+- name: ensure standard pam configuration for sshd
  copy:
    src: pam/sshd
    dest: /etc/pam.d/sshd
@@ -37,6 +37,20 @@
    - ssh
    - config
+- name: ensure pam creates a home dir if necessary
+  copy:
+    src: pam/mkhomedir
+    dest: /usr/share/pam-configs/mkhomedir
+    owner: root
+    group: root
+    mode: 0644
+  when: "ssh_mkhomedir"
+  notify:
+    - regenerate pam config
+  tags:
+    - pam
+    - config
 - name: ensure sshd is running and enabled
  service:
    name: ssh
@@ -65,7 +79,7 @@
    group: root
    mode: 0600
    remote_src: False
-    src: "{{ authorized_keys }}"
+    src: "{{ ssh_authorized_keys }}"
    backup: True
    ignore_hidden: True
    regexp: "([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub"
@@ -80,3 +94,26 @@
  tags:
    - ssh
    - packages
+- name: ensure we got ourselves protected from sleepiness
+  apt:
+    name: molly-guard
+    state: installed
+  tags:
+    - molly
+    - packages
+    - shell
+    - ssh
+- name: ensure screen does not interfere with sleepiness
+  copy:
+    src: molly-guard
+    dest: /etc/molly-guard/rc
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - molly
+    - config
+    - shell
+    - ssh
--- a/common/templates/sshd_config.j2
+++ b/common/templates/sshd_config.j2
@@ -7,9 +7,11 @@ Port 22
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 Protocol 2
+{% if ssh_strong_crypto %}
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+{% endif %}
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
@@ -59,7 +61,7 @@ ChallengeResponseAuthentication no
 #KerberosTicketCleanup yes
 # GSSAPI options
-#GSSAPIAuthentication no
+GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
 #GSSAPICleanupCredentials yes
 X11Forwarding yes
@@ -75,11 +77,7 @@ Banner /etc/issue.net
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
-{% if sftpoptions is defined %}
+Subsystem sftp /usr/lib/openssh/sftp-server {{ ssh_sftp_options }}
-Subsystem sftp /usr/lib/openssh/sftp-server {{ sftpoptions }}
-{% else %}
-Subsystem sftp /usr/lib/openssh/sftp-server
-{% endif %}
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
@@ -92,6 +90,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-{% for group in allowedgroups %}
+{% for group in ssh_allow_groups %}
 AllowGroups {{ group }}
 {% endfor %}