From 67fd8b3ecf09fd60fa681d495169b8be1f2b6123 Mon Sep 17 00:00:00 2001 From: Lars Beckers <lars.beckers@rwth-aachen.de> Date: Thu, 13 Jul 2017 19:58:55 +0200 Subject: [PATCH] modify some sshd config details, remove marcel's last keys move pam mkhomedir from ad-auth, rename variables, set defaults, add variables, move molly-guard --- common/defaults/main.yml | 6 +++++ common/files/pam/mkhomedir | 6 +++++ common/files/pam/sshd | 3 --- common/handlers/main.yml | 3 +++ common/tasks/software.yml | 16 ------------- common/tasks/sshd.yml | 41 +++++++++++++++++++++++++++++++-- common/templates/sshd_config.j2 | 12 ++++------ 7 files changed, 59 insertions(+), 28 deletions(-) create mode 100644 common/files/pam/mkhomedir diff --git a/common/defaults/main.yml b/common/defaults/main.yml index 7bf674b..afa7d3a 100644 --- a/common/defaults/main.yml +++ b/common/defaults/main.yml @@ -3,3 +3,9 @@ apt_use_updates: yes apt_use_backports: yes +ssh_authorized_keys: "{{ inventory_dir }}/files/keys" +ssh_mkhomedir: yes +ssh_strong_crypto: yes +ssh_gssapi: yes +ssh_sftp_options: "" +ssh_allow_groups: [] diff --git a/common/files/pam/mkhomedir b/common/files/pam/mkhomedir new file mode 100644 index 0000000..be7b765 --- /dev/null +++ b/common/files/pam/mkhomedir @@ -0,0 +1,6 @@ +Name: Create home directory during login +Default: yes +Priority: 900 +Session-Type: Additional +Session: + required pam_mkhomedir.so umask=0077 skel=/etc/skel diff --git a/common/files/pam/sshd b/common/files/pam/sshd index 6468e83..d70b384 100644 --- a/common/files/pam/sshd +++ b/common/files/pam/sshd @@ -27,9 +27,6 @@ session optional pam_keyinit.so force revoke # Standard Un*x session setup and teardown. @include common-session -# create home dir -session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 - # Print the message of the day upon successful login. # This includes a dynamically generated part from /run/motd.dynamic # and a static (admin-editable) part from /etc/motd. 
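Review bot: The new defaults in common/defaults/main.yml change the security posture silently: `ssh_allow_groups: []` makes the template emit no AllowGroups line at all, so sshd accepts every account, and `ssh_gssapi: yes` turns GSSAPIAuthentication on for every host the role runs on. A one-line comment above each of those two keys stating the consequence, e.g. `# empty list = no AllowGroups directive, every account may log in` and `# renders GSSAPIAuthentication yes; only useful on hosts with a Kerberos keytab`, would stop the next operator from assuming the empty list is a restrictive default. Unless every target host has Kerberos host credentials I would consider defaulting `ssh_gssapi` to off, but that is a policy call for this fleet. Minor style point: Ansible convention is `true`/`false` rather than `yes`, though the existing `apt_*` keys use the same form so that is a file-wide change.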
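Review bot: The new pam-configs profile is `Session-Type: Additional` with `Default: yes`, so once pam-auth-update picks it up pam_mkhomedir runs from common-session for every PAM service (login, su, cron and so on), not only for sshd, which neither the controlling variable `ssh_mkhomedir` nor the task that deploys it conveys. The `Name:` field is the text an operator sees in pam-auth-update, so making the scope explicit there is cheap: `Name: Create home directory during login (all PAM services, not only sshd)`. The commit message says this was moved from ad-auth, so the wider scope is presumably intended; the note is so that toggling `ssh_mkhomedir` is understood to affect more than ssh logins. Moving the umask from 0022 to 0077 for new home directories is the right direction.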
diff --git a/common/handlers/main.yml b/common/handlers/main.yml index d4c2e73..eaae134 100644 --- a/common/handlers/main.yml +++ b/common/handlers/main.yml @@ -21,3 +21,6 @@ - name: update timezone command: dpkg-reconfigure --frontend noninteractive tzdata + +- name: regenerate pam config + shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force diff --git a/common/tasks/software.yml b/common/tasks/software.yml index e2e54a8..a0c6604 100644 --- a/common/tasks/software.yml +++ b/common/tasks/software.yml @@ -36,22 +36,6 @@ # tags: # - packages -- name: ensure we got ourselves protected from sleepiness - apt: name=molly-guard state=latest - tags: - - molly - - packages - - shell - - ssh - -- name: ensure screen does not interfere with sleepiness - copy: src=molly-guard dest=/etc/molly-guard/rc - tags: - - molly - - config - - shell - - ssh - - name: remove unused packages command: apt-get autoremove -y tags: diff --git a/common/tasks/sshd.yml b/common/tasks/sshd.yml index d1dea60..45b7b0a 100644 --- a/common/tasks/sshd.yml +++ b/common/tasks/sshd.yml @@ -24,7 +24,7 @@ - ssh - config -- name: ensure home dir creation on first login +- name: ensure standard pam configuration for sshd copy: src: pam/sshd dest: /etc/pam.d/sshd @@ -37,6 +37,20 @@ - ssh - config +- name: ensure pam creates a home dir if necessary + copy: + src: pam/mkhomedir + dest: /usr/share/pam-configs/mkhomedir + owner: root + group: root + mode: 0644 + when: "ssh_mkhomedir" + notify: + - regenerate pam config + tags: + - pam + - config + - name: ensure sshd is running and enabled service: name: ssh @@ -65,7 +79,7 @@ group: root mode: 0600 remote_src: False - src: "{{ authorized_keys }}" + src: "{{ ssh_authorized_keys }}" backup: True ignore_hidden: True regexp: "([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub" 
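Review bot: The new `regenerate pam config` handler uses `shell:` only to prefix an environment variable; `command:` plus Ansible's `environment:` does the same without spawning a shell: `command: pam-auth-update --force` / `environment:` / `  DEBIAN_FRONTEND: noninteractive`. Worth a comment on the handler that `--force` makes pam-auth-update rewrite /etc/pam.d/common-* from the profiles and drop any manual edits there; this role ships /etc/pam.d/sshd itself so the sshd stack is unaffected, but other hand-edited common-* stacks on a host would be reset the first time this handler fires.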
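Review bot: The new `ensure pam creates a home dir if necessary` task in common/tasks/sshd.yml only installs the profile; when `ssh_mkhomedir` is later set to no, the task is skipped and a profile already on the host stays in /usr/share/pam-configs with `Default: yes`, so home directories keep being created and the variable cannot actually switch the feature off. A matching removal task that notifies the same handler closes that gap. Separately, the octal `mode: 0644` should be quoted (`mode: "0644"`) so YAML hands Ansible the string rather than a parsed integer, which is the form the Ansible docs recommend.

```yaml
# … unchanged: task that copies pam/mkhomedir when ssh_mkhomedir is set …

- name: ensure pam does not create home dirs when disabled
  file:
    path: /usr/share/pam-configs/mkhomedir
    state: absent
  when: "not ssh_mkhomedir"
  notify:
    - regenerate pam config
  tags:
    - pam
    - config
```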
@@ -80,3 +94,26 @@ tags: - ssh - packages + +- name: ensure we got ourselves protected from sleepiness + apt: + name: molly-guard + state: installed + tags: + - molly + - packages + - shell + - ssh + +- name: ensure screen does not interfere with sleepiness + copy: + src: molly-guard + dest: /etc/molly-guard/rc + owner: root + group: root + mode: 0644 + tags: + - molly + - config + - shell + - ssh diff --git a/common/templates/sshd_config.j2 b/common/templates/sshd_config.j2 index b6a2164..0fadada 100644 --- a/common/templates/sshd_config.j2 +++ b/common/templates/sshd_config.j2 @@ -7,9 +7,11 @@ Port 22 #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 +{% if ssh_strong_crypto %} KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +{% endif %} # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key @@ -59,7 +61,7 @@ ChallengeResponseAuthentication no #KerberosTicketCleanup yes # GSSAPI options -#GSSAPIAuthentication no +GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }} #GSSAPICleanupCredentials yes X11Forwarding yes @@ -75,11 +77,7 @@ Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* -{% if sftpoptions is defined %} -Subsystem sftp /usr/lib/openssh/sftp-server {{ sftpoptions }} -{% else %} -Subsystem sftp /usr/lib/openssh/sftp-server -{% endif %} +Subsystem sftp /usr/lib/openssh/sftp-server {{ ssh_sftp_options }} # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will 
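Review bot: `state: installed` in the re-added molly-guard task is a deprecated alias of `state: present`; write `state: present`. The move also changes the previous `state=latest` to an install-only check, so molly-guard is no longer upgraded by this play; that is fine if intended, but it is a behaviour change the commit message does not mention. In the copy task the mode is better quoted as `mode: "0644"` so YAML does not first parse it as an octal integer.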
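Review bot: The MACs line that the new `{% if ssh_strong_crypto %}` guard now controls still lists `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`; OpenSSH 7.6 removed ripemd160 MAC support and sshd treats an unknown name in MACs as a fatal configuration error, so on a host with a newer sshd the role default `ssh_strong_crypto: yes` would leave the daemon unable to start. If the fleet is pinned to an older OpenSSH this is not an issue yet, but dropping the two entries costs nothing because the SHA-2 and UMAC MACs ahead of them are preferred anyway: `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com`. Independently, adding `validate: '/usr/sbin/sshd -t -f %s'` to the task that renders this template (outside this hunk) would catch any such rejection before the live config is replaced. A short comment above the guard saying that with the flag off the installed OpenSSH version's built-in defaults apply would also help a reader of the rendered file.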
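Review bot: `GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}` relies on Jinja truthiness, so a value supplied as a string, which is what `-e ssh_gssapi=no` on the command line produces, is truthy and renders `GSSAPIAuthentication yes`, the opposite of what the operator asked for. Filtering through `bool` makes the directive follow the variable in both forms: `GSSAPIAuthentication {{ 'yes' if ssh_gssapi | bool else 'no' }}`. The same applies to the new `{% if ssh_strong_crypto %}` guard earlier in this file, which should read `{% if ssh_strong_crypto | bool %}`. Since this line replaces a commented-out default and the role default turns GSSAPI on, a comment naming the variable that controls it would make the rendered file self-explanatory.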
@@ -92,6 +90,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server # and ChallengeResponseAuthentication to 'no'. UsePAM yes -{% for group in allowedgroups %} +{% for group in ssh_allow_groups %} AllowGroups {{ group }} {% endfor %} -- GitLab
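Review bot: The renamed loop `{% for group in ssh_allow_groups %}` still renders one `AllowGroups` line per list entry; sshd_config documents the keyword as a single space-separated list, so a single directive is the documented form and easier to audit on the host: `{% if ssh_allow_groups %}` / `AllowGroups {{ ssh_allow_groups | join(' ') }}` / `{% endif %}`. In either form a scalar value (for example `-e ssh_allow_groups=admins`) is iterated character by character and would lock out the intended group, so an `assert` that the variable is a list before the template is rendered is worth adding in the task file. With the role default of an empty list nothing is emitted, meaning no group restriction at all; the template should say so right above the loop, e.g. `# no AllowGroups rendered => every account may log in`.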