diff --git a/defaults/main.yml b/defaults/main.yml
index 46c257e..d4477b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,90 +1,4 @@
 ---
-openssh_client_settings:
- Host: "*"
- Port: "22"
- Protocol: "2,1"
- AddressFamily: "any"
- ForwardAgent: "no"
- ForwardX11: "no"
- ForwardX11Timeout: "300"
- ForwardX11Trusted: "no"
- RhostsRSAAuthentication: "no"
- RSAAuthentication: "no"
- PasswordAuthentication: "yes"
- HostbasedAuthentication: "no"
- GSSAPIAuthentication: "no"
- GSSAPIDelegateCredentials: "no"
- GSSAPIKeyExchange: "no"
- GSSAPITrustDNS: "no"
- BatchMode: "no"
- CheckHostIP: "yes"
- ConnectTimeout: "30"
- StrictHostKeyChecking: "ask"
- Cipher: "aes256-cbc"
- MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160"
- EscapeChar: "~"
- Tunnel: "no"
- TunnelDevice: "any:any"
- PermitLocalCommand: "no"
- VisualHostKey: "no"
- ChallengeResponseAuthentication: "yes"
- Compression: "no"
- CompressionLevel: "4"
- ConnectionAttempts: "1"
- ExitOnForwardFailure: "no"
- GatewayPorts: "no"
- UsePrivilegedPort: "no"
- TCPKeepAlive: "no"
+openssh_client_settings: {}
 
-openssh_server_settings:
- Port: "22"
- AddressFamily: "any"
- Protocol: "2"
- UsePrivilegeSeparation: "yes"
- KeyRegenerationInterval: "3600"
- ServerKeyBits: "1024"
- SyslogFacility: "AUTH"
- LogLevel: "INFO"
- LoginGraceTime: "120"
- PermitRootLogin: "no"
- StrictModes: "yes"
- MaxAuthTries: "6"
- MaxSessions: "10"
- RSAAuthentication: "yes"
- PubkeyAuthentication: "yes"
- AuthorizedKeysFile: "%h/.ssh/authorized_keys"
- IgnoreRhosts: "yes"
- RhostsRSAAuthentication: "no"
- HostbasedAuthentication: "no"
- IgnoreUserKnownHosts: "no"
- PermitEmptyPasswords: "no"
- ChallengeResponseAuthentication: "no"
- PasswordAuthentication: "no"
- KerberosAuthentication: "no"
- KerberosOrLocalPasswd: "yes"
- KerberosTicketCleanup: "yes"
- GSSAPIAuthentication: "no"
- GSSAPICleanupCredentials: "yes"
- X11Forwarding: "yes"
- X11DisplayOffset: "10"
- X11UseLocalhost: "yes"
- PrintMotd: "no"
- PrintLastLog: "yes"
- TCPKeepAlive: "yes"
- UseLogin: "no"
- MaxStartups: "10:30:100"
- Banner: "none"
- AcceptEnv: "LANG LC_*"
- Subsystem: "sftp /usr/lib/openssh/sftp-server"
- UsePAM: "yes"
- UseDNS: "no"
- AllowAgentForwarding: "yes"
- AllowTcpForwarding: "yes"
- GatewayPorts: "no"
- ClientAliveInterval: "1750"
- ClientAliveCountMax: "0"
- PermitUserEnvironment: "no"
- Compression: "delayed"
- PidFile: "/var/run/sshd.pid"
- PermitTunnel: "no"
- ChrootDirectory: "none"
+openssh_server_settings: {}
diff --git a/meta/main.yml b/meta/main.yml
index 0c2fa97..4e8a7aa 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
 author: pjan vandaele
 company: ANXS
 description: "Install and configure openssh"
- min_ansible_version: 2.3
+ min_ansible_version: 2.7
 license: MIT
 platforms:
 - name: Ubuntu
diff --git a/tasks/main.yml b/tasks/main.yml
index 4cc7ef7..4f27a11 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,10 +1,35 @@
 ---
-- name: OpenSSH | Make sure server and client packages are installed
+- name: "default dist is xenial"
+ set_fact:
+ openssh_dist_config: "{{openssh_dist_default}}"
+
+- name: "check for dist overrides"
+ stat:
+ path: "{{role_path}}/vars/{{ansible_distribution_release|lower}}.yml"
+ connection: local
+ delegate_to: localhost
+ register: openssh_dist_override
+ become: false
+
+- name: "override dist config"
+ set_fact:
+ openssh_dist_config: "{{ansible_distribution_release|lower}}"
+ when: openssh_dist_override.stat.exists
+
+- name: "include dist overrides"
+ include_vars: "{{openssh_dist_config}}.yml"
+
+- name: "Make sure server and client packages are installed"
 apt:
 pkg: "{{openssh_deps}}"
 state: present
 
-- name: OpenSSH | Configure OpenSSH Client
+- name: "Set configuration with overrides"
+ set_fact:
+ openssh_client_config: "{{openssh_client_default|combine(openssh_client_dist|default({}))|combine(openssh_client_settings)}}"
+ openssh_server_config: "{{openssh_server_default|combine(openssh_server_dist|default({}))|combine(openssh_server_settings)}}"
+
+- name: "Configure OpenSSH Client"
 template:
 src: etc_ssh_ssh_config.j2
 dest: /etc/ssh/ssh_config
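Review bot: `openssh_client_settings` and `openssh_server_settings` are reduced to `{}` with no comment on how they are applied, and the merge that gives them meaning lives in tasks/main.yml, so a reader of defaults/main.yml cannot tell whether a value set here replaces the whole configuration (as it did before this change) or overrides single keys. Add a comment above each map, e.g. `# Per-key overrides, merged last (via combine) over the role defaults in vars/main.yml and the per-release vars/<release>.yml; a key set here always wins.` Since the full defaults now live under vars/, which Ansible gives precedence over inventory and play vars, it is also worth stating that these two maps are the intended place to change any setting.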
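Review bot: The task name `default dist is xenial` describes the wrong release — the value it assigns, `openssh_dist_default`, is `"focal"` in vars/main.yml — so the name will mislead anyone reading the play output; rename it to something like `- name: "set default dist config"` and, if the default release should be visible, document it in a comment next to `openssh_dist_default` instead. Because the stat/override pair only changes `openssh_dist_config` when a matching file exists, an unsupported release silently gets the focal keyword set; a short comment above the stat task saying that this fallback is deliberate (the per-release files exist because keyword support differs between OpenSSH versions) would spare the next reader a search. Finally, `ansible_distribution_release` is a fact reported by the managed node and is interpolated unfiltered into a controller-side path that then feeds `include_vars`; if managed nodes are not fully trusted, restrict it to a bare file name with `{{ansible_distribution_release|lower|basename}}` in both the `path:` and the override `set_fact`.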
@@ -12,7 +37,7 @@
 group: root
 mode: 0644
 
-- name: OpenSSH | Configure OpenSSH Server
+- name: "Configure OpenSSH Server"
 template:
 src: etc_ssh_sshd_config.j2
 dest: /etc/ssh/sshd_config
@@ -22,16 +47,16 @@
 notify:
 - restart ssh
 
-- name: OpenSSH | Determine if previously generated host keys
+- name: "Determine if previously generated host keys"
 stat:
 path: "{{openssh_hostkey_file}}"
 register: anxs_openssh_hostkeys
 
-- name: OpenSSH | Ensure all host keys are generated
+- name: "Ensure all host keys are generated"
 command: ssh-keygen -A
 when: not anxs_openssh_hostkeys.stat.exists
 
-- name: OpenSSH | Remember we generated host keys
+- name: "Remember we generated host keys"
 file:
 dest: "{{openssh_hostkey_file}}"
 state: touch
diff --git a/templates/etc_ssh_ssh_config.j2 b/templates/etc_ssh_ssh_config.j2
index 869f9fc..6309442 100644
--- a/templates/etc_ssh_ssh_config.j2
+++ b/templates/etc_ssh_ssh_config.j2
@@ -1,3 +1,4 @@
-{% for key, value in openssh_client_settings.iteritems() %}
-{{key|e}} {{value|e}}
+Host *
+{% for key, value in openssh_client_config.items() %}
+{{' '}}{{key|e}} {{value|e}}
 {% endfor %}
diff --git a/templates/etc_ssh_sshd_config.j2 b/templates/etc_ssh_sshd_config.j2
index 775493e..4126fbe 100644
--- a/templates/etc_ssh_sshd_config.j2
+++ b/templates/etc_ssh_sshd_config.j2
@@ -1,3 +1,3 @@
-{% for key, value in openssh_server_settings.iteritems() %}
+{% for key, value in openssh_server_config.items() %}
 {{key|e}} {{value|e}}
 {% endfor %}
diff --git a/vagrant/roles/openssh b/vagrant/roles/openssh
deleted file mode 120000
index 6581736..0000000
--- a/vagrant/roles/openssh
+++ /dev/null
@@ -1 +0,0 @@
-../../
\ No newline at end of file
diff --git a/vars/bionic.yml b/vars/bionic.yml
new file mode 100644
index 0000000..61b0b3a
--- /dev/null
+++ b/vars/bionic.yml
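Review bot: The `|e` on both `key` and `value` in the new loop line is Jinja's HTML escaper, which is the wrong tool for an ssh_config: any override value containing `"`, `'`, `&`, `<` or `>` — and double quotes are exactly what ssh_config uses for arguments with spaces, e.g. `IdentityFile "~/.ssh/my key"` — is written out as an HTML entity such as `&#34;`, which ssh will not parse as intended. None of the role's own defaults contain those characters, so the problem only surfaces with user overrides, which is precisely the case the merge in tasks/main.yml was added for. Drop the filter: `{{' '}}{{key}} {{value}}`; the same `{{key|e}} {{value|e}}` line is still present, as context, in templates/etc_ssh_sshd_config.j2 and has the same problem.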
@@ -0,0 +1,9 @@
+---
+openssh_client_dist:
+ Cipher: "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc"
+
+openssh_server_dist:
+ RekeyLimit: "default none"
+ KerberosAuthentication: "no"
+ KerberosOrLocalPasswd: "yes"
+ KerberosTicketCleanup: "yes"
diff --git a/vars/bullseye.yml b/vars/bullseye.yml
new file mode 100644
index 0000000..4c70b0f
--- /dev/null
+++ b/vars/bullseye.yml
@@ -0,0 +1,6 @@
+---
+openssh_server_dist:
+ RekeyLimit: "default none"
+ KerberosAuthentication: "no"
+ KerberosOrLocalPasswd: "yes"
+ KerberosTicketCleanup: "yes"
diff --git a/vars/buster.yml b/vars/buster.yml
new file mode 100644
index 0000000..ffd487c
--- /dev/null
+++ b/vars/buster.yml
@@ -0,0 +1,4 @@
+---
+openssh_client_dist:
+ Cipher: "aes256-cbc"
+ RSAAuthentication: "yes"
diff --git a/vars/focal.yml b/vars/focal.yml
new file mode 100644
index 0000000..4c70b0f
--- /dev/null
+++ b/vars/focal.yml
@@ -0,0 +1,6 @@
+---
+openssh_server_dist:
+ RekeyLimit: "default none"
+ KerberosAuthentication: "no"
+ KerberosOrLocalPasswd: "yes"
+ KerberosTicketCleanup: "yes"
diff --git a/vars/main.yml b/vars/main.yml
index c52ac6d..4a66b76 100644
--- a/vars/main.yml
+++ b/vars/main.yml
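Review bot: `Cipher` (singular) on the third line is the SSH protocol-1 keyword; OpenSSH 7.6, which bionic ships, treats it as deprecated and ignores it with a warning, so this list never constrains the client at all — the protocol-2 keyword is `Ciphers`. The value is also shaped like a `Ciphers` preference list and ends with `aes128-cbc,3des-cbc`, which would re-enable CBC modes and 3DES that OpenSSH dropped from its defaults years ago. If the intent is to pin client ciphers, use `Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"`; otherwise delete the key and inherit the distribution default.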
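Review bot: Both keys in this file are SSH protocol-1 options — `Cipher` and `RSAAuthentication` — and OpenSSH 7.9, which buster ships, accepts them only as deprecated no-ops; with the client defaults already fixing `Protocol: "2"`, neither has any effect on buster, and `RSAAuthentication: "yes"` in particular does not enable RSA public-key authentication (that is `PubkeyAuthentication`, already `yes` by default). If a cipher restriction was intended it needs the `Ciphers` keyword, and `aes256-cbc` alone is a poorer choice than the CTR/GCM defaults; otherwise this file can simply be dropped so buster falls back to the focal settings. vars/xenial.yml carries the same two client keys, which are equally inert under `Protocol: "2"`.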
@@ -1,5 +1,85 @@
 ---
+openssh_dist_default: "focal"
 openssh_deps:
 - openssh-client
 - openssh-server
 openssh_hostkey_file: /var/run/anxs-openssh-hostkeys
+
+openssh_client_default:
+ Port: "22"
+ Protocol: "2"
+ AddressFamily: "any"
+ ForwardAgent: "no"
+ ForwardX11: "no"
+ ForwardX11Timeout: "300"
+ ForwardX11Trusted: "no"
+ PasswordAuthentication: "yes"
+ HostbasedAuthentication: "no"
+ GSSAPIAuthentication: "no"
+ GSSAPIDelegateCredentials: "no"
+ GSSAPIKeyExchange: "no"
+ GSSAPITrustDNS: "no"
+ BatchMode: "no"
+ CheckHostIP: "yes"
+ ConnectTimeout: "30"
+ StrictHostKeyChecking: "ask"
+ MACs: "hmac-md5,hmac-sha1,umac-64@openssh.com"
+ EscapeChar: "~"
+ Tunnel: "no"
+ TunnelDevice: "any:any"
+ PermitLocalCommand: "no"
+ VisualHostKey: "no"
+ ChallengeResponseAuthentication: "yes"
+ Compression: "no"
+ ConnectionAttempts: "1"
+ ExitOnForwardFailure: "no"
+ GatewayPorts: "no"
+ UsePrivilegedPort: "no"
+ TCPKeepAlive: "no"
+
+openssh_server_default:
+ Port: "22"
+ AddressFamily: "any"
+ Protocol: "2"
+ SyslogFacility: "AUTH"
+ LogLevel: "INFO"
+ LoginGraceTime: "120"
+ PermitRootLogin: "no"
+ StrictModes: "yes"
+ MaxAuthTries: "6"
+ MaxSessions: "10"
+ PubkeyAuthentication: "yes"
+ AuthorizedKeysFile: "%h/.ssh/authorized_keys"
+ IgnoreRhosts: "yes"
+ HostbasedAuthentication: "no"
+ IgnoreUserKnownHosts: "no"
+ PermitEmptyPasswords: "no"
+ ChallengeResponseAuthentication: "no"
+ PasswordAuthentication: "no"
+ KerberosAuthentication: "no"
+ KerberosOrLocalPasswd: "yes"
+ KerberosTicketCleanup: "yes"
+ GSSAPIAuthentication: "no"
+ GSSAPICleanupCredentials: "yes"
+ X11Forwarding: "yes"
+ X11DisplayOffset: "10"
+ X11UseLocalhost: "yes"
+ PrintMotd: "no"
+ PrintLastLog: "yes"
+ TCPKeepAlive: "yes"
+ MaxStartups: "10:30:100"
+ Banner: "none"
+ AcceptEnv: "LANG LC_*"
+ Subsystem: "sftp /usr/lib/openssh/sftp-server"
+ UsePAM: "yes"
+ UseDNS: "no"
+ AllowAgentForwarding: "yes"
+ AllowTcpForwarding: "yes"
+ GatewayPorts: "no"
+ ClientAliveInterval: "1750"
+ ClientAliveCountMax: "0"
+ PermitUserEnvironment: "no"
+ Compression: "delayed"
+ PidFile: "/var/run/sshd.pid"
+ PermitTunnel: "no"
+ ChrootDirectory: "none"
diff --git a/vars/xenial.yml b/vars/xenial.yml
new file mode 100644
index 0000000..5ca91f9
--- /dev/null
+++ b/vars/xenial.yml
@@ -0,0 +1,11 @@
+---
+openssh_client_dist:
+ Cipher: "aes256-cbc"
+ RSAAuthentication: "yes"
+
+openssh_server_dist:
+ UsePrivilegeSeparation: "yes"
+ KeyRegenerationInterval: "3600"
+ ServerKeyBits: "1024"
+ UseLogin: "no"
+ KerberosGetAFSToken: "no"
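Review bot: The client `MACs` list in `openssh_client_default` — `hmac-md5,hmac-sha1,umac-64@openssh.com` — leads with an MD5-based MAC and contains no SHA-2 or encrypt-then-MAC algorithm, so it can only lower the MAC a connection negotiates compared with the OpenSSH built-in default, and a server that has dropped hmac-sha1 and umac-64 will refuse the client outright with "no matching MAC found". Either delete the key and inherit the distribution default, or list the ETM variants first: `MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"`. On the server side, `ClientAliveInterval: "1750"` with `ClientAliveCountMax: "0"` does not give a consistent idle timeout across the targeted releases: OpenSSH 8.2 (focal, which is also the role's fallback) redefined a count of 0 as "never terminate", whereas the earlier releases on xenial, bionic and buster drop the session at the first idle interval; if the pair is meant as a roughly 30-minute idle cut-off, use a non-zero count such as `ClientAliveInterval: "300"` and `ClientAliveCountMax: "6"`, and say so in a comment above the two keys.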