| author | 2024-05-01 18:35:53 +0200 | |
|---|---|---|
| committer | 2024-05-01 18:44:56 +0200 | |
| commit | ff5f3d8b8957295d7d1ed2c9f51cf9e15c42eda6 (patch) | |
| tree | c1a7fd317d3c450b10649f9e37088ad2a4aa6628 | |
| parent | Depend on ansible-core instead of Ansible (diff) | |
Harden SSH security and prevent some misconfigurations
Disable agent forwarding and X11 forwarding in the default
configuration. Users can still forward this if they really want to by
installing a custom forwarder and utilizing their shell access to spawn
it, but with this, we're making it impossible for people to accidentally
forward their agent or their X socket to the remote server.
Additionally, change the SSH configuration such that only the Python
Discord users are allowed to log in.
| -rw-r--r-- | ansible/roles/common/handlers/main.yml | 8 | ||||
| -rw-r--r-- | ansible/roles/common/meta/main.yml | 3 | ||||
| -rw-r--r-- | ansible/roles/common/tasks/main.yml | 17 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/meta/main.yml | 3 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/tasks/main.yml | 15 | ||||
| -rw-r--r-- | ansible/roles/ssh/handlers/main.yml | 7 | 
6 files changed, 45 insertions, 8 deletions
| diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml index 68db0ad..2b4beea 100644 --- a/ansible/roles/common/handlers/main.yml +++ b/ansible/roles/common/handlers/main.yml @@ -1,10 +1,4 @@ -- name: Reload ssh -  service: -    name: ssh -    state: reloaded -  tags: -    - role::common - +---  - name: Restart systemd-timesyncd    service:      name: systemd-timesyncd diff --git a/ansible/roles/common/meta/main.yml b/ansible/roles/common/meta/main.yml new file mode 100644 index 0000000..5526b6b --- /dev/null +++ b/ansible/roles/common/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: +  - ssh diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml index 4cfae85..8b5fd19 100644 --- a/ansible/roles/common/tasks/main.yml +++ b/ansible/roles/common/tasks/main.yml @@ -14,16 +14,31 @@    tags:      - role::common +# Temporary cleanup task. Can be removed later. +- name: Remove old SSH daemon options file +  ansible.builtin.file: +    path: /etc/ssh/sshd_config.d/pydis.conf +    state: absent +  tags: +    - role::common +  - name: Configure SSH daemon options    ansible.builtin.copy:      content: |        # Ansible managed +      # Logins        PasswordAuthentication no        PermitRootLogin no + +      # Forwarding +      AllowAgentForwarding no +      X11Forwarding no + +      # Connection keepalive        ClientAliveInterval 300        ClientAliveCountMax 3 -    dest: /etc/ssh/sshd_config.d/pydis.conf +    dest: /etc/ssh/sshd_config.d/hardening.conf      owner: root      group: root      mode: "0444" diff --git a/ansible/roles/pydis-users/meta/main.yml b/ansible/roles/pydis-users/meta/main.yml new file mode 100644 index 0000000..5526b6b --- /dev/null +++ b/ansible/roles/pydis-users/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: +  - ssh diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml index 8378af8..c9642d7 100644 
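Review bot: The `Configure SSH daemon options` task in `ansible/roles/common/tasks/main.yml` copies `hardening.conf` into `sshd_config.d` without validating it, so a typo in the drop-in is only noticed when the `Reload ssh` handler runs, which is the worst moment for sshd to refuse its configuration. Add `validate: /usr/sbin/sshd -t -f %s` to the copy task so the file is parsed before it replaces the old one. Whether these directives take effect at all also depends on the host's main `sshd_config` reaching its `Include sshd_config.d/*.conf` line before any competing `PermitRootLogin`/`X11Forwarding` setting, since sshd keeps the first value it sees; the role does not check that, and a one-line comment stating the assumption would help the next maintainer. The comment `# Temporary cleanup task. Can be removed later.` would be more useful naming the condition, e.g. `# Temporary cleanup: removes the pre-rename pydis.conf; drop once every host has run this role once.` The task's `notify` lies outside the hunk.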
--- a/ansible/roles/pydis-users/tasks/main.yml
+++ b/ansible/roles/pydis-users/tasks/main.yml
@@ -25,3 +25,18 @@
   loop: "{{ pydis_users__users | dict2items }}"
   tags:
     - role::pydis-users
+
+- name: Allow SSH logins for pydis users
+  ansible.builtin.copy:
+    content: |
+      # Ansible managed
+
+      AllowUsers {{ pydis_users__users | sort | join(' ') }}
+    dest: /etc/ssh/sshd_config.d/pydis-users-login.conf
+    owner: root
+    group: root
+    mode: "0444"
+  notify:
+    - Reload ssh
+  tags:
+    - role::pydis-users
diff --git a/ansible/roles/ssh/handlers/main.yml b/ansible/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..7b582d9
--- /dev/null
+++ b/ansible/roles/ssh/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Reload ssh
+  service:
+    name: ssh
+    state: reloaded
+  tags:
+    - role::ssh
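Review bot: The `AllowUsers {{ pydis_users__users | sort | join(' ') }}` line in `ansible/roles/pydis-users/tasks/main.yml` renders as a bare `AllowUsers` when `pydis_users__users` is empty, which sshd either rejects at reload or, on some releases, treats as no restriction at all; guard the task with `when: pydis_users__users | length > 0` or an `ansible.builtin.assert`, and add `validate: /usr/sbin/sshd -t -f %s` so the file is checked before the `Reload ssh` handler fires. `sort` on the dict yields its keys, so the rendered list is the usernames, which is correct but deserves a comment such as `# the dict keys are the usernames`. The account Ansible itself connects as has to be one of those keys, otherwise this task locks the controller out after the reload; I cannot tell from here whether the inventory guarantees that.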
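Review bot: The new `Reload ssh` handler in `ansible/roles/ssh/handlers/main.yml` is tagged `role::ssh` while the tasks that notify it carry `role::common` and `role::pydis-users`; if a run filtered with `--tags role::pydis-users` skips handlers whose tags do not match (I am not certain of the current ansible-core behaviour), the AllowUsers file would be written without sshd ever being reloaded. Either add the notifying roles' tags to the handler or state in a comment that the handler is expected to run regardless of tag filtering.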
