From ff5f3d8b8957295d7d1ed2c9f51cf9e15c42eda6 Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Wed, 1 May 2024 18:35:53 +0200
Subject: Harden SSH security and prevent some misconfigurations

Disable agent forwarding and X11 forwarding in the default configuration. Users can still forward this if they really want to by installing a custom forwarder and utilizing their shell access to spawn it, but with this, we're making it impossible for people to accidentally forward their agent or their X socket to the remote server. Additionally, change the SSH configuration such that only the Python Discord users are allowed to log in.
---
 ansible/roles/common/handlers/main.yml | 8 +-------
 ansible/roles/common/meta/main.yml | 3 +++
 ansible/roles/common/tasks/main.yml | 17 ++++++++++++++++-
 ansible/roles/pydis-users/meta/main.yml | 3 +++
 ansible/roles/pydis-users/tasks/main.yml | 15 +++++++++++++++
 ansible/roles/ssh/handlers/main.yml | 7 +++++++
 6 files changed, 45 insertions(+), 8 deletions(-)
 create mode 100644 ansible/roles/common/meta/main.yml
 create mode 100644 ansible/roles/pydis-users/meta/main.yml
 create mode 100644 ansible/roles/ssh/handlers/main.yml
(limited to 'ansible')
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 68db0ad..2b4beea 100644
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@@ -1,10 +1,4 @@
-- name: Reload ssh
- service:
- name: ssh
- state: reloaded
- tags:
- - role::common
-
+---
 - name: Restart systemd-timesyncd
 service:
 name: systemd-timesyncd
diff --git a/ansible/roles/common/meta/main.yml b/ansible/roles/common/meta/main.yml
new file mode 100644
index 0000000..5526b6b
--- /dev/null
+++ b/ansible/roles/common/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - ssh
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 4cfae85..8b5fd19 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -14,16 +14,31 @@
 tags:
 - role::common
+# Temporary cleanup task. Can be removed later.
+- name: Remove old SSH daemon options file
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/pydis.conf
+ state: absent
+ tags:
+ - role::common
+
 - name: Configure SSH daemon options
 ansible.builtin.copy:
 content: |
 # Ansible managed
+ # Logins
 PasswordAuthentication no
 PermitRootLogin no
+
+ # Forwarding
+ AllowAgentForwarding no
+ X11Forwarding no
+
+ # Connection keepalive
 ClientAliveInterval 300
 ClientAliveCountMax 3
- dest: /etc/ssh/sshd_config.d/pydis.conf
+ dest: /etc/ssh/sshd_config.d/hardening.conf
 owner: root
 group: root
 mode: "0444"
diff --git a/ansible/roles/pydis-users/meta/main.yml b/ansible/roles/pydis-users/meta/main.yml
new file mode 100644
index 0000000..5526b6b
--- /dev/null
+++ b/ansible/roles/pydis-users/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - ssh
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
index 8378af8..c9642d7 100644
--- a/ansible/roles/pydis-users/tasks/main.yml
+++ b/ansible/roles/pydis-users/tasks/main.yml
@@ -25,3 +25,18 @@
 loop: "{{ pydis_users__users | dict2items }}"
 tags:
 - role::pydis-users
+
+- name: Allow SSH logins for pydis users
+ ansible.builtin.copy:
+ content: |
+ # Ansible managed
+
+ AllowUsers {{ pydis_users__users | sort | join(' ') }}
+ dest: /etc/ssh/sshd_config.d/pydis-users-login.conf
+ owner: root
+ group: root
+ mode: "0444"
+ notify:
+ - Reload ssh
+ tags:
+ - role::pydis-users
diff --git a/ansible/roles/ssh/handlers/main.yml b/ansible/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..7b582d9
--- /dev/null
+++ b/ansible/roles/ssh/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Reload ssh
+ service:
+ name: ssh
+ state: reloaded
+ tags:
+ - role::ssh
-- 
cgit v1.2.3
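Review bot: The options written to `/etc/ssh/sshd_config.d/hardening.conf` only take effect if no earlier-included fragment sets the same keywords, because sshd keeps the first value it reads for each keyword and the drop-in directory is included in lexical order; if the target ships a distribution drop-in with a numeric prefix (digits sort before `h`), that file silently wins for `PasswordAuthentication` and the rest. Either give the file a low numeric prefix or add an assertion on the effective configuration after the reload so the hardening is verified rather than assumed. Independently, neither this copy nor the `AllowUsers` copy in the pydis-users hunk validates the fragment before the `Reload ssh` handler fires, so a malformed file would be reloaded into the running daemon; adding `validate: /usr/sbin/sshd -t -f %s` to both `ansible.builtin.copy` tasks rejects it before it lands. The `Remove old SSH daemon options file` task carries no `notify`, which is only harmless because the new copy changes on the same run; the copy task's remaining keys continue outside the hunk.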
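Review bot: The rendered `AllowUsers {{ pydis_users__users | sort | join(' ') }}` line has no guard for its degenerate cases: an empty `pydis_users__users` renders a bare `AllowUsers` keyword, which sshd may reject or treat in a way nobody intended, and any populated list restricts logins to exactly those names, so the account Ansible itself connects as must be among them or the next run locks itself out. Precede the copy with an `ansible.builtin.assert` that the sorted key list is non-empty and contains `ansible_user`, so the check runs before the `Reload ssh` notification is queued. The filter chain also assumes the dict keys are the login names; if the `dict2items` loop above creates accounts from `item.key` that holds, otherwise render the same attribute here.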
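Review bot: The new handler uses the short module name `service:` while the task files in this commit use fully qualified names (`ansible.builtin.copy`, `ansible.builtin.file`); for consistency write `ansible.builtin.service:`. The unit name `ssh` is the Debian/Ubuntu one; if any inventory host names the unit `sshd`, the handler would need a variable there, though no such host is visible from this diff.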