add ssh-enforcement playbook

2020-08-22 15:47:16 -04:00 · 2020-08-22 15:47:16 -04:00 · 2bfed5b9ed
parent b6946a3e26
commit 2bfed5b9ed
5 changed files with 54 additions and 0 deletions
--- a/ubuntu/roles/ssh-enforcement/files/authorized_keys
+++ b/ubuntu/roles/ssh-enforcement/files/authorized_keys
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2DmG7640FmD9QDLDrydiU5kmhJM/ScKOhhHPYndWEdFGMmfnJpqyoPOq5a6cDwLAFyl6ALTjVr6+y4U2hqHmqIs/ds9SeiNzOnPsMUp1DkuVoNyH4WekaA9oXgsb9ZCjHSXB+W3rOgvGYTAuC8GyLYGppInrd6+OKoyZtgx01JYAatfSWGncerNw+x8LiQaF+o62cCDq+3OpyZBbGpLg/wNMtg/Wsaton7fwo2hi8lOkQjzJZPUvPaOcpezK9SLXExyUl+oIcMmGqmExHpXwhA8+TuwbeM5XXT5RJCOw4c2WlMTb93FmdCjtXtInUYc/M80SftdLPokmbzc7uWDV+PX5XVoQCp7JiYS92gkAdlv8aeNMzpbGvd9uUjGKm08dh1aT76I9b9O4sA+vL2PwW2lKdsesksiseF92446kqvOEumB/wh+7yd1N9yOS3Vggasl2iEYgbNiDoCqyXnH6GSHkdxr9CwAyuWy5vmqR5zdV1UsQnRzECrQIFbJpFU98rLfuRM1L9qN4kqxuciv+DAPRm17WAhrjhoZL5xh5+t8TfaO+7qMmjvNO1oRbeTkM0JqdlvcvTUFB7sxDIPuCySIMfi2KTTUpk0i9HHRfJrOr1K02VvwKC302GkFnVEDYKPlXivoI6i1bLaubSZHqDIgUuZeGLTXhG47ner6dMKw== Network Management
--- a/ubuntu/roles/ssh-enforcement/files/sshd_config
+++ b/ubuntu/roles/ssh-enforcement/files/sshd_config
@ -0,0 +1,26 @@
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Some of the Debian specific options sans X11 Forwarding
+# X11 Forwarding is turned off because we don't run X11 on servers
+ChallengeResponseAuthentication no
+PrintMotd no
+AcceptEnv LANG LC_*
+UsePAM yes
--- a/ubuntu/roles/ssh-enforcement/handlers/main.yml
+++ b/ubuntu/roles/ssh-enforcement/handlers/main.yml
@ -0,0 +1,5 @@
+- name: restart sshd
+  service:
+    name: ssh
+    state: restarted
+    enabled: yes
--- a/ubuntu/roles/ssh-enforcement/tasks/main.yml
+++ b/ubuntu/roles/ssh-enforcement/tasks/main.yml
@ -0,0 +1,15 @@
+---
+# This task enforces our OpenSSH server config and authorized_keys for
+# cloud servers
+
+- name: Copy our authorized_keys
+  copy:
+    src: authorized_keys
+    dest: /root/.ssh/authorized_keys
+
+- name: Copy our sshd_config
+  copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+  notify:
+    - restart sshd
--- a/ubuntu/site.yml
+++ b/ubuntu/site.yml
@ -73,3 +73,10 @@

  roles:
    - ipset-deploy
+
+- name: SSH Enforcement
+  hosts: cloud
+  user: root
+
+  roles:
+    - ssh-enforcement
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2DmG7640FmD9QDLDrydiU5kmhJM/ScKOhhHPYndWEdFGMmfnJpqyoPOq5a6cDwLAFyl6ALTjVr6+y4U2hqHmqIs/ds9SeiNzOnPsMUp1DkuVoNyH4WekaA9oXgsb9ZCjHSXB+W3rOgvGYTAuC8GyLYGppInrd6+OKoyZtgx01JYAatfSWGncerNw+x8LiQaF+o62cCDq+3OpyZBbGpLg/wNMtg/Wsaton7fwo2hi8lOkQjzJZPUvPaOcpezK9SLXExyUl+oIcMmGqmExHpXwhA8+TuwbeM5XXT5RJCOw4c2WlMTb93FmdCjtXtInUYc/M80SftdLPokmbzc7uWDV+PX5XVoQCp7JiYS92gkAdlv8aeNMzpbGvd9uUjGKm08dh1aT76I9b9O4sA+vL2PwW2lKdsesksiseF92446kqvOEumB/wh+7yd1N9yOS3Vggasl2iEYgbNiDoCqyXnH6GSHkdxr9CwAyuWy5vmqR5zdV1UsQnRzECrQIFbJpFU98rLfuRM1L9qN4kqxuciv+DAPRm17WAhrjhoZL5xh5+t8TfaO+7qMmjvNO1oRbeTkM0JqdlvcvTUFB7sxDIPuCySIMfi2KTTUpk0i9HHRfJrOr1K02VvwKC302GkFnVEDYKPlXivoI6i1bLaubSZHqDIgUuZeGLTXhG47ner6dMKw== Network Management