systems/ansible-ssh-bastion
Archived
1
Fork 0
Code Activity
Ansible playbook to setup an SSH bastion server and clients. Clients can be configured in 'standalone' mode.
This repository has been archived on 2026-05-18. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
21 commits 1 branch 0 tags 47 KiB
Find a file
Exact
Jake Howard 02c8000af4
 Disable password authentication 
Only really matters if the key gets compromised, in which case i'm
fucked anyway!
2020-01-26 18:44:43 +00:00
.circleci Specify hosts file when checking 2018-09-03 09:40:44 +01:00
.gitignore Init ansible playbook 2018-09-02 15:16:40 +01:00
bastion.yml Add configuration for standalone servers without bastion 2018-09-04 08:40:18 +01:00
hosts Add configuration for standalone servers without bastion 2018-09-04 08:40:18 +01:00
README.md Document standalone 2018-09-04 08:42:28 +01:00
sshd_config_bastion Disable password authentication 2020-01-26 18:44:43 +00:00
sshd_config_client Remove duplication in SSH configs 2018-09-03 09:12:26 +01:00
sshd_config_common Enable SFTP 2019-12-08 15:39:03 +00:00
sshd_config_standalone Add configuration for standalone servers without bastion 2018-09-04 08:40:18 +01:00
vars.yml add bastion IP to vars 2018-09-02 16:20:04 +01:00

README.md

Ansible SSH Config

Ansible playbook to setup an SSH bastion server and clients.

Security Features

  • Non-standard SSH port for bastion
  • Require key and password for bastion connections
  • 5 minute connection timeout
  • Login within 30 seconds of initial connection
  • Disable SSHv1
  • Separate key for connection to bastion and further hosts
  • No warnings from ssh-audit

Some of the hardening and configuration is based on https://joscor.com/blog/hardening-openssh-server-ubuntu-14-04/.

Usage

  1. Modify the values in vars.yml to match your requirements:
    • user is the user to be used on both the client and bastion machines
    • bastion_ssh_key is the key to use to connect to the bastion machine.
    • enable_root enables SSH connections as root to the bastion
    • bastion_ip is the IP of the bastion, to be baked into the config of the clients.
  2. Populate hosts with your required hosts. A single bastion, and however many clients. standalone can be used to configure clients who don't require connections through the bastion.
  3. Run the playbook with ansible-playbook bastion.yml -i hosts --ask-pass -K