From 14b7b6d2ef7e0ec7ba6f021444fc392546aa63ad Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 28 Jan 2020 20:39:42 +0000
Subject: [PATCH] Internalise SSH config and make it generic to all hosts
---
 .gitmodules | 3 -
 ansible/files/ssh | 1 -
 ansible/main.yml | 6 +-
 ansible/roles/ssh/files/sshd_config | 86 +++++++++++++++++++
 .../roles/{ssh-bastion => ssh}/tasks/main.yml | 2 +-
 5 files changed, 92 insertions(+), 6 deletions(-)
 delete mode 100644 .gitmodules
 delete mode 160000 ansible/files/ssh
 create mode 100644 ansible/roles/ssh/files/sshd_config
 rename ansible/roles/{ssh-bastion => ssh}/tasks/main.yml (92%)
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 329b634..0000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "ansible/files/ssh"]
- path = ansible/files/ssh
- url = https://github.com/RealOrangeOne/ansible-ssh-bastion
diff --git a/ansible/files/ssh b/ansible/files/ssh
deleted file mode 160000
index 02c8000..0000000
--- a/ansible/files/ssh
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 02c8000af47f8db2fb9ca32324a26ddf8c7ec405
diff --git a/ansible/main.yml b/ansible/main.yml
index cfbb073..d63cc68 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -4,5 +4,9 @@ - hosts: casey roles: - - ssh-bastion + - ssh - gateway + +- hosts: intersect + roles: + - ssh
diff --git a/ansible/roles/ssh/files/sshd_config b/ansible/roles/ssh/files/sshd_config
new file mode 100644
index 0000000..ff0cc11
--- /dev/null
+++ b/ansible/roles/ssh/files/sshd_config
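Review bot: The new `intersect` play at the end of the main.yml hunk gives that host the same `ssh` role, whose `sshd_config` template expands `{{ user }}` in `AllowUsers`, so `user` has to be defined for intersect (host_vars, group_vars or inventory) or, with Ansible's default undefined-variable handling, the template task fails for that host; nothing in this diff shows it is set. Intersect also inherits `Port 7743` and the single-user allow list unchanged, which is fine if intended but deserves a comment on the play such as `# the ssh role requires a per-host 'user' variable`.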
@@ -0,0 +1,86 @@
+# TCP port to bind to
+# Change to a high/odd port if this server is exposed to the internet directly
+Port 7743
+
+# Deny all other users besides the following
+AllowUsers {{ user }}
+
+# Bind to all interfaces (change to specific interface if needed)
+ListenAddress 0.0.0.0
+
+# Force SSHv2 Protocol
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Public key authentication + Password authentication
+# Two-Factor Authentication in OpenSSH v6.2+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+
+# Disable root SSH access
+PermitRootLogin no
+
+# Client timeout (5 minutes)
+ClientAliveInterval 300
+ClientAliveCountMax 0
+
+# Compression (only after authentication)
+Compression delayed
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication must happen within 30 seconds
+LoginGraceTime 30
+
+PermitEmptyPasswords no
+
+# Check user folder permissions before allowing access
+StrictModes yes
+
+# Message Authentication Code (Hash, only SHA2-512)
+# SHA-256 included for compat with PuTTY-WinCrypt clients
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+# Ciphers (only secure AES-256)
+Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+
+# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
+# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
+KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
+
+# Don’t read the user’s ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# Disable unused authentication schemes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM no
+
+# X11 support
+X11Forwarding no
+
+# Don’t show Message of the Day
+PrintMotd yes
+
+# TCPKeepAlive (non-tunneled, disabled)
+TCPKeepAlive no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp internal-sftp
diff --git a/ansible/roles/ssh-bastion/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
similarity index 92%
rename from ansible/roles/ssh-bastion/tasks/main.yml
rename to ansible/roles/ssh/tasks/main.yml
index 9a58f5f..d091dbe 100644
--- a/ansible/roles/ssh-bastion/tasks/main.yml
+++ b/ansible/roles/ssh/tasks/main.yml
@@ -11,7 +11,7 @@ - name: SSH config template: - src: files/ssh/sshd_config_bastion + src: files/sshd_config dest: /etc/ssh/sshd_config validate: /usr/sbin/sshd -t -f %s backup: yes
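Review bot: `ClientAliveCountMax 0` does not give the 5-minute idle timeout its comment promises: from OpenSSH 8.2 a count of 0 disables client-alive termination altogether, and on earlier releases the session is dropped at the first probe regardless of whether the client answered, so `ClientAliveInterval 300` with `ClientAliveCountMax 1` is what the comment describes (the target OpenSSH version is not visible in this patch). Several other comments contradict the directive beneath them and should be corrected so the file documents the policy actually enforced: `PrintMotd yes` sits under "Don't show Message of the Day", "Public key authentication + Password authentication" sits above `AuthenticationMethods publickey`, which permits public key only (adding an explicit `PasswordAuthentication no` would make that unmistakable), and "only SHA2-512" / "only secure AES-256" head lists that include SHA-256, umac-128 and AES-128. The `ssh_host_dsa_key` and `ssh_host_ecdsa_key` HostKey lines are never offered to clients because `HostKeyAlgorithms` names only RSA algorithms; ssh-dss has been disabled by default since OpenSSH 7.0 so the DSA line can go, the ECDSA key needs its algorithm (typically `ecdsa-sha2-nistp256` for a default-generated key) listed if it is meant to be used, and `ssh-rsa` (SHA-1 signatures) is off by default from OpenSSH 8.8 while the listed `rsa-sha2-*` entries keep the RSA key usable. `Protocol`, `UsePrivilegeSeparation`, `RSAAuthentication` and `RhostsRSAAuthentication` have been removed from current OpenSSH and only add deprecation warnings to the `sshd -t` validation run.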