add ssh role

mirror/main.yml

@@ -8,4 +8,5 @@
     # - "../roles/ftp"
     # - "../roles/nginx"
     # - "../roles/rsync"
+    # - "../roles/ssh"
     # TODO: - "../roles/mirrormanager"

roles/mirror/tasks/main.yml

@@ -102,5 +102,17 @@
     follow: no
     force: yes
 
-# TODO: copy over merlin.service and start/enable service 
-# this will create /mirror/merlin/run/merlin.sock
+- name: copy merlin.service
+  copy:
+    src: "{{ role_path }}/templates/mirror/merlin/merlin.service"
+    dest: "/etc/systemd/system/merlin.service"
+    owner: root
+    group: root
+    mode: "0644"
+
+# - name: start merlin.service
+#   # merlin is disabled on mirror
+#   systemd:
+#     name: merlin
+#     state: started
+#     # enabled: yes

roles/ssh/tasks/main.yml

@@ -0,0 +1,73 @@
+# TODO: create second virsh network interface
+# for now we will just run the second ssh instance on port 23
+
+- name: copy ssh daemon configs
+  copy:
+    src: "{{ role_path }}/templates/{{ item }}"
+    dest: "/etc/ssh/{{ item }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop:
+    - sshd_config
+    - sshd_mirror_config
+
+- name: copy ssh-mirror.service
+  copy:
+    src: "{{ role_path }}/templates/ssh-mirror.service"
+    dest: "/etc/systemd/system/ssh-mirror.service"
+    owner: root
+    group: root
+    mode: "0644"
+    
+- name: generate keys for sshd
+  # is ssh_host_dsa_key or ssh_host_ecdsa_key used anywhere?
+  command: 
+    cmd: >
+      ssh-keygen -q
+      -t {{ item.type }}
+      -f /etc/ssh/{{ item.file }}
+      -N ""
+    creates: /etc/ssh/{{ item.file }}
+  loop:
+    - { file: ssh_host_dsa_key,       type: dsa }
+    - { file: ssh_host_ecdsa_key,     type: ecdsa }
+    - { file: ssh_host_ed25519_key,   type: ed25519 }
+    - { file: ssh_host_rsa_key,       type: rsa }
+    - { file: ssh_mirror_ed25519_key, type: ed25519 }
+    - { file: ssh_mirror_rsa_key,     type: rsa }
+
+- name: create .ssh for mirror and push
+  file:
+    path: "/home/{{ item }}/.ssh"
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    mode: "0700"
+    state: directory
+
+- name: create authorized_keys files for mirror and push
+  file:
+    path: "/home/{{ item }}/.ssh/authorized_keys"
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    mode: "0644"
+
+- name: generate key for mirror user
+  command:
+    cmd: >
+      ssh-keygen -q
+      -t rsa
+      -f /home/mirror/.ssh/id_rsa
+      -N ""
+    creates: /home/mirror/.ssh/id_rsa
+
+- name: start and enable ssh-mirror
+  systemd:
+    name: ssh-mirror
+    state: started
+    enabled: yes
+
+- name: restart ssh
+  systemd:
+    name: ssh
+    state: restarted

roles/ssh/templates/ssh-mirror.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=(Mirror) OpenBSD Secure Shell server
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_mirror_config -D $SSHD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+SyslogIdentifier=sshd-mirror
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd-mirror.service

roles/ssh/templates/sshd_config

@@ -0,0 +1,70 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# vm does not have multiple ips
+#
+#   # What ports, IPs and protocols we listen for
+#   ListenAddress 10.15.134.71
+#   ListenAddress 129.97.134.146
+
+Port 22
+
+# Use only protocol version 2
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+UsePAM yes
+StrictModes yes
+PermitRootLogin yes
+LoginGraceTime 120
+MaxStartups 25:30:100
+
+# password authentication via PAM (single sign-on initial case)
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# keyboard-interactive authentication (like password, works with +needchange)
+ChallengeResponseAuthentication yes
+
+# kerberos (single sign-on already authenticated case)
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck no
+
+# public key authentication with authorized_keys
+PubkeyAuthentication yes
+
+# no single sign-on via hosts.equiv; we use kerberos
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# no builtin kerberos auth with password, we do the same via pam_krb5
+KerberosAuthentication no
+
+# allow X forwarding
+X11Forwarding yes
+X11DisplayOffset 10
+
+# PAM prints these already
+PrintMotd no
+PrintLastLog no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server

roles/ssh/templates/sshd_mirror_config

@@ -0,0 +1,105 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# vm does not have multiple ips
+# this instance of sshd listens to port 23
+#
+#   # What ports, IPs and protocols we listen for
+#   ListenAddress 129.97.134.71
+#   ListenAddress 2620:101:f000:4901:c5c::f:1055
+#  
+#   Port 22
+
+Port 23
+
+# Use only protocol version 2
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_mirror_host_ed25519_key
+HostKey /etc/ssh/ssh_mirror_host_rsa_key
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+UsePAM yes
+StrictModes yes
+PermitRootLogin no
+LoginGraceTime 120
+MaxStartups 25:30:100
+
+# allow password auth
+#   # password authentication via PAM (single sign-on initial case)
+#   PasswordAuthentication no
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# keyboard-interactive authentication (like password, works with +needchange)
+ChallengeResponseAuthentication no
+
+# kerberos (single sign-on already authenticated case)
+GSSAPIAuthentication no
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck no
+
+# public key authentication with authorized_keys
+PubkeyAuthentication yes
+
+# no single sign-on via hosts.equiv; we use kerberos
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# no builtin kerberos auth with password, we do the same via pam_krb5
+KerberosAuthentication no
+
+# allow X forwarding
+X11Forwarding no
+X11DisplayOffset 10
+
+# PAM prints these already
+PrintMotd no
+PrintLastLog no
+
+# Allow client to pass locale environment variables
+# AcceptEnv LANG LC_*
+
+#Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Disallow forwarding
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+AllowAgentForwarding no
+
+# Don't execute rc
+PermitUserRC no
+
+# Disable TTY (might need to re-enable if needed)
+PermitTTY no
+
+# Don't print the last log, pointless in this environment
+PrintLastLog no
+
+# UseDNS
+# To restrict keys to a certain host
+UseDNS yes
+
+# Allow users of the mirror group
+AllowGroups push
+DenyUsers mirror
+
+# chroot
+# we may want this 
+ChrootDirectory /mirror/merlin
+
+Match group push
+  AuthorizedKeysFile /home/%u/.ssh/authorized_keys
+

roles/system/tasks/main.yml

@@ -9,28 +9,23 @@
     - { group: syscom,      gid: 10001 }
     - { group: csc-mirror,  gid: 10014 }
 
-- name: create push user
-  # push home should be /
-  user:
-    uid: 1002
-    name: push
-    group: push
-    shell: /bin/sh
-    create_home: no
-
-- name: create other users
+- name: create users
   # syscom and csc-mirror homes are on /users
+  # can login to every user using password
   user:
     uid: "{{ item.uid }}"
     name: "{{ item.user }}"
     group: "{{ item.user }}"
-    shell: /bin/bash
+    shell: "{{ item.shell }}"
     create_home: "{{ item.home }}"
+    password: "{{ 'password' | password_hash('sha512') }}"
+    update_password: on_create
   loop:
-    - { user: local,      uid: 1000,  home: yes }
-    - { user: mirror,     uid: 1001,  home: yes }
-    - { user: syscom,     uid: 10001, home: no }
-    - { user: csc-mirror, uid: 10014, home: no }
+    - { user: local,      uid: 1000,  shell: /bin/bash, home: yes }
+    - { user: mirror,     uid: 1001,  shell: /bin/bash, home: yes }
+    - { user: push,       uid: 1002,  shell: /bin/sh,   home: no }
+    - { user: syscom,     uid: 10001, shell: /bin/bash, home: no }
+    - { user: csc-mirror, uid: 10014, shell: /bin/bash, home: no }
 
 - name: add mirror to push group
   user:
@@ -38,11 +33,6 @@
     groups: push
     append: yes
 
-# TODO: ssh to push user should chroot to /mirror/merlin
-# mirror does not have entry in sshd_config as would have expected
-
-# why are the file permissions like this?
-
 - name: create /mirror
   file:
     path: /mirror
@@ -68,14 +58,14 @@
     mode: "0775"
 
 - name: create zfs mountpoint
-# inconsistency: only .cscmirror1 is owned by mirror
-# .cscmirror(2|3) is owned by root
+# only .cscmirror1 is owned by mirror
+# .cscmirror(2|3) are owned by root
   file:
     path: /mirror/root/.cscmirror
+    state: directory
     owner: mirror
     group: mirror
     mode: "0755"
-    state: directory
 
 - name: install zfs
   apt:
@@ -119,8 +109,4 @@
     cscmirror 
     raidz2 
     {{ disk_arg }}
-  when: zpool_exists.rc != 0
-
-# - name: mount zool
-#   command: zfs mount -a 
-#   when: zpool_exists.rc != 0
+  when: zpool_exists.rc != 0