From 0a26c830f1d3cc7efc390499f4fa95ac1fb1d689 Mon Sep 17 00:00:00 2001 From: Andrew Wang Date: Sun, 3 Oct 2021 16:31:41 -0400 Subject: [PATCH] add ssh role --- mirror/main.yml | 1 + roles/mirror/tasks/main.yml | 16 +++- roles/ssh/tasks/main.yml | 73 +++++++++++++++++ roles/ssh/templates/ssh-mirror.service | 18 +++++ roles/ssh/templates/sshd_config | 70 +++++++++++++++++ roles/ssh/templates/sshd_mirror_config | 105 +++++++++++++++++++++++++ roles/system/tasks/main.yml | 42 ++++------ 7 files changed, 295 insertions(+), 30 deletions(-) create mode 100644 roles/ssh/tasks/main.yml create mode 100644 roles/ssh/templates/ssh-mirror.service create mode 100644 roles/ssh/templates/sshd_config create mode 100644 roles/ssh/templates/sshd_mirror_config diff --git a/mirror/main.yml b/mirror/main.yml index a75d42f..77359a5 100644 --- a/mirror/main.yml +++ b/mirror/main.yml @@ -8,4 +8,5 @@ # - "../roles/ftp" # - "../roles/nginx" # - "../roles/rsync" + # - "../roles/ssh" # TODO: - "../roles/mirrormanager" \ No newline at end of file diff --git a/roles/mirror/tasks/main.yml b/roles/mirror/tasks/main.yml index d75f2b9..a2728f7 100644 --- a/roles/mirror/tasks/main.yml +++ b/roles/mirror/tasks/main.yml @@ -102,5 +102,17 @@ follow: no force: yes -# TODO: copy over merlin.service and start/enable service -# this will create /mirror/merlin/run/merlin.sock \ No newline at end of file +- name: copy merlin.service + copy: + src: "{{ role_path }}/templates/mirror/merlin/merlin.service" + dest: "/etc/systemd/system/merlin.service" + owner: root + group: root + mode: "0644" + +# - name: start merlin.service +# # merlin is disabled on mirror +# systemd: +# name: merlin +# state: started +# # enabled: yes \ No newline at end of file diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml new file mode 100644 index 0000000..35d31f8 --- /dev/null +++ b/roles/ssh/tasks/main.yml 
@@ -0,0 +1,73 @@ +# TODO: create second virsh network interface +# for now we will just run the second ssh instance on port 23 + +- name: copy ssh daemon configs + copy: + src: "{{ role_path }}/templates/{{ item }}" + dest: "/etc/ssh/{{ item }}" + owner: root + group: root + mode: "0644" + loop: + - sshd_config + - sshd_mirror_config + +- name: copy ssh-mirror.service + copy: + src: "{{ role_path }}/templates/ssh-mirror.service" + dest: "/etc/systemd/system/ssh-mirror.service" + owner: root + group: root + mode: "0644" + +- name: generate keys for sshd + # is ssh_host_dsa_key or ssh_host_ecdsa_key used anywhere? + command: + cmd: > + ssh-keygen -q + -t {{ item.type }} + -f /etc/ssh/{{ item.file }} + -N "" + creates: /etc/ssh/{{ item.file }} + loop: + - { file: ssh_host_dsa_key, type: dsa } + - { file: ssh_host_ecdsa_key, type: ecdsa } + - { file: ssh_host_ed25519_key, type: ed25519 } + - { file: ssh_host_rsa_key, type: rsa } + - { file: ssh_mirror_ed25519_key, type: ed25519 } + - { file: ssh_mirror_rsa_key, type: rsa } + +- name: create .ssh for mirror and push + file: + path: "/home/{{ item }}/.ssh" + owner: "{{ item }}" + group: "{{ item }}" + mode: "0700" + state: directory + +- name: create authorized_keys files for mirror and push + file: + path: "/home/{{ item }}/.ssh/authorized_keys" + owner: "{{ item }}" + group: "{{ item }}" + mode: "0644" + +- name: generate key for mirror user + command: + cmd: > + ssh-keygen -q + -t rsa + -f /home/mirror/.ssh/id_rsa + -N "" + creates: /home/mirror/.ssh/id_rsa + +- name: start and enable ssh-mirror + systemd: + name: ssh-mirror + state: started + enabled: yes + +- name: restart ssh + systemd: + name: ssh + state: restarted \ No newline at end of file diff --git a/roles/ssh/templates/ssh-mirror.service b/roles/ssh/templates/ssh-mirror.service new file mode 100644 index 0000000..f026f24 --- /dev/null +++ b/roles/ssh/templates/ssh-mirror.service 
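Review bot: The tasks "create .ssh for mirror and push" and "create authorized_keys files for mirror and push" reference `{{ item }}` but carry no `loop:`, so the play fails on an undefined variable before any key is installed, and the authorized_keys task uses the `file` module without `state: touch`, which errors when the file does not yet exist. Separately, the host keys generated here are `ssh_mirror_ed25519_key`/`ssh_mirror_rsa_key`, while sshd_mirror_config in this same commit loads `ssh_mirror_host_ed25519_key`/`ssh_mirror_host_rsa_key`, so the ssh-mirror instance has no usable host key and will not start — pick one naming and use it in both files. Because the final task restarts ssh unconditionally with freshly copied configs, add `validate: "/usr/sbin/sshd -t -f %s"` to the config copy task so a broken sshd_config cannot lock you out of port 22; `sshd -t` needs the referenced host keys to exist, so the key-generation task has to move ahead of the copy. The `ssh_host_dsa_key` entry is referenced by neither config and DSA is disabled by default in current OpenSSH, so it can be dropped from the loop.
```yaml
# … unchanged: header comment …

# … moved up, unchanged: "generate keys for sshd" (without the dsa entry) …

- name: copy ssh daemon configs
  copy:
    src: "{{ role_path }}/templates/{{ item }}"
    dest: "/etc/ssh/{{ item }}"
    owner: root
    group: root
    mode: "0644"
    # refuse to install a config sshd itself rejects; keys must already exist
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - sshd_config
    - sshd_mirror_config

# … unchanged: copy ssh-mirror.service …

- name: create .ssh for mirror and push
  file:
    path: "/home/{{ item }}/.ssh"
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0700"
    state: directory
  loop:
    - mirror
    - push

- name: create authorized_keys files for mirror and push
  file:
    path: "/home/{{ item }}/.ssh/authorized_keys"
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0600"
    state: touch
    # keep the task idempotent: do not bump timestamps on every run
    modification_time: preserve
    access_time: preserve
  loop:
    - mirror
    - push

# … unchanged: generate key for mirror user, start ssh-mirror, restart ssh …
```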
@@ -0,0 +1,18 @@
+[Unit]
+Description=(Mirror) OpenBSD Secure Shell server
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_mirror_config -D $SSHD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+SyslogIdentifier=sshd-mirror
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd-mirror.service
diff --git a/roles/ssh/templates/sshd_config b/roles/ssh/templates/sshd_config
new file mode 100644
index 0000000..5f5863b
--- /dev/null
+++ b/roles/ssh/templates/sshd_config
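Review bot: The unit starts the second sshd without a config check, so a bad sshd_mirror_config puts ssh-mirror into a restart loop instead of failing fast; add `ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_mirror_config` before ExecStart, mirroring what the distribution's ssh.service does for the main instance. The unit also sources `/etc/default/ssh` and appends `$SSHD_OPTS`, which is the same file the port-22 daemon reads, so any option set there for the main instance (a `-p` or `-o` override, for example) silently applies to the port-23 daemon as well; presumably a dedicated `/etc/default/ssh-mirror` is intended, so either point `EnvironmentFile` there or drop `$SSHD_OPTS`. Sharing the `sshd_not_to_be_run` kill switch with ssh.service may be deliberate, but it is worth a comment in the unit such as `# honours the same /etc/ssh/sshd_not_to_be_run switch as ssh.service`.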
@@ -0,0 +1,70 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# vm does not have multiple ips
+#
+# # What ports, IPs and protocols we listen for
+# ListenAddress 10.15.134.71
+# ListenAddress 129.97.134.146
+
+Port 22
+
+# Use only protocol version 2
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+UsePAM yes
+StrictModes yes
+PermitRootLogin yes
+LoginGraceTime 120
+MaxStartups 25:30:100
+
+# password authentication via PAM (single sign-on initial case)
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# keyboard-interactive authentication (like password, works with +needchange)
+ChallengeResponseAuthentication yes
+
+# kerberos (single sign-on already authenticated case)
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck no
+
+# public key authentication with authorized_keys
+PubkeyAuthentication yes
+
+# no single sign-on via hosts.equiv; we use kerberos
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# no builtin kerberos auth with password, we do the same via pam_krb5
+KerberosAuthentication no
+
+# allow X forwarding
+X11Forwarding yes
+X11DisplayOffset 10
+
+# PAM prints these already
+PrintMotd no
+PrintLastLog no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
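Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` and `ChallengeResponseAuthentication yes` exposes the root account to online password guessing on port 22; unless root password logins are genuinely required, change it to `PermitRootLogin prohibit-password` so root is reachable only by key or GSSAPI. The `MACs` line is commented out, which leaves the server's default MAC list in effect while `KexAlgorithms` and `Ciphers` are pinned; if a hardened set is intended, uncomment it without the `hmac-ripemd160` entries, which current OpenSSH releases no longer accept. `Protocol 2` and `UsePrivilegeSeparation yes` are accepted but ignored (or warned about) by any sshd new enough to speak the listed `curve25519-sha256@libssh.org` and `chacha20-poly1305@openssh.com` algorithms, so they can be dropped to keep startup logs clean.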
diff --git a/roles/ssh/templates/sshd_mirror_config b/roles/ssh/templates/sshd_mirror_config
new file mode 100644
index 0000000..2ea3621
--- /dev/null
+++ b/roles/ssh/templates/sshd_mirror_config
@@ -0,0 +1,105 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# vm does not have multiple ips
+# this instance of sshd listens to port 23
+#
+# # What ports, IPs and protocols we listen for
+# ListenAddress 129.97.134.71
+# ListenAddress 2620:101:f000:4901:c5c::f:1055
+#
+# Port 22
+
+Port 23
+
+# Use only protocol version 2
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_mirror_host_ed25519_key
+HostKey /etc/ssh/ssh_mirror_host_rsa_key
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+UsePAM yes
+StrictModes yes
+PermitRootLogin no
+LoginGraceTime 120
+MaxStartups 25:30:100
+
+# allow password auth
+# # password authentication via PAM (single sign-on initial case)
+# PasswordAuthentication no
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# keyboard-interactive authentication (like password, works with +needchange)
+ChallengeResponseAuthentication no
+
+# kerberos (single sign-on already authenticated case)
+GSSAPIAuthentication no
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck no
+
+# public key authentication with authorized_keys
+PubkeyAuthentication yes
+
+# no single sign-on via hosts.equiv; we use kerberos
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# no builtin kerberos auth with password, we do the same via pam_krb5
+KerberosAuthentication no
+
+# allow X forwarding
+X11Forwarding no
+X11DisplayOffset 10
+
+# PAM prints these already
+PrintMotd no
+PrintLastLog no
+
+# Allow 
client to pass locale environment variables +# AcceptEnv LANG LC_* + +#Subsystem sftp /usr/lib/openssh/sftp-server + +# Disallow forwarding +AllowTcpForwarding no +AllowStreamLocalForwarding no +AllowAgentForwarding no + +# Don't execute rc +PermitUserRC no + +# Disable TTY (might need to re-enable if needed) +PermitTTY no + +# Don't print the last log, pointless in this environment +PrintLastLog no + +# UseDNS +# To restrict keys to a certain host +UseDNS yes + +# Allow users of the mirror group +AllowGroups push +DenyUsers mirror + +# chroot +# we may want this +ChrootDirectory /mirror/merlin + +Match group push + AuthorizedKeysFile /home/%u/.ssh/authorized_keys + diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml index c5df269..c5add08 100755 --- a/roles/system/tasks/main.yml +++ b/roles/system/tasks/main.yml @@ -9,28 +9,23 @@ - { group: syscom, gid: 10001 } - { group: csc-mirror, gid: 10014 } -- name: create push user - # push home should be / - user: - uid: 1002 - name: push - group: push - shell: /bin/sh - create_home: no - -- name: create other users +- name: create users # syscom and csc-mirror homes are on /users + # can login to every user using password user: uid: "{{ item.uid }}" name: "{{ item.user }}" group: "{{ item.user }}" - shell: /bin/bash + shell: "{{ item.shell }}" create_home: "{{ item.home }}" + password: "{{ 'password' | password_hash('sha512') }}" + update_password: on_create loop: - - { user: local, uid: 1000, home: yes } - - { user: mirror, uid: 1001, home: yes } - - { user: syscom, uid: 10001, home: no } - - { user: csc-mirror, uid: 10014, home: no } + - { user: local, uid: 1000, shell: /bin/bash, home: yes } + - { user: mirror, uid: 1001, shell: /bin/bash, home: yes } + - { user: push, uid: 1002, shell: /bin/sh, home: no } + - { user: syscom, uid: 10001, shell: /bin/bash, home: no } + - { user: csc-mirror, uid: 10014, shell: /bin/bash, home: no } - name: add mirror to push group user: 
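Review bot: The mirror instance keeps `PasswordAuthentication yes` for the `push` group even though the `Match group push` block already points `AuthorizedKeysFile` at per-user authorized_keys, so the shared push account on port 23 stays reachable by password guessing; set `PasswordAuthentication no` (the commented-out line for it is already in the file) and rely on keys alone. `ChrootDirectory /mirror/merlin` is only honoured if every component of that path is root-owned and not group- or world-writable, otherwise sshd rejects the login with a "bad ownership or modes" error; this commit does not set the ownership of /mirror/merlin anywhere visible, so the role should assert it with a `file:` task (`owner: root`, `mode: "0755"`) rather than assume it. `UseDNS yes` only affects hostname patterns in `from=` key options and costs a reverse lookup on every connection; if the plan is to pin keys to a source, `from="IP/CIDR"` does that without DNS, and `UseDNS no` is the safer default.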
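Review bot: The new `password: "{{ 'password' | password_hash('sha512') }}"` in "create users" gives every account in the loop — local, mirror, push, syscom and csc-mirror — the literal password `password`, and the same commit enables `PasswordAuthentication yes` in both sshd configs, so each of these users becomes trivially guessable over SSH on ports 22 and 23. Remove the `password:` line (or take the hash from a vaulted variable) and lock the accounts that are meant to be key-only, for example `password_lock: yes` for push; `update_password: on_create` does not mitigate this, since the weak password is set exactly at creation. If a throwaway password is genuinely wanted for a local test VM, gate it with something like `when: mirror_dev_passwords | default(false)` so it cannot reach a production host. Note also that `password_hash('sha512')` without a fixed salt yields a different hash on every run, which is only masked by `update_password: on_create`.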
@@ -38,11 +33,6 @@ groups: push append: yes -# TODO: ssh to push user should chroot to /mirror/merlin -# mirror does not have entry in sshd_config as would have expected - -# why are the file permissions like this? - - name: create /mirror file: path: /mirror @@ -68,14 +58,14 @@ mode: "0775" - name: create zfs mountpoint -# inconsistency: only .cscmirror1 is owned by mirror -# .cscmirror(2|3) is owned by root +# only .cscmirror1 is owned by mirror +# .cscmirror(2|3) are owned by root file: path: /mirror/root/.cscmirror + state: directory owner: mirror group: mirror mode: "0755" - state: directory - name: install zfs apt: @@ -119,8 +109,4 @@ cscmirror raidz2 {{ disk_arg }} - when: zpool_exists.rc != 0 - -# - name: mount zool -# command: zfs mount -a -# when: zpool_exists.rc != 0 \ No newline at end of file + when: zpool_exists.rc != 0 \ No newline at end of file