
added key_state to delete installed public key

master
Vladimir Smagin 2 years ago
parent
commit
440ae05c0b
6 changed files with 46 additions and 9 deletions:
  1. group_vars/hetzner-nodes.yml (+6, -0)
  2. readme.md (+17, -3)
  3. roles/ssh_access/defaults/main.yml (+1, -0)
  4. roles/ssh_access/tasks/main.yml (+4, -1)
  5. roles/ssh_config/defaults/main.yml (+2, -1)
  6. ssh-keys.yml (+16, -4)

group_vars/hetzner-nodes.yml (+6, -0)

@ -1,11 +1,17 @@
# If you want to disable key just add key_state: "absent"
# Example: stupid_manager: { keypath: "../keys/stupid_manager.pub", username: "ubuntu", key_state: "absent" }
access_list:
git: { keypath: "../keys/project-git.pub", username: "root" }
dev1: { keypath: "../keys/developer1.pub", username: "root" }
dev2: { keypath: "../keys/developer2.pub", username: "root" }
# use non-standart sshd config
sshd_config_path: "/var/local/etc/ssh/sshd_config"
# allow password auth instead of defaults
# change defaults here roles/ssh_config/defaults/main.yml
sshd_options:
PasswordAuthentication: "yes"
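Review bot: the `sshd_options` block at the end of this hunk sets `PasswordAuthentication: "yes"` for the whole `hetzner-nodes` group, which overrides the role default of `"no"` in roles/ssh_config/defaults/main.yml for every host in the group. If it is meant as an example of how to relax the default, comment it out the way the `key_state: "absent"` example above it is, so that copying this file does not silently re-enable password logins. Also, "non-standart" in the comment should read "non-standard".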

readme.md (+17, -3)

@ -2,9 +2,7 @@
Installation: ```git clone https://git.blindage.org/21h/ansible-library.git -b centralized-keys```
Now you can configure your security. Remember that dicts in parent group merges with dicts in child groups. Warning! Playbook will delete all public keys in root's ```.ssh/authorized_keys``` file and setup own **super** key, only after this public keys in group_vars and host_vars will be added into assigned users ```.ssh/authorized_keys``` files. If you do not want to lost already installed pubkeys add all of them before playbook first run.
**Security issue!** You need to generate your own super key! Run ```ssh-keygen -f superkey``` and replace keys in ```secret/``` directory.
Now you can configure your security with this simple ansible playbook. Remember that dicts in parent group merges with dicts in child groups.
Infrastructure:
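Review bot: "dicts in parent group merges with dicts in child groups" (grammar: "merge") only holds when ansible.cfg sets `hash_behaviour = merge`; with Ansible's default `replace`, a child group that defines its own `access_list` replaces the parent's dict entirely, so the inheritance the readme promises further down for `hetzner-balancers` would not happen. State which setting the playbook assumes, or use a distinct variable per group and combine them in the role.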
@ -33,6 +31,15 @@ You want to make additional access to all nodes for developer guy. Configuring c
developer: { keypath: "../keys/developer.pub", username: "dev" }
```
Some stupid manager ruined your day, now you want to stop him
```
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }
stupid_manager: { keypath: "../keys/stupid_manager.pub", username: "ubuntu", key_state: "absent" }
```
You can set additional SSHd options like code below, see defaults of ssh_config role.
```
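Review bot: the `stupid_manager` example should also say that `../keys/stupid_manager.pub` has to stay in the repository: `authorized_key` with `state: absent` still needs the key text from `lookup('file', item.value.keypath)` to find the line to remove, and simply deleting the entry from `access_list` runs no task for that user at all, leaving the key installed on every host. "Stop him" is exactly the case where someone may delete the key file first, so this deserves a sentence here.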
@ -45,6 +52,13 @@ sshd_options:
No need to make additional config for ```hetzner-balancers``` because access list will be inherited, only admins accessible.
**Using master key**
Warning! Playbook will delete all public keys in root's ```.ssh/authorized_keys``` file and setup own **super** key, only after this public keys in group_vars and host_vars will be added into assigned users ```.ssh/authorized_keys``` files. If you do not want to lost already installed pubkeys then add all of them to this playbook before first run.
**Security issue!** You need to generate your own super key! Run ```ssh-keygen -f superkey``` and replace keys in ```secret/``` directory. DO NOT USE DEMO KEY!
---
Copyright by Vladimir Smagin, 2018
http://blindage.org
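Review bot: "If you do not want to lost" should be "lose". More importantly, "DO NOT USE DEMO KEY!" means a private key is shipped in `secret/` with every clone of the repository, and a readme warning is a weak control against running it on real hosts. Suggest not committing the demo key pair at all, or making the `master_key` role fail (for example with an `assert` on the key fingerprint) when the key in `secret/` is still the demo one.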

roles/ssh_access/defaults/main.yml (+1, -0)

@ -0,0 +1 @@
default_key_state: "present"

roles/ssh_access/tasks/main.yml (+4, -1)

@ -2,7 +2,10 @@
- name: Set authorized keys
become: true
become_user: "{{ item.value.username }}"
authorized_key: user="{{ item.value.username }}" key="{{ lookup('file', item.value.keypath) }}" state=present
authorized_key:
user: "{{ item.value.username }}"
key: "{{ lookup('file', item.value.keypath) }}"
state: "{{ item.value.key_state | default(default_key_state) }}"
with_dict: "{{ access_list }}"
when: access_list != None and access_list is defined
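Review bot: the `when` condition `access_list != None and access_list is defined` is evaluated left to right, so when `access_list` is not defined at all the `!= None` comparison runs first and fails on the undefined variable before the `is defined` test is reached; swap the order (`access_list is defined and access_list`), which also skips an empty dict. Separately, `lookup('file', item.value.keypath)` now runs for `state: absent` entries too, so a missing `.pub` file for a removed user aborts the whole play rather than just that item; document that the file must be kept, or guard the lookup.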

roles/ssh_config/defaults/main.yml (+2, -1)

@ -7,4 +7,5 @@ sshd_config_path: "/etc/ssh/sshd_config"
sshd_options:
PubkeyAuthentication: "yes"
PasswordAuthentication: "no"
PasswordAuthentication: "no"
# PermitRootLogin: "prohibit-password"
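Review bot: `PermitRootLogin` is left commented out while every example installs keys for `root` and `PasswordAuthentication` is turned off; make `PermitRootLogin: "prohibit-password"` an active default so the result does not depend on the distribution's compiled-in default (OpenSSH releases before 7.0 default to `yes`). Also, the removed and added `PasswordAuthentication: "no"` lines read identically, so that change is presumably trailing whitespace or a missing final newline; worth saying so in the commit message.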

ssh-keys.yml (+16, -4)

@ -8,15 +8,27 @@
vars:
ansible_python_interpreter: /usr/bin/python3
roles:
- python2
# install python 2 and pip, use only for python3-only hosts
#- python2
# Ok, now magic begins
- hosts: all
gather_facts: True
roles:
- master_key
- preinstall
- upgrade_pip
# use master key only if you realy want it
# playbook install it only for root and delete others! allow root auth with key
#- master_key
# upgrade pip before python libs installation in preinstall role
#- upgrade_pip
# preinstall required libs and apps before first server use
#- preinstall
# this role reconfigures sshd server
- ssh_config
# add/remove public keys from servers
- ssh_access
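Review bot: with `master_key` now commented out by default, the readme text in this same commit ("Playbook will delete all public keys in root's .ssh/authorized_keys file and setup own super key") is no longer true for a default run; the readme should say this only happens when the `master_key` role is enabled here. The warning "playbook install it only for root and delete others!" also belongs in the readme rather than only in a comment inside the roles list. Typo: "realy" should be "really".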
