21h
/
ansible-ssh-management
Watch 1
Star 1
Fork 0
Code Releases 0 Wiki Activity
Browse Source

Изменить 'readme.md'

master
Vladimir Smagin 1 year ago
parent
456001874e
commit
89a8cd11cd
1 changed files with 1 additions and 54 deletions
Split View Show Diff Stats
  1. 1
    54
      readme.md

+ 1
- 54
readme.md View File

@@ -2,61 +2,7 @@

Installation: ```git clone https://git.blindage.org/21h/ansible-ssh-management.git```

Now you can configure your security with this simple ansible playbook. Remember that dicts in parent group merges with dicts in child groups.

Infrastructure:

```
|- hetzner-balancers
|- hetzner-nodes
```

All servers will be available to the administrator and assistant, servers must have own internal key for files copying. Configuring parent ```hetzner```group:

```
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }
interserver: { keypath: "../keys/interserver.pub", username: "root" }

secret_list:
interserver: { keypath: "../keys/interserver.pem", username: "root" }
```

You want to make additional access to all nodes for developer guy. Configuring child ```hetzner-nodes``` group:

```
access_list:
developer: { keypath: "../keys/developer.pub", username: "dev" }
```

Some stupid manager ruined your day, now you want to stop him

```
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }
stupid_manager: { keypath: "../keys/stupid_manager.pub", username: "ubuntu", key_state: "absent" }
```

You can set additional SSHd options like code below, see defaults of ssh_config role.

```
sshd_config_path: "/etc/ssh/sshd_config"

sshd_options:
PubkeyAuthentication: "yes"
PasswordAuthentication: "no"
```

No need to make additional config for ```hetzner-balancers``` because access list will be inherited, only admins accessible.

**Using master key**

Warning! Playbook will delete all public keys in root's ```.ssh/authorized_keys``` file and setup own **super** key, only after this public keys in group_vars and host_vars will be added into assigned users ```.ssh/authorized_keys``` files. If you do not want to lost already installed pubkeys then add all of them to this playbook before first run.

**Security issue!** You need to generate your own super key! Run ```ssh-keygen -f superkey``` and replace keys in ```secret/``` directory. DO NOT USE DEMO KEY!
Read documentation on wiki pages here https://git.blindage.org/21h/ansible-ssh-management/wiki/


---

Write Preview
Loading…
Cancel
Save