Ansible playbook that you can use to control ssh access to your linux servers. You can install or remove keys, tune sshd options and install additional software.
Vladimir Smagin 097d28d245 become for pip upgrading 2 years ago
group_vars Set additional SSHd options, check if required by Ansible Python2 is installed, bugfixes 2 years ago
host_vars import ssh 2 years ago
roles become for pip upgrading 2 years ago
secrets import ssh 2 years ago
.gitignore import ssh 2 years ago
ansible.cfg import ssh 2 years ago
inventory.ini import ssh 2 years ago
readme.md + 2 years ago
ssh-keys.sh import ssh 2 years ago
ssh-keys.yml Set additional SSHd options, check if required by Ansible Python2 is installed, bugfixes 2 years ago

readme.md

Ansible centralized keys management

Installation: git clone https://git.blindage.org/21h/ansible-library.git -b centralized-keys

Now you can configure your security. Remember that dicts in a parent group merge with dicts in its child groups. Warning! The playbook will delete all public keys in root's .ssh/authorized_keys file and set up its own super key; only after that are the public keys listed in group_vars and host_vars added to the assigned users' .ssh/authorized_keys files. If you do not want to lose already installed public keys, add all of them to the configuration before the playbook's first run.

Security issue! You need to generate your own super key! Run ssh-keygen -f superkey and replace the keys in the secret/ directory.

Infrastructure:

-- hetzner --|
             |- hetzner-balancers
             |- hetzner-nodes

All servers will be available to the administrator and the assistant, and the servers must have their own internal key for copying files between them. Configuring the parent hetzner group:

    access_list:
      admin: { keypath: "../keys/admin.pub", username: "root" }
      techguy: { keypath: "../keys/techguy.pub", username: "root" }
      interserver: { keypath: "../keys/interserver.pub", username: "root" }

    secret_list:
      interserver: { keypath: "../keys/interserver.pem", username: "root" }

You want to give a developer additional access to all nodes. Configuring the child hetzner-nodes group:

    access_list:
      developer: { keypath: "../keys/developer.pub", username: "dev" }

You can set additional SSHd options as in the code below; see the defaults of the ssh_config role.

    sshd_config_path: "/etc/ssh/sshd_config"

    sshd_options:
      PubkeyAuthentication: "yes"
      PasswordAuthentication: "no"

No need to make additional configuration for hetzner-balancers because the access list is inherited; only the admin keys from the parent group get access there.
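As an added example (not part of this repository), the following Python script models the parent-to-child dict merge and the key installation order described above, so an administrator can preview the per-user authorized_keys a host will end up with and spot root keys that the first run would remove. The group_vars, key contents and super key below are constructed stand-ins, and the parent-to-child merge is assumed to be the one the readme describes.

```python
from collections import defaultdict

# Constructed stand-in for the group_vars files described in the readme.
GROUP_VARS = {
    "hetzner": {
        "access_list": {
            "admin": {"keypath": "../keys/admin.pub", "username": "root"},
            "techguy": {"keypath": "../keys/techguy.pub", "username": "root"},
            "interserver": {"keypath": "../keys/interserver.pub", "username": "root"},
        },
    },
    "hetzner-nodes": {
        "access_list": {"developer": {"keypath": "../keys/developer.pub", "username": "dev"}},
    },
    "hetzner-balancers": {},
}
GROUP_PARENTS = {"hetzner": None, "hetzner-nodes": "hetzner", "hetzner-balancers": "hetzner"}  # child -> parent
# Constructed public-key contents keyed by keypath (in practice read from disk).
KEY_FILES = {
    "../keys/admin.pub": "ssh-ed25519 AAAA...admin admin@corp",
    "../keys/techguy.pub": "ssh-ed25519 AAAA...techguy techguy@corp",
    "../keys/interserver.pub": "ssh-ed25519 AAAA...inter interserver",
    "../keys/developer.pub": "ssh-ed25519 AAAA...dev developer@corp",
}
SUPERKEY_PUB = "ssh-ed25519 AAAA...super ansible-superkey"  # constructed placeholder

def merged_access_list(group):
    """Parent dicts first, child dicts layered on top (child wins on a duplicate name)."""
    chain = []
    while group is not None:  # walk up the parent links
        chain.append(group)
        group = GROUP_PARENTS[group]
    merged = {}
    for g in reversed(chain):  # apply the top-level parent first
        merged.update(GROUP_VARS[g].get("access_list", {}))
    return merged

def expected_authorized_keys(group):
    """Per-user authorized_keys for a host in `group`: root's file is replaced by the super key, then each entry is appended to its user."""
    per_user = defaultdict(list)
    per_user["root"].append(SUPERKEY_PUB)
    for entry in merged_access_list(group).values():
        per_user[entry["username"]].append(KEY_FILES[entry["keypath"]])
    return dict(per_user)

def keys_lost_on_first_run(group, current_root_keys):
    """Keys currently in root's authorized_keys that the playbook would drop."""
    return sorted(set(current_root_keys) - set(expected_authorized_keys(group)["root"]))
```

Feed keys_lost_on_first_run the current contents of a host's root authorized_keys to see which entries must be added to access_list before the first run.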


Copyright by Vladimir Smagin, 2018 http://blindage.org 21h@blindage.org