Repository contents: group_vars/, host_vars/, roles/, secrets/, .gitignore, ansible.cfg, inventory.ini, readme.md, ssh-keys.sh, ssh-keys.yml
Installation: git clone https://git.blindage.org/21h/ansible-ssh-management.git
Now you can configure SSH access to your servers with this simple Ansible playbook. Remember that dicts in a parent group merge with dicts in its child groups.
Infrastructure:
-- hetzner --|
|- hetzner-balancers
|- hetzner-nodes
All servers must be accessible to the administrator and the assistant, and the servers need their own internal key for copying files between them. Configure the parent hetzner group:
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }
interserver: { keypath: "../keys/interserver.pub", username: "root" }
secret_list:
interserver: { keypath: "../keys/interserver.pem", username: "root" }
You want to give the developer additional access to all nodes. Configure the child hetzner-nodes group:
access_list:
developer: { keypath: "../keys/developer.pub", username: "dev" }
Some stupid manager ruined your day, and now you want to revoke his key (key_state: "absent"):
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }
stupid_manager: { keypath: "../keys/stupid_manager.pub", username: "ubuntu", key_state: "absent" }
You can set additional sshd options as in the code below; see the defaults of the ssh_config role.
sshd_config_path: "/etc/ssh/sshd_config"
sshd_options:
PubkeyAuthentication: "yes"
PasswordAuthentication: "no"
No need for additional config for hetzner-balancers, because the access list is inherited from the parent group; only the admins have access there.
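The parent/child merging and the key_state "absent" entry above decide which keys land on which host, so it is worth resolving the effective access list per host before running the playbook. The following is an added example, not code from the ansible-ssh-management repository; it assumes the repository's ansible.cfg sets hash_behaviour=merge (which the "dicts merge" behaviour described above implies) and reimplements that recursive merge in plain Python over inventory and group_vars constructed from the examples above.

```python
# Constructed inventory: parent group "hetzner" with the readme's two child groups.
INVENTORY = {
    "hetzner": {"children": ["hetzner-balancers", "hetzner-nodes"], "hosts": []},
    "hetzner-balancers": {"children": [], "hosts": ["lb1"]},
    "hetzner-nodes": {"children": [], "hosts": ["node1"]},
}
# Constructed group_vars mirroring the readme's examples.
GROUP_VARS = {
    "hetzner": {"access_list": {
        "admin": {"keypath": "../keys/admin.pub", "username": "root"},
        "techguy": {"keypath": "../keys/techguy.pub", "username": "root"},
        "interserver": {"keypath": "../keys/interserver.pub", "username": "root"},
        "stupid_manager": {"keypath": "../keys/stupid_manager.pub", "username": "ubuntu", "key_state": "absent"},
    }},
    "hetzner-nodes": {"access_list": {
        "developer": {"keypath": "../keys/developer.pub", "username": "dev"},
    }},
}

def merge(parent, child):
    """Recursive dict merge, child wins (what Ansible hash_behaviour=merge does)."""
    out = dict(parent)
    for key, value in child.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out

def group_chain(group):
    """Ancestor groups of `group`, root first, ending with the group itself."""
    chain = []
    for parent, data in INVENTORY.items():
        if group in data["children"]:
            chain.extend(group_chain(parent))
    return chain + [group]

def effective_vars(host):
    """Vars a host sees: parent group_vars merged over by its child group_vars."""
    result = {}
    for group, data in INVENTORY.items():
        if host in data["hosts"]:
            for ancestor in group_chain(group):
                result = merge(result, GROUP_VARS.get(ancestor, {}))
    return result

def authorized_key_plan(host):
    """(username, key name) -> 'present'/'absent': what each authorized_keys gets."""
    return {(e["username"], name): e.get("key_state", "present")
            for name, e in effective_vars(host)["access_list"].items()}
```

Diffing authorized_key_plan output across hosts is a quick way to catch a child group that unexpectedly re-adds or widens an entry defined in the parent.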
Using the master key
Warning! The playbook will delete all public keys in root's .ssh/authorized_keys file and install its own super key; only after that will the public keys from group_vars and host_vars be added to the assigned users' .ssh/authorized_keys files. If you do not want to lose already installed pubkeys, add all of them to this playbook before the first run.
Security issue! You need to generate your own super key! Run ssh-keygen -f superkey and replace the keys in the secret/ directory. DO NOT USE THE DEMO KEY!
Copyright by Vladimir Smagin, 2018 http://blindage.org 21h@blindage.org