From 6649efc76e22f5a2cbd762bd3811c7424de12ca4 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 21 Feb 2022 17:36:20 +0100
Subject: [PATCH] update..

---
group_vars/sprachenatelier.yml | 9 +
roles/common/tasks/main.yml | 8 +-
roles/common/tasks/sshd.yml | 2 +-
.../templates/etc/ssh/sshd_config.ubuntu.j2 | 315 ++++++++++++++++++
4 files changed, 329 insertions(+), 5 deletions(-)
create mode 100644 roles/common/templates/etc/ssh/sshd_config.ubuntu.j2

diff --git a/group_vars/sprachenatelier.yml b/group_vars/sprachenatelier.yml
index 9d4204c..3bfaee4 100644
--- a/group_vars/sprachenatelier.yml
+++ b/group_vars/sprachenatelier.yml
@@ -190,6 +190,13 @@ nis_user: is_samba_user: true password: '270988' + - name: jessica + groups: + - intern + - buero + is_samba_user: true + password: '200594' + - name: konstantin groups: - intern
@@ -443,6 +450,7 @@ samba_shares: - daniel - eva - isadora + - jessica - konstantin - lara - linda
@@ -479,6 +487,7 @@ samba_shares: - daniel - eva - isadora + - jessica - konstantin - lara - linda
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1c67a3b..35e09c8 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -207,10 +207,10 @@ # tags supported inside mount_samba_shares.yml: # -#- import_tasks: mount_samba_shares.yml -# when: "groups['client_pc']|string is search(inventory_hostname)" -# tags: -# - samba-shares +- import_tasks: mount_samba_shares.yml + when: "groups['client_pc']|string is search(inventory_hostname)" + tags: + - samba-shares # Tasks: Configure VNC (x11vnc) for Ubuntu systems
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
index 8af827d..bc77c88 100644
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -65,7 +65,7 @@ - name: (sshd.yml) Create new sshd_config from template sshd_config.j2 template: - src: etc/ssh/sshd_config.j2 + src: etc/ssh/sshd_config.ubuntu.j2 dest: /etc/ssh/sshd_config owner: root group: root
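Review bot: The new `password: '200594'` under `- name: jessica` in the first group_vars hunk is a cleartext credential committed to the repository, and the neighbouring context line `password: '270988'` shows this is the file's established pattern rather than a one-off. Keep the quoted-string form (an unquoted all-digit value would be read as an integer), but move the value out of the plaintext file, e.g. `password: "{{ vault_jessica_password }}"` with the secret in an ansible-vault encrypted vars file, or an inline `!vault` block. A six-digit numeric password is also weak for an account that gets `is_samba_user: true`, so rotating it when it is moved into the vault would be worthwhile. The `nis_user` list this entry belongs to starts before the hunk.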
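Review bot: The re-enabled `when: "groups['client_pc']|string is search(inventory_hostname)"` in the main.yml hunk tests whether the stringified host list contains the host name as a regular expression, so a host name that is a prefix of another (or contains regex metacharacters such as `.`) matches the wrong entries and `mount_samba_shares.yml` is then imported on hosts that are not client PCs. Use list membership instead: `when: inventory_hostname in groups['client_pc']`, and if the `client_pc` group may be absent from some inventories, `when: inventory_hostname in groups.get('client_pc', [])` avoids an undefined-key error. The condition was already present in the commented-out block, so it is inherited rather than introduced here, but this commit is what makes it take effect.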
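Review bot: In the sshd.yml hunk the task name `(sshd.yml) Create new sshd_config from template sshd_config.j2` now disagrees with the new `src: etc/ssh/sshd_config.ubuntu.j2`, which will mislead anyone reading play output; rename it to `- name: (sshd.yml) Create new sshd_config from template sshd_config.ubuntu.j2`. Because a mis-rendered sshd_config can lock every operator out of the host, this template task should also carry `validate: '/usr/sbin/sshd -t -f %s'` so Ansible refuses to install a config that sshd rejects — the task continues past the hunk, so it may already have it. The diffstat shows the old `sshd_config.j2` is not removed; if nothing else references it, deleting it in the same change avoids two diverging copies, and if non-Ubuntu hosts remain in the inventory the task would need a `when` on `ansible_facts['distribution']`, which is not visible here.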
diff --git a/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2 b/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2
new file mode 100644
index 0000000..7970d0c
--- /dev/null
+++ b/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2
@@ -0,0 +1,315 @@
+# {{ ansible_managed }}
+
+#-----------------------------
+# Daemon
+#-----------------------------
+
+# What ports, IPs and protocols we listen for
+{% for item in sshd_ports %}
+Port {{ item }}
+{% endfor %}
+
+# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
+#
+# ListenAddress host|IPv4_addr|IPv6_addr
+# ListenAddress host|IPv4_addr:port
+# ListenAddress [host|IPv6_addr]:port
+#
+# If port is not specified, sshd will listen on the address and all Port options specified. The default
+# is to listen on all local addresses. Multiple ListenAddress options are permitted.
+#
+# ListenAddress ::
+# ListenAddress 0.0.0.0
+# ListenAddress 159.69.72.24
+# ListenAddress 2a01:4f8:231:171f::2
+#
+{% if (sshd_listen_address is defined) and sshd_listen_address %}
+{% for item in sshd_listen_address %}
+ListenAddress {{ item }}
+{% endfor %}
+{% endif %}
+
+# Specifies the protocol versions sshd(8) supports.
+# The possible values are ‘1’ , `2' and ‘1,2’.
+# The default is ‘2’.
+Protocol 2
+
+# HostKeys for protocol version 2
+{% for item in sshd_host_keys %}
+HostKey {{ item }}
+{% endfor %}
+
+# Lifetime and size of ephemeral version 1 server key
+#
+# Note:
+# Deprecated option KeyRegenerationInterval
+# Deprecated option ServerKeyBits
+#
+#KeyRegenerationInterval 3600
+#ServerKeyBits 768
+
+# Specifies the maximum number of concurrent unauthenticated connections
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon
+# separated values.
+# The default is 10.
+#MaxStartups 10:30:100
+#MaxStartups 3
+MaxStartups {{ sshd_max_startups }}
+
+# Specifies the maximum number of authentication attempts permitted per
+# connection.
+# The default is 6.
+MaxAuthTries {{ sshd_max_auth_tries }}
+
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+# The default is 10.
+MaxSessions {{ sshd_max_sessions }}
+
+
+#-----------------------------
+# Authentication
+#-----------------------------
+
+# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# child process to deal with incoming network traffic.
+# The default is "yes" (for security).
+{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
+#
+# Note: (Release 7.5)
+# Deprecated option UsePrivilegeSeparation
+# Privilege separation has been on by default for almost 15 years
+# sandboxing has been on by default for almost the last five
+#
+#UsePrivilegeSeparation sandbox
+{% else %}
+UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
+{% endif %}
+
+# The server disconnects after this time if the user has not
+# successfully logged in.
+# The default is 120 seconds.
+LoginGraceTime 120
+
+# Specifies whether root can log in using ssh(1).
+# The default is "yes".
+# Possible values: yes, no, prohibit-password (or teh older one: without-password)
+#PermitRootLogin yes
+PermitRootLogin {{ sshd_permit_root_login }}
+
+# Specifies whether sshd(8) should check file modes and ownership of the
+# user's files and home directory before accepting login. This is normally
+# desirable because novices sometimes accidentally leave their directory or
+# files world-writable. Note that this does not apply to ChrootDirectory,
+# whose permissions and ownership are checked unconditionally.
+# The default is “yes”.
+StrictModes yes
+
+# Specifies whether pure RSA authentication is allowed. This option
+# applies to protocol version 1 only.
+# The default is “yes”.
+#
+# Note:
+# Deprecated option RSAAuthentication
+#
+#RSAAuthentication yes
+
+# Specifies whether public key authentication is allowed. Note that this
+# option applies to protocol version 2 only.
+# The default is “yes”.
+PubkeyAuthentication {{ sshd_pubkey_authentication }}
+
+# Specifies the file that contains the public keys that can be used for
+# user authentication. The format is described in the AUTHORIZED_KEYS FILE
+# FORMAT section of sshd(8).
+# AuthorizedKeysFile may contain tokens of the form %T which are substituted
+# during connection setup. The following tokens are defined: %% is replaced
+# by a literal '%', %h is replaced by the home directory of the user being
+# authenticated, and %u is replaced by the username of that user. After
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
+# to the user's home directory. Multiple files may be listed, separated by
+# whitespace.
+# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+AuthorizedKeysFile {{ sshd_authorized_keys_file }}
+
+# Specifies whether password authentication is allowed.
+# Change to no to disable tunnelled clear text passwords
+# The default is "yes".
+#PasswordAuthentication yes
+PasswordAuthentication {{ sshd_password_authentication }}
+
+# When password authentication is allowed, it specifies whether the
+# server allows login to accounts with empty password strings.
+# The default is “no”.
+PermitEmptyPasswords no
+
+# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
+# The default is “yes”.
+ChallengeResponseAuthentication no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#
+# Note:
+# Deprecated option RhostsRSAAuthentication
+#
+#RhostsRSAAuthentication no
+
+# similar for protocol version 2
+HostbasedAuthentication no
+
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
+# during RhostsRSAAuthentication or HostbasedAuthentication.
+# The default is “no”.
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# If specified, login is allowed only for user names that match one of
+# the patterns.
+# The allow/deny directives are processed in the following order: DenyUsers,
+# AllowUsers, DenyGroups, and finally AllowGroups.
+# By default, login is allowed for all users.
+{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
+AllowUsers {{ fact_sshd_allowed_users }}
+{% else %}
+#AllowUsers back chris sysadm cityslang christoph
+{% endif %}
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM {{ sshd_use_pam }}
+
+# Specifies whether login(1) is used for interactive login sessions.
+# Note that login(1) is never used for remote command execution.
+# Note also, that if this is enabled, X11Forwarding will be disabled
+# because login(1) does not know how to handle xauth(1) cookies. If
+# UsePrivilegeSeparation is specified, it will be disabled after
+# authentication.
+# The default is “no”.
+#UseLogin no
+
+
+#-----------------------------
+# Cryptography
+#-----------------------------
+
+# use default values for
+# - KexAlgorithms
+# - Ciphers
+# - MACs
+
+#-----------------------------
+# Logging
+#-----------------------------
+
+# Gives the facility code that is used when logging messages from sshd(8).
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+# The default is AUTH.
+SyslogFacility AUTH
+
+# Gives the verbosity level that is used when logging messages from
+# sshd(8).
+# The default is INFO.
+LogLevel INFO
+
+
+#-----------------------------
+# Behavior
+#-----------------------------
+
+# Specifies whether the distribution-specified extra version suffix is included
+# during initial protocol handshake.
+# The default is "yes".
+DebianBanner no
+
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+# By default, no banner is displayed.
+#Banner /etc/issue.net
+
+# Specifies whether sshd(8) should print /etc/motd when a user logs in
+# interactively. (On some systems it is also printed by the shell,
+# /etc/profile, or equivalent.)
+# The default is “yes”.
+PrintMotd {{ sshd_print_motd }}
+
+# Specifies what environment variables sent by the client will be copied
+# into the session's environ(7).
+# The default is not to accept any environment variables.
+AcceptEnv LANG LC_*
+
+# Configures an external subsystem (e.g. file transfer daemon).
+# By default no subsystems are defined.
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Specifies whether sshd(8) should look up the remote host name and check
+# that the resolved host name for the remote IP address maps back to the
+# very same IP address.
+# The default is “yes”.
+UseDNS {{ sshd_use_dns }}
+
+# Specifies whether X11 forwarding is permitted. The argument must be
+# “yes” or “no”. See sshd_config(5) for further expalnation
+# The default is “no”.
+#X11Forwarding yes
+
+# Specifies the first display number available for sshd(8)'s X11
+# forwarding. This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+X11DisplayOffset 10
+
+# Specifies whether the system should send TCP keepalive messages to the
+# other side. If they are sent, death of the connection or crash of one
+# of the machines will be properly noticed. However, this means
+# that connections will die if the route is down temporarily, and some
+# people find it annoying. On the other hand, if TCP keepalives are not
+# sent, sessions may hang indefinitely on the server, leaving “ghost” users
+# and consuming server resources.
+#
+# The default is “yes” (to send TCP keepalive messages), and the server
+# will notice if the network goes down or the client host crashes. This
+# avoids infinitely hanging sessions.
+TCPKeepAlive yes
+
+#Specifies whether sshd(8) should print the date and time of the last
+# user login when a user logs in interactively.
+# The default is “yes”.
+PrintLastLog yes
+
+# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
+# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
+# other remote hosts from connecting to forwarded ports.
+#
+# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
+# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
+# no to force remote port forwardings to be available to the local host only, yes to force
+# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
+# client to select the address to which the forwarding is bound. The default is no.
+#GatewayPorts {{ sshd_gateway_ports }}
+
+
+#-----------------------------
+# Kerberos options
+#-----------------------------
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+
+#-----------------------------
+# GSSAPI options
+#-----------------------------
+
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
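Review bot: The `UsePrivilegeSeparation` block in this new template only takes the modern branch for `ansible_facts['distribution'] == "Debian"` with major version > 9, so on the Ubuntu hosts a file named `sshd_config.ubuntu.j2` is presumably meant for, the `{% else %}` branch renders `UsePrivilegeSeparation {{ sshd_use_privilege_separation }}` — an option the template's own note records as deprecated since OpenSSH 7.5; extend the condition to `{% if ansible_facts['distribution'] == "Ubuntu" or (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version']|int > 9) %}`. The yes/no directives are rendered from unquoted variables (`PasswordAuthentication {{ sshd_password_authentication }}`, `PermitRootLogin {{ sshd_permit_root_login }}`, `UsePAM {{ sshd_use_pam }}`, and others), so if any of those are defined as YAML booleans rather than the strings `'yes'`/`'no'`, Jinja emits `True`/`False`, which sshd's flag parser is unlikely to accept; their definitions are not visible here and should be checked, and a `validate` step on the template task would catch this before it reaches `/etc/ssh/sshd_config`. Since this file replaces the distribution's sshd_config wholesale, it also drops the `Include /etc/ssh/sshd_config.d/*.conf` line newer Ubuntu releases ship at the top of that file, which may be intended but means any drop-in written by other tooling is silently ignored — worth a comment near `# {{ ansible_managed }}` stating that this is deliberate.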