|
|
|
---
|
|
|
|
|
|
|
|
- name: Ensure that the sshd_config file has desired options
|
|
|
|
blockinfile:
|
|
|
|
dest: /etc/ssh/sshd_config
|
|
|
|
marker: '# ANSIBLE_MANAGED_ssh_tunneling_role'
|
|
|
|
block: |
|
|
|
|
Match Group algo
|
|
|
|
AllowTcpForwarding remote
|
|
|
|
AllowAgentForwarding no
|
|
|
|
AllowStreamLocalForwarding no
|
|
|
|
PermitTunnel no
|
|
|
|
X11Forwarding no
|
|
|
|
notify:
|
|
|
|
- restart ssh
|
|
|
|
|
|
|
|
- name: Ensure that the algo group exist
|
|
|
|
group: name=algo state=present
|
|
|
|
|
|
|
|
- name: Ensure that the jail directory exist
|
|
|
|
file: path=/var/jail/ state=directory mode=0755 owner=root group=root
|
|
|
|
|
|
|
|
- name: Ensure that the SSH users exist
|
|
|
|
user:
|
|
|
|
name: "{{ item }}"
|
|
|
|
groups: algo
|
|
|
|
home: '/var/jail/{{ item }}'
|
|
|
|
createhome: yes
|
|
|
|
generate_ssh_key: yes
|
|
|
|
shell: /bin/false
|
|
|
|
ssh_key_type: rsa
|
|
|
|
ssh_key_bits: 2048
|
|
|
|
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
|
|
|
|
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
|
|
|
|
state: present
|
|
|
|
append: yes
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
- name: The authorized keys file created
|
|
|
|
file:
|
|
|
|
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
|
|
|
|
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
|
|
|
|
owner: "{{ item }}"
|
|
|
|
group: "{{ item }}"
|
|
|
|
state: link
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
- name: Generate SSH fingerprints
|
|
|
|
shell: >
|
|
|
|
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
|
|
|
|
register: ssh_fingerprints
|
|
|
|
|
|
|
|
- name: The known_hosts file created
|
|
|
|
template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
|
|
|
|
|
|
|
|
- name: Fetch users SSH private keys
|
|
|
|
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
- name: Fetch the known_hosts file
|
|
|
|
fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes
|