Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/pip/ansible-9.4.0
dependabot/github_actions/actions/setup-python-5.1.0
fix/14704
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e8947f318b'
${ noResults }
algo/roles/ssh_tunneling/tasks/main.yml

106 lines
2.9 KiB
YAML
Raw Blame History

---
- block:
- name: Ensure that the sshd_config file has desired options
blockinfile:
dest: /etc/ssh/sshd_config
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
block: |
Match Group algo
AllowTcpForwarding local
AllowAgentForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
X11Forwarding no
notify:
- restart ssh
- name: Ensure that the algo group exist
group: name=algo state=present
- name: Ensure that the jail directory exist
file:
path: /var/jail/
state: directory
mode: 0755
owner: root
group: "{{ root_group|default('root') }}"
- name: Ensure that the SSH users exist
user:
name: "{{ item }}"
groups: algo
home: '/var/jail/{{ item }}'
createhome: yes
generate_ssh_key: yes
shell: /bin/false
ssh_key_type: ecdsa
ssh_key_bits: 256
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
ssh_key_passphrase: "{{ p12_export_password }}"
update_password: on_create
state: present
append: yes
with_items: "{{ users }}"
tags: update-users
- name: The authorized keys file created
file:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
owner: "{{ item }}"
group: "{{ item }}"
state: link
with_items: "{{ users }}"
tags: update-users
- name: Generate SSH fingerprints
shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints
- name: Fetch users SSH private keys
fetch:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
flat: yes
mode: "0600"
with_items: "{{ users }}"
tags: update-users
- name: Fetch the known_hosts file
local_action:
module: template
src: known_hosts.j2
dest: configs/{{ IP_subject_alt_name }}/known_hosts
become: no
- name: Build the client ssh config
local_action:
module: template
src: ssh_config.j2
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh_config
mode: 0600
become: false
tags: update-users
with_items: "{{ users }}"
- name: SSH | Get active system users
shell: >
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
register: valid_users
tags: update-users
- name: SSH | Delete non-existing users
user:
name: "{{ item }}"
state: absent
remove: yes
force: yes
when: item not in users
with_items: "{{ valid_users.stdout_lines | default('null') }}"
tags: update-users
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
Reference in New Issue View Git Blame Copy Permalink