diff --git a/roles/global/install_ssh/README.md b/roles/global/install_ssh/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/roles/global/install_ssh/defaults/main.yml b/roles/global/install_ssh/defaults/main.yml
new file mode 100644
index 0000000..69f7fe7
--- /dev/null
+++ b/roles/global/install_ssh/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+install_ssh_ssh_port: 22
+install_ssh_permit_root_login: "yes"
+install_ssh_password_authentication: "yes"
+install_ssh_ssh_log_level: "INFO"
+install_ssh_ssh_login_grace_time: "2m"
+install_ssh_ssh_max_auth_tries: 6
+install_ssh_ssh_max_sessions: 10
+install_ssh_ssh_max_startups: "10:30:100"
diff --git a/roles/global/install_ssh/files/.gitkeep b/roles/global/install_ssh/files/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/roles/global/install_ssh/handlers/main.yml b/roles/global/install_ssh/handlers/main.yml
new file mode 100644
index 0000000..d0383c6
--- /dev/null
+++ b/roles/global/install_ssh/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart SSH
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
diff --git a/roles/global/install_ssh/meta/main.yml b/roles/global/install_ssh/meta/main.yml
new file mode 100644
index 0000000..f16bc34
--- /dev/null
+++ b/roles/global/install_ssh/meta/main.yml
@@ -0,0 +1,18 @@
+---
+galaxy_info:
+ author: Kevin Heyer
+ description: Role to install and configure SSH on Debian systems
+ company: Skull-IT Kevin Heyer
+ license: MIT
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Debian
+ versions:
+ - buster
+ - bullseye
+ galaxy_tags:
+ - ssh
+ - debian
+ - security
+
+dependencies: []
diff --git a/roles/global/install_ssh/tasks/main.yml b/roles/global/install_ssh/tasks/main.yml
new file mode 100644
index 0000000..e7254d5
--- /dev/null
+++ b/roles/global/install_ssh/tasks/main.yml
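Review bot: The defaults `install_ssh_permit_root_login: "yes"` and `install_ssh_password_authentication: "yes"` make the role's out-of-the-box sshd_config weaker than the upstream OpenSSH default, which has been `PermitRootLogin prohibit-password` since 7.0, so applying the role with no overrides turns on password login as root. Given the `security` tag in meta/main.yml, the safer defaults are `install_ssh_permit_root_login: "prohibit-password"` and `install_ssh_password_authentication: "no"`, with consumers opting into password login explicitly. Keeping these values quoted is correct, since a bare `yes` would be loaded as a YAML boolean and rendered into the template as `True`, which sshd does not accept; that deserves a comment above them, e.g. `# quoted on purpose: sshd needs the literal yes/no, not a YAML boolean`.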
@@ -0,0 +1,22 @@
+---
+- name: Ensure OpenSSH server is installed
+ ansible.builtin.apt:
+ name: openssh-server
+ state: present
+ update_cache: true
+ cache_valid_time: 3600
+
+- name: Ensure OpenSSH server is enabled and started
+ ansible.builtin.service:
+ name: ssh
+ enabled: true
+ state: started
+
+- name: Deploy SSH configuration
+ ansible.builtin.template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: '0600'
+ notify: Restart SSH
diff --git a/roles/global/install_ssh/templates/sshd_config.j2 b/roles/global/install_ssh/templates/sshd_config.j2
new file mode 100644
index 0000000..dd15c27
--- /dev/null
+++ b/roles/global/install_ssh/templates/sshd_config.j2
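Review bot: The `Deploy SSH configuration` task writes /etc/ssh/sshd_config and notifies a restart without validating the rendered file, so a bad render (a mistyped override, or an override passed as an unquoted boolean) is only discovered when `Restart SSH` fails and the host is no longer reachable over SSH. `ansible.builtin.template` supports `validate`, so add `validate: /usr/sbin/sshd -t -f %s` next to `mode: '0600'`; sshd then checks the temporary file before it is moved into place and the task fails instead of the service. Adding `backup: true` as well keeps the previous config on disk for recovery over a console.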
@@ -0,0 +1,70 @@
+# This file is managed by Ansible.
+# Any manual changes will be overwritten.
+
+Port {{ install_ssh_ssh_port }}
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTH
+LogLevel {{ install_ssh_ssh_log_level }}
+
+LoginGraceTime {{ install_ssh_ssh_login_grace_time }}
+PermitRootLogin {{ install_ssh_permit_root_login }}
+StrictModes yes
+
+MaxAuthTries {{ install_ssh_ssh_max_auth_tries }}
+MaxSessions {{ install_ssh_ssh_max_sessions }}
+
+PubkeyAuthentication yes
+
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/ssh_authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ install_ssh_password_authentication }}
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+GatewayPorts no
+X11Forwarding no
+
+# Default value for MaxStartups is 10:30:100
+MaxStartups {{ install_ssh_ssh_max_startups }}
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/roles/global/install_ssh/vars/main.yml b/roles/global/install_ssh/vars/main.yml
new file mode 100644
index 0000000..e69de29
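Review bot: `AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/ssh_authorized_keys` names a single system-wide key file with no `%u` token, so any key listed in /etc/ssh/ssh_authorized_keys is accepted for every account on the host, root included (subject to PermitRootLogin); if a per-user, admin-managed location was intended, `AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u` keeps each key scoped to one account, and if the shared file is deliberate, a comment above the line should say so. The template also replaces Debian's packaged sshd_config without an `Include /etc/ssh/sshd_config.d/*.conf` line, which I believe the stock file carries from bullseye on, so drop-ins placed there by other tooling are silently ignored once the role runs — presumably intended, but worth stating in the header comment so operators do not expect drop-ins to apply. Separately, `ChallengeResponseAuthentication` is a deprecated alias for `KbdInteractiveAuthentication` in newer OpenSSH releases; it still parses on the buster/bullseye targets declared in meta/main.yml, so this only matters when newer platforms are added.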