diff options
author | Ben Copeland <ben.copeland@linaro.org> | 2015-03-11 14:36:12 +0000 |
---|---|---|
committer | Ben Copeland <ben.copeland@linaro.org> | 2015-03-11 14:36:12 +0000 |
commit | d0cf16d03cf465a8e46aeb78e72d3f33dd40a645 (patch) | |
tree | dcc841e30064ffc9065f443c5783147eb774a0a5 |
init
-rw-r--r-- | group_vars/all | 10 | ||||
-rw-r--r-- | host_vars/template.host.vars | 22 | ||||
-rw-r--r-- | ssh-ldap/README.md | 6 | ||||
-rw-r--r-- | ssh-ldap/files/sudoers.d/90-cloud-init-users.j2 | 3 | ||||
-rw-r--r-- | ssh-ldap/handlers/main.yml | 9 | ||||
-rw-r--r-- | ssh-ldap/tasks/main.yml | 239 | ||||
-rw-r--r-- | ssh-ldap/tasks/precise.yml | 56 | ||||
-rw-r--r-- | ssh-ldap/templates/access.conf.j2 | 138 | ||||
-rw-r--r-- | ssh-ldap/templates/gd_bundle.crt | 53 | ||||
-rw-r--r-- | ssh-ldap/templates/ldap-keys.sh.j2 | 22 | ||||
-rw-r--r-- | ssh-ldap/templates/ldap.conf.j2 | 19 | ||||
-rw-r--r-- | ssh-ldap/templates/my_mkhomedir.j2 | 6 | ||||
-rw-r--r-- | ssh-ldap/templates/nscd.conf.j2 | 91 | ||||
-rw-r--r-- | ssh-ldap/templates/nslcd.conf.j2 | 40 | ||||
-rw-r--r-- | ssh-ldap/templates/nsswitch.conf.j2 | 17 | ||||
-rw-r--r-- | ssh-ldap/templates/sshd_config.j2 | 96 | ||||
-rw-r--r-- | ssh-ldap/templates/sudoers.d/sudoers.j2 | 6 | ||||
-rw-r--r-- | ssh-ldap/templates/sudoers.d/sudoers_acl.j2 | 6 | ||||
-rw-r--r-- | ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2 | 7 | ||||
-rw-r--r-- | ssh-servers.yml | 11 |
20 files changed, 857 insertions, 0 deletions
diff --git a/group_vars/all b/group_vars/all new file mode 100644 index 0000000..0abd54a --- /dev/null +++ b/group_vars/all @@ -0,0 +1,10 @@ +--- +# Global vars set here. Host specific vars set in host_vars/ +# This file is used for global defaults. Meaning vars which are either being shared or need to be controlled globably + +##### SSH ##### +# Set the SSH port. +ssh_port: 22 +# Set ldap server. +ldap_server: login.linaro.org + diff --git a/host_vars/template.host.vars b/host_vars/template.host.vars new file mode 100644 index 0000000..64aafec --- /dev/null +++ b/host_vars/template.host.vars @@ -0,0 +1,22 @@ +sudoers_root_acl: + - user.name + +sudoers_access_acl: + - user.name + +sudoers_logaccess: + - logaccess + +sudoers_access: + - /foo/bar/* + - /foo/bin + +sudoers_root: + - (ALL) ALL + +ssh_local: + - localuser + +ssh_access: + - group/user + diff --git a/ssh-ldap/README.md b/ssh-ldap/README.md new file mode 100644 index 0000000..337a03c --- /dev/null +++ b/ssh-ldap/README.md @@ -0,0 +1,6 @@ +This role deploys openssh (client and server) with ldap (nss-ldapd) functionally. + + +Please read the documentation before deploying this role: + +https://collaborate.linaro.org/display/ITS/Deploying+Playbooks#DeployingPlaybooks-Playbook-ssh-servers.yml
\ No newline at end of file diff --git a/ssh-ldap/files/sudoers.d/90-cloud-init-users.j2 b/ssh-ldap/files/sudoers.d/90-cloud-init-users.j2 new file mode 100644 index 0000000..71bbd2b --- /dev/null +++ b/ssh-ldap/files/sudoers.d/90-cloud-init-users.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} +# User rules for ubuntu +ubuntu ALL=(ALL) NOPASSWD:ALL
\ No newline at end of file diff --git a/ssh-ldap/handlers/main.yml b/ssh-ldap/handlers/main.yml new file mode 100644 index 0000000..1a046e0 --- /dev/null +++ b/ssh-ldap/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: ssh - restart agent + service: name=ssh state=restarted enabled=yes + +- name: nscd - restart + service: name=nscd state=restarted enabled=yes + +- name: nslcd - restart + service: name=nslcd state=restarted enabled=yes
\ No newline at end of file diff --git a/ssh-ldap/tasks/main.yml b/ssh-ldap/tasks/main.yml new file mode 100644 index 0000000..ed9784b --- /dev/null +++ b/ssh-ldap/tasks/main.yml @@ -0,0 +1,239 @@ +# +# +# Install and configure openssh server/client with LDAP access +# +# Supported OS Ubuntu 12.04 and 14.04 +# +# Ubuntu 12.04 requires a custom PPA for AuthorizedKeysCommand to work. Because it uses a PPA it requires holding the openssh +# package. If SSH is update on 12.04, and ldap is enabled, ssh *WILL* break. +# +# 14.04 includes the AuthorizedKeysCommand by default. So it just requires installing the openssh-client/server. +--- + +- name: install ssh-ldap for precise 12.04 + include: precise.yml + when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise' + tags: + - install + - precise + - package + +- name: Install ldap tools + action: apt pkg={{ item }} state=latest update_cache=yes force=yes + with_items: + - ldap-utils + - libnss-ldapd + tags: + - install + - package + +- name: Install openssh-client and server for ubuntu 14.04 + action: apt pkg={{ item }} state=latest update_cache=yes + with_items: + - openssh-client + - openssh-server + when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty' + tags: + - install + - package + +- name: uncomment pam_access.so so access.conf works + lineinfile: dest=/etc/pam.d/sshd + regexp='^# account required pam_access.so' + insertafter='^#pam_access.so' + line='account required pam_access.so' + tags: + - configupdate + +- name: Copy bundle file to ca-certificates + template: src=gd_bundle.crt + dest=/usr/share/ca-certificates/ + owner=root + group=root + mode=0644 + ignore_errors: yes + tags: + - install + - sslcert + +- name: update ca-certificates + shell: update-ca-certificates + tags: + - install + - sslcert + +#### Now copy the template files across + +- name: Copy ldap shell script + template: src=ldap-keys.sh.j2 + dest=/etc/ssh/ldap-keys.sh + owner=root + group=root + mode=0755 + notify: + - ssh - restart agent + tags: + - configupdate + +#### Contains LDAP BIND PASSWORD +- name: Copy ldap conf + template: src=ldap.conf.j2 + dest=/etc/ldap.conf + owner=root + group=root + mode=0644 + notify: + - ssh - restart agent + tags: + - configupdate + +#### Contains LDAP BIND PASSWORD +- name: Copy nslcd conf + template: src=nslcd.conf.j2 + dest=/etc/nslcd.conf + owner=root + group=root + mode=0400 + notify: + - nslcd - restart + tags: + - configupdate + +- name: Copy nsswitch conf + template: src=nsswitch.conf.j2 + dest=/etc/nsswitch.conf + owner=root + group=root + mode=0644 + notify: + - nscd - restart + - nslcd - restart + tags: + - configupdate + +- name: Copy nscd.conf + template: src=nscd.conf.j2 + dest=/etc/nscd.conf + owner=root + group=root + mode=0644 + notify: + - nscd - restart + tags: + - configupdate + +- name: update ca-certificates with gd_bundle + lineinfile: dest=/etc/ca-certificates.conf + state=present + regexp='' + insertafter=EOF + line='gd_bundle.crt' + +- name: Copy access.conf + template: src=access.conf.j2 + dest=/etc/security/access.conf + owner=root + group=root + mode=0644 + backup=yes + notify: + - nslcd - restart + tags: + - configupdate + - groupsupdate + +- name: Copy sshd config + template: src=sshd_config.j2 + dest=/etc/ssh/sshd_config + owner=root + group=root + mode=0644 + backup=yes + notify: + - ssh - restart agent + tags: + - configupdate + +- name: copy pam file to create home folders + template: src=my_mkhomedir.j2 + dest=/usr/share/pam-configs/my_mkhomedir + owner=root + group=root + mode=0644 + tags: + - configupdate + - pam + - mkhomedir +- name: Add pam_mkhomedir into pam.d + lineinfile: dest=/etc/pam.d/common-session + state=present + regexp='' + insertafter=EOF + line='session required pam_mkhomedir.so umask=0022 skel=/etc/skel' + when: inventory_hostname != "linaro-private.git.linaro.org" + tags: + - configupdate + - pam + - mkhomedir + +- name: Remove pam_mkhomedir from pam.d + lineinfile: + dest: /etc/pam.d/common-session + state: absent + regexp: 'pam_mkhomedir.so' + when: inventory_hostname == "linaro-private.git.linaro.org" + notify: nscd - restart + tags: + - configupdate + - pam + - mkhomedir + +- name: configure admin sudoers + template: src=sudoers.d/sudoers.j2 + dest=/etc/sudoers.d/ansible + owner=root + group=root + mode=0400 + validate='visudo -cf %s' + when: sudoers_root is defined + tags: + - sudoers + - configupdate + +- name: configure sudoers_logaccess + template: src=sudoers.d/sudoers_logaccess.j2 + dest=/etc/sudoers.d/ansible_logaccess + owner=root + group=root + mode=0400 + validate='visudo -cf %s' + when: sudoers_logaccess is defined + tags: + - sudoers + - configupdate + +- name: configure sudoers controlled ACL + template: src=sudoers.d/sudoers_acl.j2 + dest=/etc/sudoers.d/ansible_acl + owner=root + group=root + mode=0400 + validate='visudo -cf %s' + when: sudoers_access is defined + tags: + - sudoers + - configupdate + +#precise uses file format 90-cloudimg-ubuntu whilst trusty uses 90-cloud-init-users +- name: copy suoders ubuntu cloud-init file (useful for non-ec2 hosts) + copy: src=sudoers.d/90-cloud-init-users.j2 + dest=/etc/sudoers.d/90-cloud-init-users + owner=root + group=root + mode=0400 + force=no + validate='visudo -cf %s' + when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty' + tags: + - sudoers + - configupdate diff --git a/ssh-ldap/tasks/precise.yml b/ssh-ldap/tasks/precise.yml new file mode 100644 index 0000000..89fa8de --- /dev/null +++ b/ssh-ldap/tasks/precise.yml @@ -0,0 +1,56 @@ +# +# This role is to deploy openssh-client and server to 12.04 precise. +# +# Ubuntu 12.04 requires a custom PPA for AuthorizedKeysCommand to work. Because it uses a PPA it requires holding the openssh +# package. If SSH is update on 12.04, and ldap is enabled, ssh *WILL* break. +# +# +--- + +- name: Install custom openssh ppa for AuthorizedKeysCommand only if OS is 12.04 + apt_repository: repo='ppa:zsoftich/ssh+authkeyscommand' + tags: + - install + - precise + - package + +- name: Install openssh-client and server only if OS is 12.04 + action: apt pkg={{ item }} state=present update_cache=yes force=yes + with_items: + - openssh-client=1:5.9p1-5ubuntu1+lpk1 + - openssh-server=1:5.9p1-5ubuntu1+lpk1 + + tags: + - install + - precise + - package + +- name: hold openssh-client only if OS is 12.04 (with dpkg) + shell: echo "openssh-client hold" | sudo dpkg --set-selections + tags: + - install + - precise + - package + +- name: hold openssh-server only if OS is 12.04 (with dpkg) + shell: echo "openssh-server hold" | sudo dpkg --set-selections + tags: + - install + - precise + - package + +- name: hold openssh-client only if OS is 12.04 (with aptitude) + shell: aptitude hold openssh-client -y + sudo: yes + tags: + - install + - precise + - package + +- name: hold openssh-server only if OS is 12.04 (with aptitude) + shell: aptitude hold openssh-server -y + sudo: yes + tags: + - install + - precise + - package
\ No newline at end of file diff --git a/ssh-ldap/templates/access.conf.j2 b/ssh-ldap/templates/access.conf.j2 new file mode 100644 index 0000000..b7697a9 --- /dev/null +++ b/ssh-ldap/templates/access.conf.j2 @@ -0,0 +1,138 @@ +# {{ ansible_managed }} +# Login access control table. +# +# Comment line must start with "#", no space at front. +# Order of lines is important. +# +# When someone logs in, the table is scanned for the first entry that +# matches the (user, host) combination, or, in case of non-networked +# logins, the first entry that matches the (user, tty) combination. The +# permissions field of that table entry determines whether the login will +# be accepted or refused. +# +# Format of the login access control table is three fields separated by a +# ":" character: +# +# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so +# module, you can change the field separation character to be +# '|'. This is useful for configurations where you are trying to use +# pam_access with X applications that provide PAM_TTY values that are +# the display variable like "host:0".] +# +# permission : users : origins +# +# The first field should be a "+" (access granted) or "-" (access denied) +# character. +# +# The second field should be a list of one or more login names, group +# names, or ALL (always matches). A pattern of the form user@host is +# matched when the login name matches the "user" part, and when the +# "host" part matches the local machine name. +# +# The third field should be a list of one or more tty names (for +# non-networked logins), host names, domain names (begin with "."), host +# addresses, internet network numbers (end with "."), ALL (always +# matches), NONE (matches no tty on non-networked logins) or +# LOCAL (matches any string that does not contain a "." character). +# +# You can use @netgroupname in host or user patterns; this even works +# for @usergroup@@hostgroup patterns. +# +# The EXCEPT operator makes it possible to write very compact rules. +# +# The group file is searched only when a name does not match that of the +# logged-in user. Both the user's primary group is matched, as well as +# groups in which users are explicitly listed. +# To avoid problems with accounts, which have the same name as a group, +# you can use brackets around group names '(group)' to differentiate. +# In this case, you should also set the "nodefgroup" option. +# +# TTY NAMES: Must be in the form returned by ttyname(3) less the initial +# "/dev" (e.g. tty1 or vc/1) +# +############################################################################## +# +# Disallow non-root logins on tty1 +# +#-:ALL EXCEPT root:tty1 +# +# Disallow console logins to all but a few accounts. +# +#-:ALL EXCEPT wheel shutdown sync:LOCAL +# +# Same, but make sure that really the group wheel and not the user +# wheel is used (use nodefgroup argument, too): +# +#-:ALL EXCEPT (wheel) shutdown sync:LOCAL +# +# Disallow non-local logins to privileged accounts (group wheel). +# +#-:wheel:ALL EXCEPT LOCAL .win.tue.nl +# +# Some accounts are not allowed to login from anywhere: +# +#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL +# +# All other accounts are allowed to login from anywhere. +# +############################################################################## +# All lines from here up to the end are building a more complex example. +############################################################################## +# +# User "root" should be allowed to get access via cron .. tty5 tty6. +#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +# +# User "root" should be allowed to get access from hosts with ip addresses. +#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +#+ : root : 127.0.0.1 +# +# User "root" should get access from network 192.168.201. +# This term will be evaluated by string matching. +# comment: It might be better to use network/netmask instead. +# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +#+ : root : 192.168.201. +# +# User "root" should be able to have access from domain. +# Uses string matching also. +#+ : root : .foo.bar.org +# +# User "root" should be denied to get access from all other sources. +#- : root : ALL +# +# User "foo" and members of netgroup "nis_group" should be +# allowed to get access from all sources. +# This will only work if netgroup service is available. +#+ : @nis_group foo : ALL +# +# User "john" should get access from ipv4 net/mask +#+ : john : 127.0.0.0/24 +# +# User "john" should get access from ipv4 as ipv6 net/mask +#+ : john : ::ffff:127.0.0.0/127 +# +# User "john" should get access from ipv6 host address +#+ : john : 2001:4ca0:0:101::1 +# +# User "john" should get access from ipv6 host address (same as above) +#+ : john : 2001:4ca0:0:101:0:0:0:1 +# +# User "john" should get access from ipv6 net/mask +#+ : john : 2001:4ca0:0:101::/64 +# +# All other users should be denied to get access from all sources. +#- : ALL : ALL +# +# +# Please include host_vars/hostname.linaro.org +# ssh_access: +# - user/group + +{% if ssh_access is defined %} +-:ALL EXCEPT root sysadmin ubuntu {% if ssh_local is defined %}{{(ssh_local)|join(' ') }}{% endif %} {{ (ssh_access) | join(' ') }}:ALL + + {%else%} + +#No ssh_access defined in host_vars, assume basic ACL. Allows *ONLY* ITS. If this is wrong, please set correct group/user in host_vars. +-:ALL EXCEPT root sysadmin ubuntu (its):ALL + +{% endif %} diff --git a/ssh-ldap/templates/gd_bundle.crt b/ssh-ldap/templates/gd_bundle.crt new file mode 100644 index 0000000..9aa63ce --- /dev/null +++ b/ssh-ldap/templates/gd_bundle.crt @@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx +ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g +RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMTYw +MTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH +QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5j +b20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j +b20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTtwY6vj3D3H +KrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqVTr9vcyOdQm +VZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aLGbqGmu75RpR +SgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo7RJlbmr2EkRT +cDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgWJCJjPOq8lh8BJ +6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAwEAAaOCATIwggEu +MB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVHSMEGDAWgBTSxLDS +kdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEAMDMGCCsGAQUFBwEB +BCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWRkeS5jb20wRgYDVR0f +BD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv +c2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVHSAAMDgwNgYIKwYBBQUH +AgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTAO +BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBANKGwOy9+aG2Z+5mC6IG +OgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPIUyIXvJxwqoJKSQ3kbTJSMU +A2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL5CkKSkB2XIsKd83ASe8T+5o +0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9p0iRFEUOOjZv2kWzRaJBydTX +RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH +qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV +U+4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh +MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE +YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3 +MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo +ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg +MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN +ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA +PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w +wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi +EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY +avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+ +YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE +sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h +/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5 +IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD +ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy +OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P +TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ +HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER +dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf +ReYNnyicsbkqWletNw+vHX/bvZ8= +-----END CERTIFICATE----- diff --git a/ssh-ldap/templates/ldap-keys.sh.j2 b/ssh-ldap/templates/ldap-keys.sh.j2 new file mode 100644 index 0000000..cf9932c --- /dev/null +++ b/ssh-ldap/templates/ldap-keys.sh.j2 @@ -0,0 +1,22 @@ +#!/bin/bash +# {{ ansible_managed }} +# get configuration from /etc/ldap.conf +for x in $(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf); do + eval $x; +done + +OPTIONS= +case "$ssl" in + start_tls) + case "$tls_checkpeer" in + no) OPTIONS+="-Z";; + *) OPTIONS+="-ZZ";; + esac;; +esac + +ldapsearch $OPTIONS -H ${uri} \ + -w "${bindpw}" -D "${binddn}" \ + -b "${base}" \ + '(&(objectClass=posixAccount)(uid='"$1"'))' \ + 'sshPublicKey' \ + | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' | tee /tmp/ssh.log
\ No newline at end of file diff --git a/ssh-ldap/templates/ldap.conf.j2 b/ssh-ldap/templates/ldap.conf.j2 new file mode 100644 index 0000000..259b619 --- /dev/null +++ b/ssh-ldap/templates/ldap.conf.j2 @@ -0,0 +1,19 @@ +## {{ ansible_managed }} +## LDAP Defaults +## +## See ldap.conf(5) for details +## +## + +base dc=linaro,dc=org +uri ldaps://{{ldap_server}} +binddn cn=bindaccount,dc=linaro,dc=org +bindpw someverylongcomplexpassword +ldap_version 3 +pam_password md5 +rootbinddn + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + diff --git a/ssh-ldap/templates/my_mkhomedir.j2 b/ssh-ldap/templates/my_mkhomedir.j2 new file mode 100644 index 0000000..8a003f5 --- /dev/null +++ b/ssh-ldap/templates/my_mkhomedir.j2 @@ -0,0 +1,6 @@ +Name: activate mkhomedir +Default: yes +Priority: 900 +Session-Type: Additional +Session: + required pam_mkhomedir.so umask=0022 skel=/etc/skel
\ No newline at end of file diff --git a/ssh-ldap/templates/nscd.conf.j2 b/ssh-ldap/templates/nscd.conf.j2 new file mode 100644 index 0000000..320cfe4 --- /dev/null +++ b/ssh-ldap/templates/nscd.conf.j2 @@ -0,0 +1,91 @@ +## {{ ansible_managed }} +# +# /etc/nscd.conf +# +# An example Name Service Cache config file. This file is needed by nscd. +# +# Legal entries are: +# +# logfile <file> +# debug-level <level> +# threads <initial #threads to use> +# max-threads <maximum #threads to use> +# server-user <user to run server as instead of root> +# server-user is ignored if nscd is started with -S parameters +# stat-user <user who is allowed to request statistics> +# reload-count unlimited|<number> +# paranoia <yes|no> +# restart-interval <time in seconds> +# +# enable-cache <service> <yes|no> +# positive-time-to-live <service> <time in seconds> +# negative-time-to-live <service> <time in seconds> +# suggested-size <service> <prime number> +# check-files <service> <yes|no> +# persistent <service> <yes|no> +# shared <service> <yes|no> +# max-db-size <service> <number bytes> +# auto-propagate <service> <yes|no> +# +# Currently supported cache names (services): passwd, group, hosts, services +# + + +# logfile /var/log/nscd.log +# threads 4 +# max-threads 32 +# server-user nobody +# stat-user somebody + debug-level 0 +# reload-count 5 + paranoia no +# restart-interval 3600 + + enable-cache passwd yes + positive-time-to-live passwd 60 + negative-time-to-live passwd 20 + suggested-size passwd 211 + check-files passwd yes + persistent passwd yes + shared passwd yes + max-db-size passwd 33554432 + auto-propagate passwd yes + + enable-cache group yes + positive-time-to-live group 60 + negative-time-to-live group 60 + suggested-size group 211 + check-files group yes + persistent group yes + shared group yes + max-db-size group 33554432 + auto-propagate group yes + + enable-cache hosts yes + positive-time-to-live hosts 60 + negative-time-to-live hosts 20 + suggested-size hosts 211 + check-files hosts yes + persistent hosts yes + shared hosts yes + max-db-size hosts 33554432 + + enable-cache services no + positive-time-to-live services 28800 + negative-time-to-live services 20 + suggested-size services 211 + check-files services yes + persistent services yes + shared services yes + max-db-size services 33554432 + +# netgroup caching is known-broken, so disable it in the default config, +# see: https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1068889 + enable-cache netgroup no + positive-time-to-live netgroup 28800 + negative-time-to-live netgroup 20 + suggested-size netgroup 211 + check-files netgroup yes + persistent netgroup yes + shared netgroup yes + max-db-size netgroup 33554432 diff --git a/ssh-ldap/templates/nslcd.conf.j2 b/ssh-ldap/templates/nslcd.conf.j2 new file mode 100644 index 0000000..907d6b2 --- /dev/null +++ b/ssh-ldap/templates/nslcd.conf.j2 @@ -0,0 +1,40 @@ +## {{ ansible_managed }} +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The location at which the LDAP server(s) should be reachable. +uri ldaps://{{ldap_server}} + +# The search base that will be used for all queries. +base dc=linaro,dc=org + +# The LDAP protocol version to use. +ldap_version 3 + +# The DN to bind with for normal lookups. +binddn cn=bindaccount,dc=linaro,dc=org +bindpw someverylongcomplexpassword + +# The DN used for password modifications by root. +#rootpwmoddn cn=admin,dc=example,dc=com + +# SSL options +ssl on +tls_reqcert allow + +# The search scope. +#scope sub + +#base passwd cn=NodeAdmin,ou=group,dc=x4b,dc=org +#filter passwd (|(gidNumber=10001)(gidNumber=10000)) +#filter group (objectClass=Group) + +# automatically added on upgrade of nslcd package +{% if inventory_hostname == 'flexlm.linaro.org' %} +map passwd loginShell "/usr/sbin/nologin" +{% endif %} diff --git a/ssh-ldap/templates/nsswitch.conf.j2 b/ssh-ldap/templates/nsswitch.conf.j2 new file mode 100644 index 0000000..235dd21 --- /dev/null +++ b/ssh-ldap/templates/nsswitch.conf.j2 @@ -0,0 +1,17 @@ +## {{ ansible_managed }}
+# /etc/nsswitch.conf
+#
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+hosts: files dns ldap
+networks: files ldap
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/ssh-ldap/templates/sshd_config.j2 b/ssh-ldap/templates/sshd_config.j2 new file mode 100644 index 0000000..a372dea --- /dev/null +++ b/ssh-ldap/templates/sshd_config.j2 @@ -0,0 +1,96 @@ +# {{ ansible_managed }} +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +# SSH port set in group_vars. Host specific port set in host_vars +Port {{ssh_port}} +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 1024 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin without-password +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes +AuthorizedKeysCommand /etc/ssh/ldap-keys.sh +{% if ansible_distribution_release == 'jessie' %} +#This is required for 14.04 +AuthorizedKeysCommandUser root +{% endif %} + +UseDNS no diff --git a/ssh-ldap/templates/sudoers.d/sudoers.j2 b/ssh-ldap/templates/sudoers.d/sudoers.j2 new file mode 100644 index 0000000..20bb5ff --- /dev/null +++ b/ssh-ldap/templates/sudoers.d/sudoers.j2 @@ -0,0 +1,6 @@ +# {{ ansible_managed }} +# Controls "root" access. + +{% for user in sudoers_root_acl %} +{{ user }} ALL={{ sudoers_root | join(',') }} +{% endfor %} diff --git a/ssh-ldap/templates/sudoers.d/sudoers_acl.j2 b/ssh-ldap/templates/sudoers.d/sudoers_acl.j2 new file mode 100644 index 0000000..8dbdd46 --- /dev/null +++ b/ssh-ldap/templates/sudoers.d/sudoers_acl.j2 @@ -0,0 +1,6 @@ +# {{ ansible_managed }} +# This file control sudo access to servers, but only by the given directory or binary. + +{% for user in sudoers_access_acl %} +{{ user }} ALL=NOPASSWD:{{ sudoers_access | join(',') }} +{% endfor %} diff --git a/ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2 b/ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2 new file mode 100644 index 0000000..ec49ad6 --- /dev/null +++ b/ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} +# for weblogs.linaro.org + +# MANAGED BY ANSIBLE +{% for user in sudoers_logaccess %} +{{user}} ALL=NOPASSWD: /var/log/apache2/*,/bin/cat,/usr/bin/rsync,/bin/ls +{% endfor %} diff --git a/ssh-servers.yml b/ssh-servers.yml new file mode 100644 index 0000000..c2716e2 --- /dev/null +++ b/ssh-servers.yml @@ -0,0 +1,11 @@ +# Deploy the ssh-ldap module. +# Maintainer: Ben Copeland ben.copeland@linaro.org +--- + +- name: Deploy the ssh-ldap module. + hosts: ssh + roles: + - role: ssh-ldap + sudo: yes + - role: logrotate + sudo: yes |