|
|
- ---
-
- # Ce role permet de deployer des fichiers de configurations SSH n'utilisant que des
- # algorithmes consideres comme sur, notamment bases sur les courbes elliptiques.
- # Adaptation de https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/
- # WARN : peut poser des problemes de compatibilites avec les vieux SSH (< 6.7)
-
- - name: Import OS variables
- include_vars: "{{ ansible_os_family }}.yml"
- tags:
- - ssh-curve
-
- - name: upload sshd_config
- template:
- src: sshd_config.j2
- dest: /etc/ssh/sshd_config
- backup: yes
- tags:
- - ssh-curve
- notify: restart ssh
-
- - name: upload ssh_config (for client connexion)
- copy:
- src: ssh_config
- dest: /etc/ssh/ssh_config
- backup: yes
- tags:
- - ssh-curve
- notify: restart ssh
-
- - name: remove obsoletes rsa and dsa keys - WARN! This WILL cause BREAKING ATTEMPT messages
- file:
- path: "{{ item }}"
- state: absent
- tags:
- - ssh-curve
- with_items:
- - /etc/ssh/ssh_host_ecdsa_key
- - /etc/ssh/ssh_host_ecdsa_key.pub
- - /etc/ssh/ssh_host_rsa_key
- - /etc/ssh/ssh_host_rsa_key.pub
- - /etc/ssh/ssh_host_ed25519_key
- - /etc/ssh/ssh_host_ed25519_key.pub
- notify: restart ssh
-
- - name: regenerate sshd ed25519 key to avoid cloudinit identikey problem
- command: ssh-keygen -q -N "" -C "" -o -a 1000 -t ed25519 -f "/etc/ssh/ssh_host_ed25519_key"
- tags:
- - ssh-curve
- notify: restart ssh
-
- - name: generate a secure ed25519 key you could ssh-copy to other servers (do not overwrite existing key by default)
- command: ssh-keygen -t ed25519 -o -a 1000 -C "" -N "" -q -f "/root/.ssh/id_ed25519"
- ignore_errors: yes
- tags:
- - ssh-curve
|