---
|
|
|
|
# Ce role permet de deployer des fichiers de configurations SSH n'utilisant que des
|
|
# algorithmes consideres comme sur, notamment bases sur les courbes elliptiques.
|
|
# Adaptation de https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/
|
|
# WARN : peut poser des problemes de compatibilites avec les vieux SSH (< 6.7)
|
|
|
|
- name: Import OS variables
|
|
include_vars: "{{ ansible_os_family }}.yml"
|
|
tags:
|
|
- ssh-curve
|
|
|
|
- name: upload sshd_config
|
|
template:
|
|
src: sshd_config.j2
|
|
dest: /etc/ssh/sshd_config
|
|
backup: yes
|
|
tags:
|
|
- ssh-curve
|
|
notify: restart ssh
|
|
|
|
- name: upload ssh_config (for client connexion)
|
|
copy:
|
|
src: ssh_config
|
|
dest: /etc/ssh/ssh_config
|
|
backup: yes
|
|
tags:
|
|
- ssh-curve
|
|
notify: restart ssh
|
|
|
|
- name: remove obsoletes rsa and dsa keys - WARN! This WILL cause BREAKING ATTEMPT messages
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
tags:
|
|
- ssh-curve
|
|
with_items:
|
|
- /etc/ssh/ssh_host_ecdsa_key
|
|
- /etc/ssh/ssh_host_ecdsa_key.pub
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
- /etc/ssh/ssh_host_rsa_key.pub
|
|
- /etc/ssh/ssh_host_ed25519_key
|
|
- /etc/ssh/ssh_host_ed25519_key.pub
|
|
notify: restart ssh
|
|
|
|
- name: regenerate sshd ed25519 key to avoid cloudinit identikey problem
|
|
command: ssh-keygen -q -N "" -C "" -o -a 1000 -t ed25519 -f "/etc/ssh/ssh_host_ed25519_key"
|
|
tags:
|
|
- ssh-curve
|
|
notify: restart ssh
|
|
|
|
- name: generate a secure ed25519 key you could ssh-copy to other servers (do not overwrite existing key by default)
|
|
command: ssh-keygen -t ed25519 -o -a 1000 -C "" -N "" -q -f "/root/.ssh/id_ed25519"
|
|
ignore_errors: yes
|
|
tags:
|
|
- ssh-curve
|