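# SPDX-License-Identifier: MIT-0
---
# tasks file for lockdown
#
# Creates the sys-admin user plus any further users, installs their SSH
# authorized keys (from the controller's ~/.ssh public keys, or from
# files/ssh/... when `files_mode` is set), then restricts sshd to key
# authentication, denies root over SSH and optionally locks the root account.
#
# @NOTE: assumes one logged in to SSH server as root to begin with, hence no
# need for privilege escalation. Every block is gated on
# ansible_facts["user_id"] == "root", so fact gathering must be enabled.
#
# Lockout caveat: the final block removes password and root login over SSH.
# If the authorized_keys tasks above it were skipped (e.g. by tag selection)
# or installed the wrong keys, the only way back in is the console. Keep a
# second root session open until key login as the sys-admin user is confirmed.

- name: Create users
  when: ansible_facts["user_id"] == "root"
  block:
    - name: Create sys-admin user
      ansible.builtin.user:
        name: "{{ create_users[0].username }}"
        # Fixed uid 1000 unless the inventory entry supplies one.
        # NOTE(review): uid 1000 is frequently already taken by a distro's
        # default user (e.g. "ubuntu"); useradd refuses a non-unique uid.
        uid: "{{ create_users[0].uid | default(1000) }}"
        # The user module expects an already-hashed value; plaintext is written
        # verbatim into /etc/shadow (Ansible warns). If the inventory holds a
        # plaintext password, pass it through password_hash('sha512') instead.
        password: "{{ create_users[0].password }}"
        append: true
        groups:
          - sudo
        shell: /bin/bash
        # Generates an unencrypted key pair in the new user's ~/.ssh (which also
        # creates that directory). Set ssh_key_passphrase if the key will be
        # used for anything.
        generate_ssh_key: true
        # ssh_key_passphrase: "{{ create_users[0].password }}"
        # Password-ageing policy in days. NOTE(review): a minimum age of 93
        # prevents the user from rotating a compromised password themselves for
        # three months — confirm this is intended.
        password_expire_min: 93
        password_expire_max: 186
        password_expire_warn: 45
        comment: sysadmin
        state: present
      tags:
        - default
        - administrative_user
      register: created_admin

    - name: Create new user
      ansible.builtin.user:
        name: "{{ item.username }}"
        # uid must differ per user (and from the sys-admin's); let useradd pick
        # one unless the inventory entry specifies it.
        uid: "{{ item.uid | default(omit) }}"
        # Same hashed-password requirement as for the sys-admin user.
        password: "{{ item.password }}"
        append: true
        groups:
          - sudo
        shell: /bin/bash
        generate_ssh_key: true
        # ssh_key_passphrase: "{{ item.password }}"
        password_expire_min: 93
        password_expire_max: 186
        password_expire_warn: 45
        comment: administrator
        state: present
      loop: "{{ create_users[1:] }}"
      tags:
        - other_users
      register: created_user

- name: Specify authorized SSH keys for users based on local public keys
  when: not files_mode and ansible_facts["user_id"] == "root"
  block:
    - name: Acquire list of SSH public keys for sys-admin user
      # lookup('env', 'HOME') and the ansible.builtin.file lookup used below
      # both evaluate on the controller, so the search must run there as well
      # (delegate_to: localhost) or the path and the file reads would refer to
      # different machines.
      ansible.builtin.find:
        paths: "{{ lookup('env', 'HOME') }}/.ssh"
        # ssh_pubkey_filename_pattern must match public keys only (e.g. \.pub$).
        # Anything it matches is written verbatim into the target's
        # authorized_keys, so a pattern that also hits a private key would
        # leak that key to the server.
        patterns:
          - "{{ ssh_pubkey_filename_pattern }}"
        use_regex: true
        recurse: false
      delegate_to: localhost
      tags:
        - default
        - administrative_user
        - admin_ssh
      register: ssh_public_keys

    - name: Register SSH public keys as sys-admin user's authorized keys
      ansible.builtin.lineinfile:
        path: "{{ created_admin.home }}/.ssh/authorized_keys"
        # find returns a list of dicts; the file lookup needs the path string.
        line: "{{ lookup('ansible.builtin.file', item.path) }}"
        owner: "{{ created_admin.name }}"
        group: "{{ created_admin.name }}"
        mode: "0600"
        create: true
        state: present
      tags:
        - default
        - administrative_user
        - admin_ssh
      loop: "{{ ssh_public_keys.files }}"
      loop_control:
        # Show the file path instead of the whole find result per item.
        label: "{{ item.path }}"

    - name: Register SSH puplic keys as other users' authorized keys
      ansible.builtin.copy:
        src: "ssh/{{ item.name }}/authorized_keys"
        dest: "{{ item.home }}/.ssh/authorized_keys"
        force: true
        backup: true
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0600"
      tags:
        - other_users
        - others_ssh
      # A variable registered from a looped task is a dict; the per-user return
      # values (name, home) are the entries of its .results list.
      loop: "{{ created_user.results }}"
      register: authorized_ssh_pubkeys

- name: Specify authorized SSH keys for users
  when: files_mode and ansible_facts["user_id"] == "root"
  block:
    - name: Specify authorized keys file for sys-admin user
      ansible.builtin.copy:
        src: ssh/authorized_keys
        dest: "{{ created_admin.home }}/.ssh/authorized_keys"
        force: true
        backup: true
        owner: "{{ created_admin.name }}"
        group: "{{ created_admin.name }}"
        mode: "0600"
      tags:
        - default
        - administrative_user
        - admin_ssh
      register: authorized_admin_ssh_pubkeys

    - name: Specify authorized keys file for other users
      ansible.builtin.copy:
        src: "ssh/{{ item.name }}/authorized_keys"
        dest: "{{ item.home }}/.ssh/authorized_keys"
        force: true
        backup: true
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0600"
      tags:
        - other_users
        - others_ssh
      # See the non-files_mode block: the registered loop result is a dict
      # whose per-user values live under .results.
      loop: "{{ created_user.results }}"
      register: authorized_ssh_pubkeys

- name: Lock down root SSH access
  when: ansible_facts["user_id"] == "root"
  block:
    # sshd keeps the first value it reads for most keywords and reads
    # sshd_config.d/*.conf in lexical order, so a file that sorts before these
    # (e.g. a distro-provided 50-cloud-init.conf setting
    # PasswordAuthentication yes) would take precedence. Check the merged
    # result with `sshd -T`. Also requires the Include directive to be present
    # in /etc/ssh/sshd_config.
    - name: Constrain SSH authentication methods to using SSH key
      ansible.builtin.copy:
        src: sshd_config.d/auth.conf
        dest: /etc/ssh/sshd_config.d/auth.conf
        force: true
        backup: true
        mode: "0644"
        # Reject a syntactically broken snippet before the handler restarts
        # sshd. This checks the snippet on its own, not the merged config.
        validate: /usr/sbin/sshd -t -f %s
      tags:
        - depass_root
      register: constrained_auth

    - name: Prohibit access to root via SSH
      ansible.builtin.copy:
        src: sshd_config.d/denyroot.conf
        dest: /etc/ssh/sshd_config.d/denyroot.conf
        force: true
        backup: true
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
      tags:
        - prohib_root_ssh
      register: prohibited_root_ssh_login

    # Locks the root password (shadow entry prefixed with "!"); console login
    # as root then requires unlocking via the sys-admin user and sudo.
    - name: Lock the root account
      when: include_root_lock
      ansible.builtin.user:
        name: root
        password_lock: true
      tags:
        - delog_root
      register: prohibited_root_login
  tags:
    - default
    - deroot
  # Handler is expected in the role's handlers; fires when any task in this
  # block reports a change.
  notify: "restart ssh"

- name: Import disabling of shell root by sys-admin user
  ansible.builtin.import_tasks:
    file: ./deshell.yml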