baseline_ssh

The cake function baseline_ssh executes the Blunix Ansible role-ssh, which installs and configures the OpenSSH server on all Debian instances. Simplified, role-ssh works as follows:

  • Configures /etc/ssh/sshd_config.d/ansible.conf
  • Creates a Linux group "admins"
  • Creates Linux users and prepares their /home/<username>/ directory for convenient interaction via SSH login
  • Optionally accepts remote SSH host keys (github.com, git.example.com)
  • Optionally removes Linux users

Information

Key             Value
Playbook path   plays/baseline/ssh.yml
Role            https://git.blunix.com/ansible-roles/role-ssh
Tags            https://git.blunix.com/ansible-roles/role-ssh/-/tags
Defaults        https://git.blunix.com/ansible-roles/role-ssh/-/blob/master/defaults/main.yml

Config file                           Description
/etc/ssh/sshd_config.d/ansible.conf   OpenSSH daemon configuration file; it overrides the Debian package maintainers' /etc/ssh/sshd_config, which is NOT modified!
~/.bashrc                             Configures pretty colors in BASH and alike
~/.bashrc.d/                          All files in this directory are included by ~/.bashrc
~/.ssh/                               SSH configuration directory for this user
~/.ssh/id_ed25519(.pub)               SSH private and public key
~/.ssh/environment                    Environment variables defined when somebody logs in as this user from remote
~/.ssh/config                         SSH configuration for outgoing SSH sessions
~/.ssh/known_hosts                    Servers which the Linux user has previously connected to are saved here

Example

Define the SSH public keys of employees in inventory/group_vars/all.yml:

humans:
  'j.doe':
    ssh_key: 'ssh-ed25519 ssh-public-key j.doe@example.com-11'
  'm.mustermann':
    ssh_key: 'ssh-ed25519 ssh-public-key m.mustermann@example.com-11'

Define the variables for role-ssh in inventory/group_vars/all.yml to manage Linux users and their SSH settings:

ssh_users:

    # Name of the user (must already exist unless create is True)
  - name: root

    # Create the user and its group if it is not present
    # Requires: group (default: name), home, uid and gid (default: uid)
    create: True

    # State of this user (present or absent, default: present)
    # State absent removes the user and its group but does not delete the home directory
    state: present

    # Ansible cannot reliably determine a user's home directory, so set it explicitly
    home: /root

    # Name of the user's primary group (for templating files) (Default: "name")
    group: root

    # Groups to put this user in
    # Note that the user's own group is always added to the list of groups, so you don't have to specify it here
    groups:
      - games

    # Append the listed groups to the groups this user already has, or enforce exactly the listed groups; default: True
    append: False

    # User and group ID
    uid: "0"
    gid: "0"

    # Whether to make this a system user and group, default: True
    system: False

    # Specify login shell
    shell: /bin/bash

    # Give this user a nice default ~/.bashrc, default: False
    bashrc: True

    # Create /home/user/.bashrc.d/test.sh
    bashrc_templates:
      - name: test
        content: |
          alias foo=bar

    # Generate an ed25519 keypair, default: False
    generate_keypair: True

    # Set up key=value environment variables in ~/.ssh/environment
    environment:
      SOME: VARIABLE

    # Manage $HOME/.ssh/config
    config:
      sat.github.com:
        HostName: 'github.com'
        User: git
        IdentityFile: '~/.ssh/id_ed25519'
        IdentitiesOnly: 'yes'

    # Accept host keys to known_hosts
    known_hosts:
      - github.com
      - gitlab.com

    # Pull an SSH public key from another instance and put it into authorized_keys
    remote_authorized_keys:
        # Ansible hostname
      - host: bullseye
        # Where to find the public key on this host
        path: /root/.ssh/id_ed25519.pub

    # Populate authorized_keys
    authorized_keys:
      # - key: https://github.com/charlie.keys
      #   options: 'no-port-forwarding,from="10.0.1.1"'
      # - key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"
      #   # present or absent, default: present
      #   state: present
      - key: "ssh-ed25519 ssh-public-key u.name@example.com"

  # Minimal config - just add a public key to ssh authorized_keys of an existing user
  - name: backuppc
    home: /var/lib/backuppc
    authorized_keys:
      - key: "ssh-ed25519 ssh-public-key u.name@example.com"

Different users

To manage different Linux users on server A than on server B, define a default ssh_users list in inventory/group_vars/all.yml and append to it in inventory/group_vars/ or inventory/host_vars/.

Set up j.doe's and m.mustermann's SSH public keys for the root user on all servers in inventory/group_vars/all.yml:

ssh_users: "{{ ssh_users_admins }}"
ssh_users_admins:
  - name: root
    home: /root
    authorized_keys:
      - key: "{{ humans['j.doe']['ssh_key'] }}"
      - key: "{{ humans['m.mustermann']['ssh_key'] }}"

Additionally, set up a Linux user "myapp" and add the developers' public keys in inventory/group_vars/cus_www_prod_web:

ssh_users: "{{ ssh_users_admins + ssh_users_myapp }}"
ssh_users_myapp:
  - name: myapp
    group: myapp
    groups:
      - www-data
    create: True
    uid: 3000
    append: False
    home: /var/www/myapp
    authorized_keys:
      - key: "{{ humans['j.doe']['ssh_key'] }}"
      - key: "{{ humans['m.mustermann']['ssh_key'] }}"
      - key: "{{ humans['t.atkins']['ssh_key'] }}"
      - key: "{{ humans['j.soap']['ssh_key'] }}"
    bashrc: True

ssh_sshd_config_AllowGroups: "root admins myapp"
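As an added example (not part of role-ssh or the Blunix docs), the check below lints an ssh_users list against the invariants this page states: create needs uid and home, home is always set explicitly, a user with authorized_keys needs a group listed in ssh_sshd_config_AllowGroups (otherwise sshd rejects the login), and every key is a well-formed ssh-ed25519 public key, so a placeholder like the ssh-public-key literal in the examples above is flagged. The make_ed25519_pubkey helper and the HUMANS/SSH_USERS data are constructed Python dicts mirroring the YAML examples, so no YAML parser is assumed.

```python
import base64

# Constructed sample: a structurally valid ssh-ed25519 public key built from a
# dummy 32-byte value (not a real key), so the checker below has input to parse.
def make_ed25519_pubkey(comment):
    blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

def key_is_wellformed(key):
    """True if 'ssh-ed25519 <base64>' carries a blob whose embedded type and length match."""
    parts = key.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) != 4 + 11 + 4 + 32:
        return False
    return (int.from_bytes(blob[:4], "big") == 11 and blob[4:15] == b"ssh-ed25519"
            and int.from_bytes(blob[15:19], "big") == 32)

def lint_ssh_users(ssh_users, allow_groups):
    """Return findings for the invariants the role-ssh documentation states."""
    allowed = set(allow_groups.split())
    findings = []
    for u in ssh_users:
        name = u["name"]
        if u.get("create") and not ("uid" in u and "home" in u):
            findings.append(f"{name}: create requires uid and home")
        if "home" not in u:
            findings.append(f"{name}: home must be set explicitly")
        keys = u.get("authorized_keys", [])
        groups = {u.get("group", name), *u.get("groups", [])}
        if keys and not groups & allowed:  # sshd AllowGroups would reject the login
            findings.append(f"{name}: has authorized_keys but no group in AllowGroups")
        for entry in keys:
            if not key_is_wellformed(entry["key"]):
                findings.append(f"{name}: malformed authorized key {entry['key'][:26]!r}")
    return findings

# Constructed inventory mirroring the examples above (humans -> ssh_users).
HUMANS = {"j.doe": {"ssh_key": make_ed25519_pubkey("j.doe@example.com-11")}}
SSH_USERS = [
    {"name": "root", "home": "/root", "authorized_keys": [{"key": HUMANS["j.doe"]["ssh_key"]}]},
    {"name": "myapp", "group": "myapp", "groups": ["www-data"], "create": True, "uid": 3000,
     "home": "/var/www/myapp", "authorized_keys": [{"key": HUMANS["j.doe"]["ssh_key"]}]},
    {"name": "backuppc", "home": "/var/lib/backuppc",
     "authorized_keys": [{"key": "ssh-ed25519 ssh-public-key u.name@example.com"}]},
]
```

Run lint_ssh_users(SSH_USERS, ssh_sshd_config_AllowGroups) before a play; with "root admins myapp" only the backuppc entry is reported, once for the missing AllowGroups membership and once for the placeholder key.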

Logfiles

Stream the sshd logs of cus-www-prod-web-2 from the remote journal on cus-util-prod-log-1:

journalctl --file /var/log/journal/remote/all.journal -f _HOSTNAME=cus-www-prod-web-2 _COMM=sshd