diff --git a/playbooks/01-ssh.yaml b/playbooks/01-ssh.yaml
new file mode 100644
index 0000000..d4b9292
--- /dev/null
+++ b/playbooks/01-ssh.yaml
@@ -0,0 +1,31 @@
+---
+- name: SSH configuration
+ hosts: all
+ tasks:
+ - name: SSH hardening - Deny password authentication
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/90-deny-password.conf
+ owner: root
+ mode: '0600'
+ content: 'PasswordAuthentication no'
+
+ - name: SSH hardening - Deny weak Message Authentication Code Algorithms
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/80-deny-insecure-mac.conf
+ owner: root
+ mode: '0600'
+ content: 'MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1'
+
+ - name: Install authorized keys
+ ansible.builtin.copy:
+ src: authorized_keys
+ dest: /root/.ssh/
+ owner: root
+ mode: '0600'
+ directory_mode: '0700'
+
+ - name: Restart sshd to apply changes
+ ansible.builtin.systemd:
+ name: ssh.service
+ state: restarted
+ enabled: true
diff --git a/playbooks/files/authorized_keys b/playbooks/files/authorized_keys
new file mode 100644
index 0000000..f26cf9c
--- /dev/null
+++ b/playbooks/files/authorized_keys
@@ -0,0 +1,4 @@
+ssh-rsa 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 giomba@giomba-probook
+ssh-rsa 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 giulio@marchtop
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJEQ8nfekSwfqq6koPi4Cyfo22vwC21gsW9P0fHhRuNO+eV2IjRMyi3+9LjyU9hXykMGqJpmC+3B2FEalaA9CvRgwmidjXuZXrYrWKF3Q1q8e2dkfJ5aUq1d9lRTP7/mXovNqiQbOmzXUVilYGTnrbQsQATG/wRQD/gqBGZv70dfLDmw1RtYmo9pLfeAPoLTWKAOEBOCCVnWHUJ2M2YI3xpK544cMwf8Lzh1ILcK9VQfUuluIwlwW5nAdsmM/7o1huda46HxVjgasgUKrBZYg9Fepo6jMytz19Kki7kccYp0H/lm3Xahe21MlEAb0S8XWmNt9EEsz0SeEa/bK9UXLl luca@luca-arch
+ssh-rsa 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 geraldo@aguacate
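Review bot: The drop-in name `90-deny-password.conf` puts `PasswordAuthentication no` in the weakest position. sshd keeps the first value it reads for each keyword and, assuming the main `sshd_config` includes `sshd_config.d/*.conf` near its top as Debian-family defaults do, reads the drop-ins in lexical order. Any lower-sorting file that sets `PasswordAuthentication yes` (cloud images often ship one) would silently win, and the same applies to `80-deny-insecure-mac.conf`. I would use a prefix that sorts first, e.g. `dest: /etc/ssh/sshd_config.d/00-deny-password.conf`, and confirm the effective values with `sshd -T` after the run. Separately, the last task restarts `ssh.service` on every run with no syntax check, so adding `validate: '/usr/sbin/sshd -t -f %s'` to both copy tasks would keep a drop-in that the installed sshd rejects from being written ahead of the restart.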