Add ssh playbook

2024-06-11 23:24:13 +02:00 · 2024-06-11 23:24:13 +02:00 · 3276083fa7
parent d9adab4da4
commit 3276083fa7
2 changed files with 35 additions and 0 deletions
--- a/playbooks/01-ssh.yaml
+++ b/playbooks/01-ssh.yaml
@ -0,0 +1,31 @@
+---
+- name: SSH configuration
+  hosts: all
+  tasks:
+    - name: SSH hardening - Deny password authentication
+      ansible.builtin.copy:
+        dest: /etc/ssh/sshd_config.d/90-deny-password.conf
+        owner: root
+        mode: '0600'
+        content: 'PasswordAuthentication no'
+
+    - name: SSH hardening - Deny weak Message Authentication Code Algorithms
+      ansible.builtin.copy:
+        dest: /etc/ssh/sshd_config.d/80-deny-insecure-mac.conf
+        owner: root
+        mode: '0600'
+        content: 'MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1'
+
+    - name: Install authorized keys
+      ansible.builtin.copy:
+        src: authorized_keys
+        dest: /root/.ssh/
+        owner: root
+        mode: '0600'
+        directory_mode: '0700'
+
+    - name: Restart sshd to apply changes
+      ansible.builtin.systemd:
+        name: ssh.service
+        state: restarted
+        enabled: true
--- a/playbooks/files/authorized_keys
+++ b/playbooks/files/authorized_keys
@ -0,0 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1A2E1TMeFhgvyqAUtEk3XNJUTVofvTXoqV9hduh/Ruow8jvIp9NZKpQUujuJmIDW0O5QHbLWoPsRda9Gg6JSmSrjihJB6dGUm+jyjxJxijKicY1eDByDmiLI41Dw9MnIF8n8/h/I/8etGGORPlzsFyE/Uf71bvnhwUNU763mpQyvdiy3Wm8VlikSdZyPTtps2jWmXoFfIstd2DUYjk3mTXtKpmpBKoWTzVoQhWO2weCrzoKqU++lfX3FgekSG0NdOgpif/veZ7Y+nNFUih3XMteLX2s/5cn1bTF/lcVxag6I40y6DbWgoZXEX0mYKbC/yoUyACx863oQjJ87AwbkEe78UgKpyg3aKj6At3pUUgRK7azx6IuW/1hRypxuPtUNGBi5lAEtf8WpcZdSDekULP5tpveoI34JA3wMIb8/7raw8tXDr/kEs+MmEXeutRypogo9VAIsUlKZ8Np9V1E8VM2iE6w4AkEvxN0RZZs4spG44ZofBhOQ7rvVAoz74lYM= giomba@giomba-probook
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEcr9QsMSfl069yVWh+mTR3EKjddrT7ZEE7IoxI0dacYTN99IjhjZMgN8nd7ozzP5s+3aywVZd7A8+2iOW1TofVlgsmFkMtBsHiabRS6VbsqrxcNQXcl74MYDk5ouNw/Q0qG9o/7zrlOS99UGhuP81w9Ac/PyxVpMl1lktv7nEjl5vTIOdCCdcG8SAzbhFntQP6ZsqW2nqFtBtnnTf7YwL6Ocuf8k/o0Dclb9d0J9xV+IJyPitTOEIuepktpTFwBKt4nJIJgXL1yuhGSrmEs8dfg9Tc2fm+zl0W9IZY7fXHwabmscTGsFyJZwOs8MZYLT7K6Cp/EGt50pmd/FcImH08nwb2ZBDNyUcKwNA3GoVKDAVwWhUUUtyQw6Y8KbMABy5Fb0czrBq4R/G8snboLV5qLsUvLyh0X+US4CoF7YWYSW1YHx6b7DQoMtQK2hACnG4GJojT26CrBfGsCHabd2yHzXimKIRl/IqtFy206Eh+03CvLwC5PAROROeKDHDMvk= giulio@marchtop
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJEQ8nfekSwfqq6koPi4Cyfo22vwC21gsW9P0fHhRuNO+eV2IjRMyi3+9LjyU9hXykMGqJpmC+3B2FEalaA9CvRgwmidjXuZXrYrWKF3Q1q8e2dkfJ5aUq1d9lRTP7/mXovNqiQbOmzXUVilYGTnrbQsQATG/wRQD/gqBGZv70dfLDmw1RtYmo9pLfeAPoLTWKAOEBOCCVnWHUJ2M2YI3xpK544cMwf8Lzh1ILcK9VQfUuluIwlwW5nAdsmM/7o1huda46HxVjgasgUKrBZYg9Fepo6jMytz19Kki7kccYp0H/lm3Xahe21MlEAb0S8XWmNt9EEsz0SeEa/bK9UXLl luca@luca-arch
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDqkwjXAmNQLTfCYgIeM4OVeAY8Y5vR0/sJDnqQWznjceRHMVFaUAKZ/sF9HP+zdmmai1atKptiD84sDLNlD3kTLfykLTyJ2DFpr5s4IER6H+ado6A7O7mvYLU6jrIcfdd4NYr7AXmoxdlnbA+nYDRMOzoCbV935v4zpmF4e8CiLGCEP0BgcFxU3kXDARbl2kAWKioF1RRso7Wr5i3iQhovgJa5j2ggzo/DCpPRXQ4AQyYdIOJUoKHTEIbfId47K9bDt6xtGH25WTT0Vjf3UHKe+bUfDC02fqIcwKmcig1+/KX9Umrf9k5RveRK5ybOpk233qXsTzbfvu5FIyGIw0xP3lz4z0/AROPde0+n2JZNrmVN+3m3BCoqFrJu9c8yuf0wyJm12CYlRc+nnfwfQTnke5qlOMzHiWFyH71q8Ndr0YsAay8vNZ15UrSxCAUWBuYYMmGpeXc1j6qGk/1/den1e9aiIDrhNPrSI+G37yYOGLXLGRtL3vvJcPyGb4wTI0= geraldo@aguacate