Updating some SSH config
This commit is contained in:
parent
60f848b55d
commit
5ab88dc387
@ -18,8 +18,10 @@ saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
|
||||
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
|
||||
# Ignore IRC Modules
|
||||
saferegex="$saferegex"'|m_password_hash.so|/quote ns identify|SELECT|password_attribute|SET PASS|SASET PASS'
|
||||
# Ignore SSH known hosts
|
||||
saferegex="$saferegex""|ssh_known_hosts:|"
|
||||
|
||||
grep -irE 'secret|password|pw|passphrase|pass=' roles/*/{files,templates} 2>&1 | grep -vE "$saferegex"
|
||||
git ls-files roles/*/{files,templates} | xargs grep -irE 'secret|password|pw|passphrase|pass=' | grep -vE "$saferegex"
|
||||
if [ $? -ne 1 ]; then
|
||||
echo
|
||||
echo If these are false positives, you need to add the signature to the whitelist in $0.
|
||||
|
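Review bot: The known-hosts whitelist entry `saferegex="$saferegex""|ssh_known_hosts:|"` ends with a trailing `|`, which in an extended regex is an empty alternative that matches every line, so `grep -vE "$saferegex"` emits nothing, the final grep exits 1, and the `if [ $? -ne 1 ]` warning below can never fire — the whole secrets scan silently passes from this commit on. The other whitelist entries in this hunk use the single-quoted form with no trailing bar; this one should be `saferegex="$saferegex"'|ssh_known_hosts:'`. The `git ls-files … | xargs grep` pipeline also splits file names on whitespace; `git ls-files -z roles/*/{files,templates} | xargs -0 grep -irE …` keeps them intact. The rendered page drops the +/- markers, so which grep pipeline is new is inferred from the hunk counts rather than marked, and the script's surrounding definitions start and end outside the hunk.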
@ -1,50 +1,13 @@
|
||||
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
|
||||
|
||||
# This is the ssh client system-wide configuration file. See
|
||||
# ssh_config(5) for more information. This file provides defaults for
|
||||
# users, and the values can be changed in per-user configuration files
|
||||
# or on the command line.
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
# 1. command line options
|
||||
# 2. user-specific file
|
||||
# 3. system-wide file
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
# Host *
|
||||
# ForwardAgent no
|
||||
# man 5 ssh_config
|
||||
ForwardX11 yes
|
||||
ForwardX11Trusted yes
|
||||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
# StrictHostKeyChecking ask
|
||||
# IdentityFile ~/.ssh/identity
|
||||
# IdentityFile ~/.ssh/id_rsa
|
||||
# IdentityFile ~/.ssh/id_dsa
|
||||
# Port 22
|
||||
# Protocol 2,1
|
||||
# Cipher 3des
|
||||
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
|
||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
||||
# EscapeChar ~
|
||||
# Tunnel no
|
||||
# TunnelDevice any:any
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
UseRoaming no
|
||||
CanonicalizeHostname yes
|
||||
CanonicalDomains msn0.aninix.net
|
||||
Compression yes
|
||||
ServerAliveInterval 60
|
||||
ServerAliveCountMax 5
|
||||
TCPKeepAlive yes
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
|
||||
|
||||
# fix for CVE-2016-0777
|
||||
# UseRoaming no
|
||||
|
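Review bot: `ForwardX11 yes` together with `ForwardX11Trusted yes` turns on trusted X11 forwarding for every host as the system-wide default; per ssh_config(5) a trusted forward gives remote X11 clients full access to the local display, so any server matched by the implicit `Host *` scope that is compromised can interact with the user's desktop session. Keeping `ForwardX11Trusted no` (the upstream default) globally and enabling it only in a `Host` block for the machines that need it limits that exposure. The `# UseRoaming no` comment under `# fix for CVE-2016-0777` duplicates the live `UseRoaming no` directive a few lines above; dropping one of them, or moving the CVE comment next to the active directive, avoids a reader assuming the fix is commented out. Which of these lines are new and which survived from the old file is not marked on this rendered page.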
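--- a/roles/SSH/files/ssh_known_hosts
+++ b/roles/SSH/files/ssh_known_hosts
@@ -0,0 +1,43 @@
+### AniNIX
+# AniNIX.net
+147.219.175.219,foundation.aninix.net,aninix.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlUR05R8xcOgb+5p++xQ4hN8aVgyfaRn2bGDfIJleS1
+147.219.175.219,foundation.aninix.net,aninix.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtuJX5ShWmFFpPVubWTsp0uPcF8hFCqh+epZxoAlKZz5F+EedT9yzU67pttQmEpLCVGFqVQUwFHyN2ww/w0k9fDZ8Bdn7/Bn9LsUQtzeyeJWwiHTNS6IEKw8SMg2ifTCvGBevV7cuFMwFJ/b7iKjfaVhsZ5sPUpbG9c88rwX29FoUkghHDod9St1hoKtqbRARjhJ5p2BnzmvQeT5zwsPqLUh+5mbtoo3nLKQqudYQCIhkTWVArwfASSbdsb+xCQEnTF2D2lf6Bp+xp9DADsCu8I1NyY+cOsXGAWSXJSMHWJ6QF5SfVTqjCbNFiGe4qX9H+WdGVY6Bvbt4bTJPuoUX9
+# Shadowfeed.MSN0.AniNIX.net:6022
+[10.0.1.1]:6022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7qREh5sVlKy52UumXEayNYufFHxGgil2uRn8sA/LBq
+# Nazara.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1
+nazara.msn0.aninix.net,nazara,10.0.1.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4QJO1FOhCwGaYPVdpsu4gfADQ0DFG+21MKxG9lKSCS
+nazara.msn0.aninix.net,nazara,10.0.1.2 ssh-rsa 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
+[147.219.8.116]:21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4QJO1FOhCwGaYPVdpsu4gfADQ0DFG+21MKxG9lKSCS
+# Core.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.8
+core.msn0.aninix.net,core,10.0.1.3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlUR05R8xcOgb+5p++xQ4hN8aVgyfaRn2bGDfIJleS1
+core.msn0.aninix.net,core,10.0.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtuJX5ShWmFFpPVubWTsp0uPcF8hFCqh+epZxoAlKZz5F+EedT9yzU67pttQmEpLCVGFqVQUwFHyN2ww/w0k9fDZ8Bdn7/Bn9LsUQtzeyeJWwiHTNS6IEKw8SMg2ifTCvGBevV7cuFMwFJ/b7iKjfaVhsZ5sPUpbG9c88rwX29FoUkghHDod9St1hoKtqbRARjhJ5p2BnzmvQeT5zwsPqLUh+5mbtoo3nLKQqudYQCIhkTWVArwfASSbdsb+xCQEnTF2D2lf6Bp+xp9DADsCu8I1NyY+cOsXGAWSXJSMHWJ6QF5SfVTqjCbNFiGe4qX9H+WdGVY6Bvbt4bTJPuoUX9
+# Node0.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.5
+node0.msn0.aninix.net,node0,10.0.1.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByPH4xBtfbG1sWBThjzeB/41wIiG8VElMJt6Tt7gj3Q
+node0.msn0.aninix.net,node0,10.0.1.4 ssh-rsa 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
+# Sharingan.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.5
+sharingan.msn0.aninix.net,sharingan,10.0.1.16 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHWiEtEMgosZv/LFNjY7ebFVdsEXrkPmdJHSC8sbaD5
+sharingan.msn0.aninix.net,sharingan,10.0.1.16 ssh-rsa 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
+# DarkNet.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.5
+darknet.msn0.aninix.net,darknet,10.0.1.17 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJUs68uQdOc5vRxnWZAd6DRRFLrZyqQi2gdx7QuzwZH
+darknet.msn0.aninix.net,darknet,10.0.1.17 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmfOvKeJa7SKZ8hDzEAu3tM7VjOoj64d1wMKxmXuHcOVOG2pOyGNCrutBhj4CXsNHtU1liOF8QAIG0bQJ7K+JLU1BSsQ4kuV/Nn99hmW3A6yzZN+FuhvdiWMb+kS7VM7OjDZ71RmOqCsJJsJVAsoFZIWxbzk9Zom4bvoEgERe5P0jeYzoXJsBbeR+t6zCWTVNMTDYWNXY0u+E9YZv8gpUrzlgJltXmperq79DjtigemX4+D2hiQ72xL8beNbRko/s4qOLk8VyUfb012XB6QyvqPH6CWM5L74MhAnUJmfp7uWUIaUO5eUB3WUNDiMfIGoLwR4d/q1tGpbIgGNfeksIZ
+# Maat.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.8
+maat.msn0.aninix.net,maat,10.0.1.18 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoF3EiL06w+VQNYUxrNH0VBAUsaqnswpGEe4NolLvIZ
+maat.msn0.aninix.net,maat,10.0.1.18 ssh-rsa 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
+# DedNet.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.8
+dednet.msn0.aninix.net,dednet,10.0.1.52 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfz42IEWihRkfxGjdp80hUaWbCt+f4jD2cN+KxxQNYb
+dednet.msn0.aninix.net,dednet,10.0.1.52 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9AJF9tnic4frwdNI6/sSxlfAOfghjbG/b30qHSAdFh4ktVB6NWPS6SVf/zUsg+8K02tZXOFBKR5JAQO0KCVI20Vig/WPOM6pwc/UIvRqWioAoR97jDPJBauZKdULdwVDQE4jfvJv969QfJNhy//bsH66JzyPVdGqQaDO4UGR0+QY3aBeLgptAh2+zMrMuk4pGjxsngV0udKsoKY/k//gIZprSal39cBwO6/htD0sdmua2T/Io6L6V9jlRxHbqQD2TkXNAe+dgJ1hEJa+41Ahunhkba4xcy3siXYCnQk9K5zk1xZmFPNGDSLlPHbAUmsSUAAc75aoV32XMLKb9KCH
+# Geth-Hub-1.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
+geth-hub-1.msn0.aninix.net,geth-hub-1,10.0.1.32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc2LkiAHfRXB2j5dHvQQctPrRaL5EHxtcY0+GnKsGtV
+geth-hub-1.msn0.aninix.net,geth-hub-1,10.0.1.32 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGWZ+4SPBIuWtzaicM7bdxTcadH+m2390O06CP3B56vvlFwXQCztqVGL3UPhQEpbfJtZkipPWN2sjNWHmzQ1LCQ=
+# Geth-Hub-2.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
+geth-hub-2.msn0.aninix.net,geth-hub-2,10.0.1.33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAWCCPeMydz3Ge++Uu+a189FtsCK6CLvPsqxlPQupGM
+geth-hub-2.msn0.aninix.net,geth-hub-2,10.0.1.33 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLolkWL+a6oAHcgHQ2nROoVwC0WBBzYLL9nZJ8wIslsepCy2H8hSjnrgQ5sNMQBKOe5ToOrmP3YfXVgonpC4sAc=
+# Geth-Hub-3.MSN0.AniNIX.net:22 SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1
+geth-hub-3.msn0.aninix.net,geth-hub-3,10.0.1.34 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4odSWjWwTUCMOVtHwCQIboz4B6Myv78Z/qqpGtZ1Ow
+geth-hub-3.msn0.aninix.net,geth-hub-3,10.0.1.34 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC51Fj5BPwQUfMMAktbp4Xxly1m7KSjadG4SoJ2WmtN4ipFCWBdZgrTTvIDwDE/F3UuSiV/8nqbfL/Hu0ZNeLlVFtslVJ+L83S/DE9D83yydOJrg8gMK6/D4Kmc+BWmijoZzlpEOwu6YXqTf9d91cYFKLjleTcInCkqHqPikI119IScOqYJbgUTo2RQRmmja+TLn/usWo58kqLlSH058bIfsnHzjwC65W7zBDORWcoK6uX4JQwITrucEf5ipooNMU83pHp7kWT2w2bTsq2oUPwXTOgzquMD5oOCsxf9jKXh9uj1llb8+hAaQuGnRidM0ZN9Jk7s/ou3IOISzq0OHJX5XN1r+IIOL/pPO0FpMFsKpNLdDx+xod9wj1qsZqW0S7bMBnr6QTvGw38psls92PraFiEZi9voC4ShwtZMcADFn9+Mat2FhfIJTmFbGNRez8xZnVMeXCnaTVZvv/MwzeSNpv3daijprbVY/lFgv5Fib5B1bx3lBTDwSPsY5/2nETE=
+# DedSec.MSN0.AniNIX.net:22
+dedsec.msn0.aninix.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfz42IEWihRkfxGjdp80hUaWbCt+f4jD2cN+KxxQNYb
+# Tachikoma.MSDN0.aninix.net
+tachikoma.msn0.aninix.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP94+yPnzTF0imO3l2eKBzuNR+U8iABkzGgvFpv4udJd
+tachikoma.msn0.aninix.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPO+k25FnFlNJOhD419pwX6U6Xt9HrGXxN2jNrUvRBX3ZeuQEXQYx/oZ3c2t4D3nM28/QrNfE9vZ9lt7XorpafU=
+tachikoma ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP94+yPnzTF0imO3l2eKBzuNR+U8iABkzGgvFpv4udJd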
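Review bot: Three hosts (geth-hub-1, geth-hub-2, tachikoma) keep an `ecdsa-sha2-nistp256` entry even though the sshd_config hunk in this same commit states that ECDSA is untrusted, and each of those hosts already has an ed25519 entry; if ECDSA is meant to be avoided, drop those lines and pin `HostKeyAlgorithms ssh-ed25519` in ssh_config, otherwise the comment and this data disagree. The ed25519 and RSA blobs for `147.219.175.219,foundation.aninix.net,aninix.net` are identical to those for `core.msn0.aninix.net`, and dedsec's ed25519 key is identical to dednet's — presumably the same machines reachable under two names; if so, merging each pair into one hostname list keeps a future key rotation to a single line, and if not, a host key shared across machines deserves a look. The header comment `# Tachikoma.MSDN0.aninix.net` says `MSDN0` where the entries below it say `msn0`.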
@ -8,6 +8,7 @@ PrintLastLog yes
|
||||
StrictModes yes
|
||||
Protocol 2
|
||||
ChrootDirectory none
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
|
||||
|
||||
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
|
||||
# RSA and ED25519 are stable.
|
||||
|
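Review bot: The new `Ciphers` line restricts only the symmetric ciphers; key exchange and MACs stay at the daemon defaults, and the comment beneath it about DSA and ECDSA being untrusted is not backed by a `HostKeyAlgorithms` directive anywhere in the visible hunk. Adding `KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org` and `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com` next to it would make the server hardening match the intent of the comment and of the client-side `Ciphers` line this commit adds to ssh_config. `Protocol 2` above is context rather than new, but OpenSSH removed protocol-1 server support in 7.4, so as far as I know the keyword is now a no-op and can go in a later cleanup. The rest of the file is outside this hunk.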
@ -57,6 +57,12 @@
|
||||
src: ssh_config
|
||||
dest: /etc/ssh/ssh_config
|
||||
|
||||
- name: Known hosts
|
||||
become: yes
|
||||
copy:
|
||||
src: ssh_known_hosts
|
||||
dest: /etc/ssh/ssh_known_hosts
|
||||
|
||||
- name: SSHD Config
|
||||
become: yes
|
||||
register: sshd_config
|
||||
|
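Review bot: The new `Known hosts` copy task sets no `owner`, `group` or `mode`, so `/etc/ssh/ssh_known_hosts` ends up with whatever the remote umask or a pre-existing file dictates; sshd and every local user read this file, so it should be root-owned and world-readable but not world-writable — add `owner: root`, `group: root` and `mode: '0644'` under `copy:`. The `SSH Config` task just above appears to have the same omission, though only its `src`/`dest` lines fall inside the hunk. The task list continues outside the hunk, and this rendered page does not preserve the YAML indentation, so nesting of the new keys could not be checked here.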