Updating Ubiqtorate
18
roles/SSH/README.md
Normal file
@@ -0,0 +1,18 @@
Remote access is important in the AniNIX, and so we support the use of the [https://wiki.archlinux.org/index.php/Secure_Shell OpenSSH] protocol via [[ShadowArch]] to supporting hosts.
# Etymology
SSH is named for the protocol on which it's built.
# Relevant Files and Software
Most of this service's configuration lives in [file:///etc/ssh/sshd_config sshd_config]. This includes match statements on what groups are allowed to connect, allowed protocols, and somewhat importantly the ForceCommand directives that hold certain users captive to specific operations.
VNC and X11 forwarding can be used over SSH to allow graphical clients. X11 forwarding without SSH compression is generally slower. To allow VNC, log in over SSH and forward remote port 5901 to localhost port 5901. Start the VNC server on the remote, and use a VNC viewer like tightVNC portable to view the remote desktop.
# Available Clients
* Windows users should use [http://www.putty.org/ PuTTY]. The AniNIX considers this important enough that a copy of PuTTY is mirrored in [https://aninix.net/wolfpack/ WolfPack].[[Category:CachedClient]]
* Mac has a native client in their Terminal application.
* Linux users can install [https://wiki.archlinux.org/index.php/Secure_Shell openssh].
* Android users can use [https://serverauditor.com/ Server Auditor].
}}
[[Category:Public_Service]]
[[Category:LDAP]]
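Review bot: the VNC instructions in the "Relevant Files and Software" paragraph ("forward remote port 5901 to localhost port 5901", and X11 forwarding) only work for members of the `ssh-forward` group, because the sshd_config added in this same commit sets `AllowTcpForwarding no` and `X11Forwarding no` globally and re-enables them only under `Match Group ssh-forward`; state that requirement here so users know why forwarding is refused. Separately, the file mixes MediaWiki markup (`[[ShadowArch]]`, `[http://www.putty.org/ PuTTY]`, `[[Category:...]]`, and a stray closing `}}` with no opening template) with a Markdown `#` heading, so it will not render as intended as a Markdown README; convert the links to `[text](url)` form and drop the `}}` and the `[file:///etc/ssh/sshd_config sshd_config]` link, which browsers refuse to follow from a web page. Minor: "tightVNC" is spelled "TightVNC".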
50
roles/SSH/files/ssh_config
Normal file
@@ -0,0 +1,50 @@
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
ForwardX11 yes
ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
UseRoaming no
# fix for CVE-2016-0777
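Review bot: `ForwardX11 yes` and `ForwardX11Trusted yes` are set outside any `Host` block (the `# Host *` line above them is commented out), so every outbound ssh session from a host that gets this file grants the remote side trusted access to the local X display, which lets a compromised or hostile server observe and inject input on the user's desktop session; leave both at the default `no` here and enable them only in a `Host` stanza for the VNC/X11 hosts the README describes, or per invocation with `ssh -X`/`-Y`. The `# fix for CVE-2016-0777` comment sits on the line after `UseRoaming no`; move it above the directive so the reason travels with the setting. The rest of the file is the 2010 OpenBSD template with every option still commented out (including the legacy `Protocol 2,1`, `arcfour` and `hmac-md5` lines), so the only effective settings are the two X11 lines and `UseRoaming`; trimming the dead template would make that obvious.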
59
roles/SSH/files/sshd_config
Normal file
@@ -0,0 +1,59 @@
### AniNIX::SSH \\ Basic configuration for listening daemon ###
# Daemon spec #
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance #
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options #
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP #
Subsystem sftp /usr/lib/ssh/sftp-server
# Authentication #
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
DenyGroups [^ssh-allow]
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no
## Access Controls ###
Match Group ssh-forward
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
Match Group sftp-home-jail
ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
ChrootDirectory /home # Lock the user in their home directory
Match User crypto
ForceCommand /usr/local/bin/captivecrypto
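Review bot: `DenyGroups [^ssh-allow]` does not do what it looks like: sshd patterns support only the `*` and `?` wildcards (plus `!` negation inside a pattern list), not regex character classes, so this line denies only a group literally named `[^ssh-allow]`; since `AllowGroups ssh-allow` already restricts logins to that one group, drop the `DenyGroups` line rather than leave a no-op that reads like a control. In the `Match` blocks, `ForceCommand internal-sftp #/usr/lib/ssh/sftp-server` and `ChrootDirectory /home # Lock the user in their home directory` carry trailing comments: `ForceCommand` takes the rest of the line as the command, and OpenSSH releases of this vintage reject extra tokens after `ChrootDirectory` with "garbage at end of line", which stops sshd from starting; put the comments on their own lines and check the result with `sshd -t`. That `ChrootDirectory` comment is also inaccurate: the jail root is `/home`, so an `sftp-home-jail` user lands in a directory containing every user's home and can list whatever the filesystem permissions allow, not just their own home. Finally, `X11UseLocalhost no` binds forwarded X11 displays to the wildcard address so other hosts on the network can reach them; the default `yes` is the safer setting, and `ListenAddress 0.0.0.0` silently disables IPv6 listening, which should be deliberate if it is intended.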
21
roles/SSH/tasks/main.yml
Normal file
@@ -0,0 +1,21 @@
---
- name: SSH
become: yes
package:
name:
- bash
- sudo
- name: SSH Config
become: yes
copy:
src: sshd_config
dest: /etc/ssh/ssh_config
- name: SSHD Config
become: yes
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
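Review bot: the "SSH Config" task copies `src: sshd_config` to `dest: /etc/ssh/ssh_config`, so the daemon configuration overwrites the client configuration and the `roles/SSH/files/ssh_config` added in this same commit is never deployed; change it to `src: ssh_config`. The first task installs `bash` and `sudo` but not the SSH server package itself (`openssh` on Arch, which the README's ShadowArch reference points at), so a freshly provisioned host receives config files with no daemon to read them. Neither copy task has a `notify` for a handler that reloads or restarts sshd, so changes pushed by this role do not take effect until something else restarts the service, and adding `validate: /usr/sbin/sshd -t -f %s` to the sshd_config copy would reject a broken file before it replaces the live one instead of leaving the host with an sshd that fails on next start.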