Skip to content
This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Add support to specify a list of revoked public keys #120

Merged
merged 1 commit into from
Jun 30, 2017
Merged

Add support to specify a list of revoked public keys #120

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|

## Example Playbook

Expand Down
3 changes: 3 additions & 0 deletions defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,3 +160,6 @@ ssh_challengeresponseauthentication: false

# look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
ssh_use_dns: false

# a list of public keys that are never accepted by the ssh server
ssh_server_revoked_keys: []
5 changes: 5 additions & 0 deletions tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,11 @@
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
when: sshd_version.stdout >= '6.3'

- name: create revoked_keys and set permissions to root/600
template: src='revoked_keys.j2' dest='/etc/ssh/revoked_keys' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
notify: restart sshd
when: ssh_server_hardening

- name: create sshd_config and set permissions to root/600
template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}" validate="/usr/sbin/sshd -T -f %s"
notify: restart sshd
Expand Down
3 changes: 3 additions & 0 deletions templates/opensshd.conf.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,9 @@ Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
{% endif %}

# Reject keys that are explicitly blacklisted
RevokedKeys /etc/ssh/revoked_keys

{% if sftp_enabled %}
# Configuration, in case SFTP is used
## override default of no subsystems
Expand Down
4 changes: 4 additions & 0 deletions templates/revoked_keys.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# {{ansible_managed}}
{% for key in ssh_server_revoked_keys %}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a # {{ansible_managed}} on the first line, please?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added. I also checked and the comment doesn't interfere with the functionality. 👍

{{key}}
{% endfor %}