Quick Ansible: Enforce SSHD configuration options

Published 2021-08-09 at https://www.my-it-brain.de/wordpress/quick-ansible-enforce-sshd-configuration-options/ (category: Ansible; tags: ansible, blockinfile, sshd_config)

You need to enforce certain configuration options in `sshd_config`, while leaving the rest of the config to your colleagues? Your colleagues need to be able to change these parameters too, temporarily, but they should be reset after a certain time? And you want to do it with Ansible? Read on.

I'll show you a playbook that sets the options `PermitRootLogin`, `PubkeyAuthentication`, `AuthorizedKeysFile` and `PasswordAuthentication` using the Ansible module [blockinfile](https://docs.ansible.com/ansible/2.9/modules/blockinfile_module.html).

```yaml
---
- hosts: all
  tasks:
  - name: sshd configuration file update
    blockinfile:
      path: /etc/ssh/sshd_config
      insertbefore: BOF # Beginning of the file
      marker: "# {mark} ANSIBLE MANAGED BLOCK BY LINUX-ADMIN"
      block: |
        PermitRootLogin no
        PubkeyAuthentication yes
        AuthorizedKeysFile .ssh/authorized_keys
        PasswordAuthentication no
      backup: yes
      validate: /usr/sbin/sshd -T -f %s

  - name: Restart SSHD
    service:
      name: sshd
      state: restarted
```

What happens here is that a block containing the shown keyword-argument pairs is inserted at the beginning of `sshd_config`. Inserting the block at the beginning of the file ensures that these lines take effect, because for each keyword the first occurrence wins (see `sshd_config(5)`).

This playbook ensures the desired configuration: the user root is not permitted to log in via `ssh`, public key authentication is enabled, the `.ssh/authorized_keys` file in the user's home directory is used, and password authentication is disabled. Before `/etc/ssh/sshd_config` is changed, a backup is created, and the new file is validated with `sshd -T -f` before it is saved.

The second task restarts the `sshd` service to make sure the desired config is actually in use.

Of course, any user with sudo or root access could edit the `sshd_config` file and restart the service to change the desired settings, and it might be OK to do so temporarily. To make sure any changes to the file are reset to the desired config, you could simply run the playbook every 30 minutes via `cron`.

This was a really quick example of how to use Ansible to set or change configuration settings. I hope you enjoyed it.