Improve SSH configuration for nodes

Ensure hostbased auth works with configs, remove erroneous old
conditional for authtypes, remove obsolete config option.
Joshua Boniface 2020-08-06 15:54:12 -04:00
parent 6851d42885
commit a0e4f3bd30
3 changed files with 8 additions and 7 deletions


@ -1,3 +1,8 @@
# SSH remote allowed hosts # SSH remote allowed hosts
# {{ ansible_managed }} # {{ ansible_managed }}
{% for host in groups[cluster_group] %}
{{ host }}
{{ host.split('.')[0] }}.{{ networks['cluster']['domain'] }}
{{ host.split('.')[0] }}
{% endfor %}
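Review bot: Three name forms are now emitted per host (the inventory name, short name plus cluster domain, and bare short name), and because the sshd template sets `HostbasedUsesNameFromPacketOnly yes`, the name matched against this file is the one the client asserts, so each form listed here must also appear verbatim on that host's ssh_known_hosts line or a hostbased attempt using it is refused. A comment above the loop would make that coupling explicit: `# Keep these name forms in sync with the ssh_known_hosts template; the name is client-supplied, so only the host key there actually authenticates the peer.` The hunk header reports three old lines and eight new ones, but only five single-printed lines are visible here, so part of the change may be missing from this view.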


@ -1,3 +1,6 @@
# SSH remote allowed hosts # SSH remote allowed hosts
# {{ ansible_managed }} # {{ ansible_managed }}
{% for host in groups[cluster_group] %}
{{ host }},{{ host.split('.')[0] }}.{{ networks['cluster']['domain'] }},{{ host.split('.')[0] }} ssh-ed25519 {{ hostvars[host].ansible_ssh_host_key_ed25519_public }}
{% endfor %}
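Review bot: The rendered line relies on `hostvars[host].ansible_ssh_host_key_ed25519_public` being present for every member of `groups[cluster_group]`; a host whose facts were not gathered in this run either fails the template or, presumably, yields a line with an empty key field that sshd skips, leaving that host unable to authenticate to its peers. Wrapping the line in `{% if hostvars[host].ansible_ssh_host_key_ed25519_public is defined %}` … `{% endif %}` (or failing the play when the fact is missing) makes the outcome deterministic. Publishing only the ed25519 key is consistent with the single `HostKey /etc/ssh/ssh_host_ed25519_key` in the sshd template. As with the previous file, the hunk header (3 old → 6 new lines) does not match the three single-printed lines shown, so some of the change may not be visible here.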


@ -6,7 +6,6 @@ ListenAddress ::
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
Protocol 2 Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
SyslogFacility AUTH SyslogFacility AUTH
LogLevel INFO LogLevel INFO
LoginGraceTime 120 LoginGraceTime 120
@ -29,15 +28,9 @@ PubkeyAuthentication yes
PermitEmptyPasswords no PermitEmptyPasswords no
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
PasswordAuthentication no PasswordAuthentication no
{% if 'hv' in group_names %}
HostbasedAuthentication yes HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes HostbasedUsesNameFromPacketOnly yes
IgnoreRhosts no IgnoreRhosts no
PermitRootLogin yes
{% else %}
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no PermitRootLogin no
{% endif %}
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO
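Review bot: `IgnoreRhosts no` now applies to every node rather than only the `hv` group (the removed else-branch carried `IgnoreRhosts yes`), so per-user `~/.rhosts` and `~/.shosts` files are honoured everywhere in addition to the managed system-wide allowed-hosts file, and with `HostbasedUsesNameFromPacketOnly yes` the ssh_known_hosts entry is the only thing binding the client-supplied name to a machine. If the "SSH remote allowed hosts" template is the system-wide equivalence file, `IgnoreRhosts yes` keeps hostbased trust confined to that managed file without affecting the intended node-to-node logins. Separately, `PermitRootLogin no` is now unconditional where the hv branch previously set `PermitRootLogin yes`; if hypervisor-to-hypervisor hostbased logins run as root they would now be refused. The second hunk header (15 old → 9 new lines) implies one added line that is not visible in this view, so that may already be addressed.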