Improve SSH configuration for nodes
Ensure hostbased auth works with configs, remove erroneous old conditional for authtypes, remove obsolete config option.
This commit is contained in:
parent
6851d42885
commit
a0e4f3bd30
|
@ -1,3 +1,8 @@
|
||||||
# SSH remote allowed hosts
|
# SSH remote allowed hosts
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% for host in groups[cluster_group] %}
|
||||||
|
{{ host }}
|
||||||
|
{{ host.split('.')[0] }}.{{ networks['cluster']['domain'] }}
|
||||||
|
{{ host.split('.')[0] }}
|
||||||
|
{% endfor %}
|
||||||
|
|
|
@ -1,3 +1,6 @@
|
||||||
# SSH remote allowed hosts
|
# SSH remote allowed hosts
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% for host in groups[cluster_group] %}
|
||||||
|
{{ host }},{{ host.split('.')[0] }}.{{ networks['cluster']['domain'] }},{{ host.split('.')[0] }} ssh-ed25519 {{ hostvars[host].ansible_ssh_host_key_ed25519_public }}
|
||||||
|
{% endfor %}
|
||||||
|
|
|
@ -6,7 +6,6 @@ ListenAddress ::
|
||||||
ListenAddress 0.0.0.0
|
ListenAddress 0.0.0.0
|
||||||
Protocol 2
|
Protocol 2
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
UsePrivilegeSeparation yes
|
|
||||||
SyslogFacility AUTH
|
SyslogFacility AUTH
|
||||||
LogLevel INFO
|
LogLevel INFO
|
||||||
LoginGraceTime 120
|
LoginGraceTime 120
|
||||||
|
@ -29,15 +28,9 @@ PubkeyAuthentication yes
|
||||||
PermitEmptyPasswords no
|
PermitEmptyPasswords no
|
||||||
ChallengeResponseAuthentication no
|
ChallengeResponseAuthentication no
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
{% if 'hv' in group_names %}
|
|
||||||
HostbasedAuthentication yes
|
HostbasedAuthentication yes
|
||||||
HostbasedUsesNameFromPacketOnly yes
|
HostbasedUsesNameFromPacketOnly yes
|
||||||
IgnoreRhosts no
|
IgnoreRhosts no
|
||||||
PermitRootLogin yes
|
|
||||||
{% else %}
|
|
||||||
HostbasedAuthentication no
|
|
||||||
IgnoreRhosts yes
|
|
||||||
PermitRootLogin no
|
PermitRootLogin no
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO
|
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO
|
||||||
|
|
Loading…
Reference in New Issue