diff --git a/roles/debian/files/ssh.service-override.conf b/roles/debian/files/ssh.service-override.conf
deleted file mode 100644
index 2ab24aa..0000000
--- a/roles/debian/files/ssh.service-override.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[Service]
-ExecStartPre=sleep 10
-ExecStart=
-ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS
diff --git a/roles/debian/files/sshd@mgmt.service b/roles/debian/files/sshd@mgmt.service
new file mode 100644
index 0000000..7b63f30
--- /dev/null
+++ b/roles/debian/files/sshd@mgmt.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenBSD Secure Shell server (management VRF)
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/debian/files/sshd_config.mgmt b/roles/debian/files/sshd_config.mgmt
new file mode 100644
index 0000000..ac45726
--- /dev/null
+++ b/roles/debian/files/sshd_config.mgmt
@@ -0,0 +1,14 @@
+# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
+
+PidFile none
+UsePAM no
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
diff --git a/roles/debian/tasks/mgmt.yml b/roles/debian/tasks/mgmt.yml
index 9ac0754..4cc3eca 100644
--- a/roles/debian/tasks/mgmt.yml
+++ b/roles/debian/tasks/mgmt.yml
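Review bot: Both `sshd -t` lines in sshd@mgmt.service test the default /etc/ssh/sshd_config rather than the file this instance actually runs with, so a broken sshd_config.mgmt passes ExecStartPre and is only caught when the real start (or the HUP reload) fails; they should be `ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_config.mgmt` and `ExecReload=/usr/sbin/sshd -t -f /etc/ssh/sshd_config.mgmt`. The ExecStart line also drops the `-D` that the deleted override passed, so sshd detaches instead of staying in the foreground as the Type=notify main process; `ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D -f /etc/ssh/sshd_config.mgmt` keeps it supervised, and the absolute path avoids depending on systemd's executable search path on older releases. `ip vrf exec mgmt` cannot succeed until the mgmt VRF device exists, which is presumably what the removed `sleep 10` papered over; with only `After=network.target` and the default start rate limit, Restart=on-failure can exhaust its attempts before the VRF is up, so ordering the unit after whatever creates the VRF (and adding a `RestartSec=`) would be more robust.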
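Review bot: Because sshd_config.mgmt is loaded with `-f`, nothing from /etc/ssh/sshd_config (including any `Include` drop-ins that harden the main instance) applies to this listener, so every directive not written here is the compiled-in default; "Disable what we can" therefore still leaves agent forwarding and Unix-socket forwarding enabled, and the section should also carry `AllowAgentForwarding no`, `AllowStreamLocalForwarding no` and `PermitTunnel no`. `UsePAM no` has lost the rationale that the comment removed from mgmt.yml carried, and it also means PAM-based account controls (pam_access, lockout and similar modules) never run for this instance; restore it above the directive, e.g. `# UsePAM must stay off: with PAM the login shell runs in the default VRF instead of mgmt. PAM account checks do not apply to this instance.` Since the header says this listener exists for ansible, consider limiting who may use it with `AllowUsers` or `AllowGroups` and, if the mgmt address is known, a `ListenAddress`, instead of accepting any account with a key on every address in the VRF.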
@@ -16,24 +16,24 @@ package: name=ifupdown2 notify: reboot -- name: Create override directory for ssh service - file: - path: /etc/systemd/system/ssh.service.d - state: directory - -- name: Set up ssh to run in mgmt VRF +- name: Configure SSH instance in management VRF copy: - dest: /etc/systemd/system/ssh.service.d/override.conf - src: ssh.service-override.conf + dest: /etc/ssh/sshd_config.mgmt + src: sshd_config.mgmt + mode: 0644 notify: reboot -# With PAM enabled, login shell would run in default VRF instead of mgmt. -- name: Disable PAM for ssh - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^UsePAM .*yes' - state: absent +- name: Set up a SSH instance in management VRF + copy: + dest: /etc/systemd/system/ + src: sshd@mgmt.service + mode: 0644 + notify: reboot + +- name: Enable management SSH + service: + name: sshd@mgmt + enabled: yes notify: reboot - meta: flush_handlers -