debian: run a separate sshd in mgmt VRF
Leave the default sshd alone. If ssh is not necessary in default VRF, another role should disable it.
parent
c9479cc786
commit
5da50c14f9
4 changed files with 45 additions and 19 deletions
|
@ -16,24 +16,24 @@
|
|||
package: name=ifupdown2
|
||||
notify: reboot
|
||||
|
||||
- name: Create override directory for ssh service
|
||||
file:
|
||||
path: /etc/systemd/system/ssh.service.d
|
||||
state: directory
|
||||
|
||||
- name: Set up ssh to run in mgmt VRF
|
||||
- name: Configure SSH instance in management VRF
|
||||
copy:
|
||||
dest: /etc/systemd/system/ssh.service.d/override.conf
|
||||
src: ssh.service-override.conf
|
||||
dest: /etc/ssh/sshd_config.mgmt
|
||||
src: sshd_config.mgmt
|
||||
mode: 0644
|
||||
notify: reboot
|
||||
|
||||
# With PAM enabled, login shell would run in default VRF instead of mgmt.
|
||||
- name: Disable PAM for ssh
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^UsePAM .*yes'
|
||||
state: absent
|
||||
- name: Set up a SSH instance in management VRF
|
||||
copy:
|
||||
dest: /etc/systemd/system/
|
||||
src: sshd@mgmt.service
|
||||
mode: 0644
|
||||
notify: reboot
|
||||
|
||||
- name: Enable management SSH
|
||||
service:
|
||||
name: sshd@mgmt
|
||||
enabled: yes
|
||||
notify: reboot
|
||||
|
||||
- meta: flush_handlers
|
||||
|
||||
|
|
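Review bot: The copy task that installs `/etc/ssh/sshd_config.mgmt` has no validation step, so a syntax error in that file would only surface after the notified reboot, when the management sshd fails to start and the box may be unreachable over the mgmt VRF. Adding `validate: /usr/sbin/sshd -t -f %s` to that task makes Ansible reject a broken config before it lands. The two copy tasks also leave ownership implicit; `owner: root` and `group: root` alongside a quoted `mode: '0644'` would pin the permissions on both the config and the unit file. The added and removed markers are lost in this rendering, so this assumes the `sshd_config.mgmt` and `sshd@mgmt.service` tasks are the new side. Their file contents are not shown here, so whether the management instance carries the same hardening as the default `sshd_config` (and whether it runs with PAM off, as the old comment implies) should be confirmed against those files.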