debian: run a separate sshd in mgmt VRF

Leave the default sshd alone. If ssh is not necessary in default VRF,
another role should disable it.
This commit is contained in:
Timotej Lazar 2023-10-25 13:04:44 +02:00
parent c9479cc786
commit 5da50c14f9
4 changed files with 45 additions and 19 deletions


@ -1,4 +0,0 @@
[Service]
ExecStartPre=sleep 10
ExecStart=
ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS


@ -0,0 +1,16 @@
[Unit]
Description=OpenBSD Secure Shell server (management VRF)
After=network.target auditd.service
[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
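Review bot: `ExecStartPre=/usr/sbin/sshd -t` and `ExecReload=/usr/sbin/sshd -t` validate `/etc/ssh/sshd_config`, not the file this instance runs with, so a broken `sshd_config.mgmt` passes the pre-start check and a reload tests the wrong config; both lines should read `/usr/sbin/sshd -t -f /etc/ssh/sshd_config.mgmt`. `ExecStart=ip vrf exec mgmt …` relies on systemd's PATH lookup where the removed override used `/usr/bin/ip`; the absolute path is the safer choice on older systemd versions. `After=network.target` does not guarantee that the `mgmt` VRF device exists yet (the removed override's `sleep 10` was presumably there for that reason), so a failing `ip vrf exec` is covered only by `Restart=on-failure` and its default start-rate limit, which may give up; an `After=`/`Requires=` on the unit that brings up the VRF, or `StartLimitIntervalSec=0` in `[Unit]`, would make the retry deliberate. Debian's `ssh.service` (as I recall it) creates the privilege-separation directory via `RuntimeDirectory=sshd`; once the default sshd is disabled as the description anticipates, this instance would fail on a missing `/run/sshd` unless it declares `RuntimeDirectory=sshd` itself, ideally with `RuntimeDirectoryPreserve=yes` so stopping it does not remove the directory from under the default instance.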


@ -0,0 +1,14 @@
# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
PidFile none
UsePAM no
# Only allow pubkey auth.
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitRootLogin prohibit-password
# Disable what we can.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
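Review bot: The rationale for `UsePAM no` existed only in the playbook comment this commit removes (with PAM enabled the login shell ends up in the default VRF instead of mgmt) and is worth keeping next to the directive, e.g. `# UsePAM no: with PAM the session would be set up outside the VRF and the login shell would run in the default VRF.` Because this file replaces rather than extends `/etc/ssh/sshd_config`, nothing from `/etc/ssh/sshd_config.d/*.conf` applies to this instance, so any Ciphers/KexAlgorithms/LogLevel hardening other roles drop there is silently absent here; either add `Include /etc/ssh/sshd_config.d/*.conf` at the top deliberately (first value wins in sshd_config) or state in the header that this instance runs on OpenSSH defaults. The header says the instance is for Ansible, yet no `Subsystem sftp` is defined, so module uploads will fail unless the inventory is configured for scp or piped transfer — this depends on the controller's ansible.cfg, so please confirm. For "Disable what we can", `AllowAgentForwarding no`, `AllowStreamLocalForwarding no` and `PermitTunnel no` are the remaining forwarding knobs still at their defaults.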


@ -16,24 +16,24 @@
package: name=ifupdown2 package: name=ifupdown2
notify: reboot notify: reboot
- name: Create override directory for ssh service - name: Configure SSH instance in management VRF
file:
path: /etc/systemd/system/ssh.service.d
state: directory
- name: Set up ssh to run in mgmt VRF
copy: copy:
dest: /etc/systemd/system/ssh.service.d/override.conf dest: /etc/ssh/sshd_config.mgmt
src: ssh.service-override.conf src: sshd_config.mgmt
mode: 0644
notify: reboot notify: reboot
# With PAM enabled, login shell would run in default VRF instead of mgmt. - name: Set up a SSH instance in management VRF
- name: Disable PAM for ssh copy:
lineinfile: dest: /etc/systemd/system/
path: /etc/ssh/sshd_config src: sshd@mgmt.service
regexp: '^UsePAM .*yes' mode: 0644
state: absent notify: reboot
- name: Enable management SSH
service:
name: sshd@mgmt
enabled: yes
notify: reboot notify: reboot
- meta: flush_handlers - meta: flush_handlers
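Review bot: Nothing removes `/etc/systemd/system/ssh.service.d/override.conf` (or restores the `UsePAM` line the old `lineinfile` task stripped from `/etc/ssh/sshd_config`) on hosts that already ran the previous version of this role, so on those hosts the default sshd keeps running inside the mgmt VRF with PAM disabled, contrary to the description's "Leave the default sshd alone"; a cleanup task along the lines below is needed. The copy of `sshd_config.mgmt` would also benefit from `validate: /usr/sbin/sshd -t -f %s`, so a bad config fails the play instead of the service after the reboot. The `service` task enables a unit file that the previous task just copied without a daemon reload; `systemctl enable` reads unit files from disk so it probably works, but the `systemd` module with `daemon_reload: true` makes the intent explicit. Style: `mode: "0644"` quoted (ansible-lint `risky-octal`) and `enabled: true` rather than `yes`. The old/new assignment of lines in this rendered hunk is inferred from the task texts, and the task list continues outside the hunk.
```yaml
- name: Remove the old mgmt-VRF override of the default ssh service
  file:
    path: /etc/systemd/system/ssh.service.d/override.conf
    state: absent
  notify: reboot

# Only if stock Debian behaviour (UsePAM yes) is wanted back for the default instance.
- name: Restore PAM in the default sshd config
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^UsePAM '
    line: UsePAM yes
  notify: reboot

# … unchanged: Configure SSH instance in management VRF, Set up a SSH instance, Enable management SSH …
```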