debian: run a separate sshd in mgmt VRF
Leave the default sshd alone. If ssh is not necessary in the default VRF, another role should disable it.
This commit is contained in:
parent
c9479cc786
commit
5da50c14f9
|
@ -1,4 +0,0 @@
|
||||||
[Service]
|
|
||||||
ExecStartPre=sleep 10
|
|
||||||
ExecStart=
|
|
||||||
ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS
|
|
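--- /dev/null
+++ b/roles/debian/files/sshd@mgmt.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenBSD Secure Shell server (management VRF)
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+
+[Install]
+WantedBy=multi-user.target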
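Review bot: `ExecStartPre=/usr/sbin/sshd -t` and `ExecReload=/usr/sbin/sshd -t` in [Service] test `/etc/ssh/sshd_config`, not the file ExecStart hands to sshd with `-f`, so a broken `sshd_config.mgmt` passes the pre-check and the instance then fails at start; both should read `/usr/sbin/sshd -t -f /etc/ssh/sshd_config.mgmt`. ExecStart also drops the `-D` that the override this commit deletes passed (`/usr/sbin/sshd -D $SSHD_OPTS`); without it sshd detaches after start-up, which with `Type=notify` and `ExecReload=/bin/kill -HUP $MAINPID` presumably leaves systemd tracking a process that has already exited — `ExecStart=ip vrf exec mgmt /usr/sbin/sshd -D -f /etc/ssh/sshd_config.mgmt` keeps it in the foreground as the deleted override did. A one-line comment above ExecStart noting that the `ip vrf exec mgmt` wrapper is what binds this listener to the management VRF rather than the default VRF's port 22 would spare the next reader a search.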
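--- /dev/null
+++ b/roles/debian/files/sshd_config.mgmt
@@ -0,0 +1,14 @@
+# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
+
+PidFile none
+UsePAM no
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no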
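Review bot: The rationale for `UsePAM no` lives only in the task comment this commit removes from the tasks file (`# With PAM enabled, login shell would run in default VRF instead of mgmt.`); put it directly above the directive here, since this is where the next maintainer will look before re-enabling PAM. It is also worth recording next to it that `UsePAM no` skips PAM account and session processing in general (locked accounts, access restrictions, limits), so those controls do not apply to logins on this instance — an accepted trade-off, but one that should be written down. `PidFile none` presumably exists so the second instance does not overwrite the default instance's pid file; a one-line comment saying so would help. Because this file carries no `Include` of the default `sshd_config`, any hardening set there (ciphers, AllowUsers, logging) is not inherited by the management instance; if that is intended, a comment stating the file is deliberately self-contained makes it clear, and if not, an explicit `Include` line is the fix.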
@ -16,24 +16,24 @@
|
||||||
package: name=ifupdown2
|
package: name=ifupdown2
|
||||||
notify: reboot
|
notify: reboot
|
||||||
|
|
||||||
- name: Create override directory for ssh service
|
- name: Configure SSH instance in management VRF
|
||||||
file:
|
|
||||||
path: /etc/systemd/system/ssh.service.d
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Set up ssh to run in mgmt VRF
|
|
||||||
copy:
|
copy:
|
||||||
dest: /etc/systemd/system/ssh.service.d/override.conf
|
dest: /etc/ssh/sshd_config.mgmt
|
||||||
src: ssh.service-override.conf
|
src: sshd_config.mgmt
|
||||||
|
mode: 0644
|
||||||
notify: reboot
|
notify: reboot
|
||||||
|
|
||||||
# With PAM enabled, login shell would run in default VRF instead of mgmt.
|
- name: Set up a SSH instance in management VRF
|
||||||
- name: Disable PAM for ssh
|
copy:
|
||||||
lineinfile:
|
dest: /etc/systemd/system/
|
||||||
path: /etc/ssh/sshd_config
|
src: sshd@mgmt.service
|
||||||
regexp: '^UsePAM .*yes'
|
mode: 0644
|
||||||
state: absent
|
notify: reboot
|
||||||
|
|
||||||
|
- name: Enable management SSH
|
||||||
|
service:
|
||||||
|
name: sshd@mgmt
|
||||||
|
enabled: yes
|
||||||
notify: reboot
|
notify: reboot
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
|
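Review bot: The `copy` of `sshd_config.mgmt` (new side, `dest: /etc/ssh/sshd_config.mgmt`) installs the config unchecked and then notifies a reboot; if the file does not parse, the management instance fails at boot, and on a host reached only through the mgmt VRF that is the access path lost. Add `validate: '/usr/sbin/sshd -t -f %s'` to that task so Ansible refuses to install a config that sshd rejects. Two smaller points: `enabled: yes` on the `service` task is a YAML 1.1 boolean spelling and `enabled: true` is the canonical form, and `mode: 0644` relies on the parser reading the leading zero as octal, where `mode: "0644"` is the spelling ansible-lint prefers. The file this hunk belongs to is not named in the rendered section, so this assumes it is the role's tasks file.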