reorganize SSH key management

- read the SSH keys only from /etc and not from users home for better auditability. This also makes generating the key lists much easier. - move deployment of root ssh keys to the ssh role - improve deployment of user ssh keys in the user role

reorganize SSH key management
3072cea3 · Nico · ec7b7ab9 · 3072cea3 · 3072cea3 · 3072cea3
Unverified Commit 3072cea3 authored 3 weeks ago by Nico
--- a/inventory/ffspveguests
+++ b/inventory/ffspveguests
@@ -71,3 +71,4 @@ ffspveguests:
    nrb-backbonetest2.vm.freifunk-stuttgart.de:
      ansible_ssh_host: 2a01:4f8:172:feff:be24:11ff:fe8b:8979
      ansible_ssh_user: root
+    test-ansible01.vm.freifunk-stuttgart.de:
--- a/roles/ssh/files/sshd-10-disable-password-auth.conf
+++ b/roles/ssh/files/sshd-10-disable-password-auth.conf
+# ANSIBLE managed
+PasswordAuthentication no
--- a/roles/ssh/files/sshd-11-pubkeys-from-etc.conf
+++ b/roles/ssh/files/sshd-11-pubkeys-from-etc.conf
+# ANSIBLE managed
+AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+Match User root
+	AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u /etc/pve/priv/authorized_keys
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
 ---
+- name: Fail when no root public keys would be deployed
+  ansible.builtin.fail:
+    msg: No public keys would be deployed
+  when: "users_root|default([]) == [] and users_root_group|default([]) == []"
+- name: Ensure SSH dropin configuration file directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+    mode: "0755"
 - name: Disable SSH password login
-  lineinfile:
+  ansible.builtin.copy:
-    regexp: "^#?PasswordAuthentication"
+    dest: /etc/ssh/sshd_config.d/10-disable-password-auth.conf
-    line: "PasswordAuthentication no"
+    mode: "0644"
-    path: /etc/ssh/sshd_config
+    src: sshd-10-disable-password-auth.conf
  notify:
    - restart ssh
  when: ssh_disable_password_login
+- name: Ensure SSH authorized keys directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/authorized_keys.d
+    state: directory
+    mode: "0755"
+- name: Read public keys /etc and not from users home directory
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/11-pubkeys-from-etc.conf
+    mode: "0644"
+    src: sshd-11-pubkeys-from-etc.conf
+  notify:
+    - restart ssh
+  when: ssh_disable_password_login
+- name: Authorize public keys for root
+  ansible.builtin.template:
+    dest: /etc/ssh/authorized_keys.d/root
+    src: ssh-root-authorized-keys
+    owner: root
+    group: root
+    mode: "0644"
--- a/roles/ssh/templates/ssh-root-authorized-keys
+++ b/roles/ssh/templates/ssh-root-authorized-keys
+# ANSIBLE managed
+{% for user in user_database.keys()|list %}
+{% for pubkey in user_database[user].pubkeys %}
+{% if user in users_root|default([]) or user in users_root_group|default([]) %}
+{{ pubkey }} {{ user }}
+{% endif %}
+{% endfor %}
+{% endfor %}
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -4,11 +4,6 @@
    msg: No users are in users nor in users_group
  when: "users|default([]) == [] and users_group|default([]) == []"
- name: Fail when no root public keys would be deployed
-  ansible.builtin.fail:
-    msg: No public keys would be deployed
-  when: "users_root|default([]) == [] and users_root_group|default([]) == []"
 - name: Creating users
  include_tasks: user.yml 
  loop: "{{ users|default([]) + users_group|default([]) }}" 
@@ -20,10 +15,3 @@
  loop: '{{ user_database | dict2items }}'
  loop_control:
    loop_var: user
- name: Deploying public key for users with root access
-  include_tasks: root_pubkey.yml
-  vars:
-  loop: '{{ user_database.keys() | list }}'
-  loop_control:
-    loop_var: user
--- a/roles/users/tasks/root_pubkey.yml
+++ b/roles/users/tasks/root_pubkey.yml
---
- name: "Deploying {{ user }} public keys for root"
-  authorized_key:
-    user: "root"
-    state: '{{ (user in users_root|default([]) or user in users_root_group|default([]) ) | ternary("present", "absent") }}'
-    key: '{{ item }}'
-    comment: '{{ user }} {{ (item|split(" "))[2]|default("") }}'
-    follow: yes
-  loop: '{{ user_database[user].pubkeys }}'
- name: "Remove revoked {{ user }} public keys for root"
-  authorized_key:
-    user: "root"
-    state: absent
-    key: '{{ item }}'
-    comment: '{{ user }}'
-    follow: yes
-  loop: '{{ user_database[user].revoked_pubkeys }}'
-  when: 'user_database[user].revoked_pubkeys is defined'
--- a/roles/users/tasks/user.yml
+++ b/roles/users/tasks/user.yml
@@ -11,17 +11,10 @@
    group: "{{ user }}"
    shell: /bin/bash
- name: "Add ssh keys for {{ user }}"
+- name: "Authorize public keys for user {{ user }}"
-  authorized_key:
+  ansible.builtin.template:
-    user: "{{ user }}"
+    dest: "/etc/ssh/authorized_keys.d/{{ user|quote }}"
-    state: present
+    src: ssh-user-authorized-keys
-    key: '{{ item }}'
+    owner: root
-  loop: '{{ user_database[user].pubkeys }}'
+    group: root
+    mode: "0644"
- name: "Remove revoked ssh keys for {{ user }}"
-  authorized_key:
-    user: "{{ user }}"
-    state: absent
-    key: '{{ item }}'
-  loop: '{{ user_database[user].revoked_pubkeys }}'
-  when: 'user_database[user].revoked_pubkeys is defined'
--- a/roles/users/templates/ssh-user-authorized-keys
+++ b/roles/users/templates/ssh-user-authorized-keys
+# ANSIBLE managed
+{% for pubkey in user_database[user].pubkeys %}
+{{ pubkey }} {{ user }}
+{% endfor %}