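def install_strict_ssh(allow_users=('root',),
                       allow_groups=None,
                       address_family="any",
                       permit_root=True,
                       modern_ciphers=True,
                       sftp_enabled=True,
                       agent_forwarding=False,
                       x11=False,
                       tcp_forwarding=True,
                       unix_forwarding=True,
                       tunnel=False,
                       port=22,
                       use_dns=False,
                       print_motd=False,
                       auto_restart=True,
                       check_sshd_config=True,
                       password_enabled=None):
    """Render the ``sshd_config`` template and install it on the remote host.

    The rendered text is written to ``/etc/ssh/sshd_config``. Only when that
    upload actually changed the file is the config optionally syntax-checked
    with ``sshd -t`` and ``ssh.service`` optionally restarted.

    Args:
        allow_users: Sequence of user names handed to the template as
            ``allow_users``. Defaults to root only. The default is an
            immutable tuple so no list object is shared between calls; it is
            converted to a list before rendering, as before.
        allow_groups: Passed to the template as ``allow_groups``.
        address_family, permit_root, modern_ciphers, sftp_enabled,
        agent_forwarding, x11, tcp_forwarding, unix_forwarding, tunnel,
        print_motd, password_enabled: Forwarded to the template unchanged
            under the same names.
        port: A single port or a list of ports; always passed to the
            template as the list ``ports``.
        use_dns: Accepted for interface compatibility; currently not
            forwarded to the template (see review note below).
        auto_restart: Restart ``ssh.service`` after a changed upload.
        check_sshd_config: Run ``sshd -t`` after a changed upload.

    Returns:
        ``Changed`` if the config file was (re)written, ``Unchanged`` if the
        uploaded text matched what was already there.
    """
    # FIXME: change default in jinja templates to strict reporting of missing
    #        values to avoid creating broken ssh configs
    # FIXME: add (possibly generic) support for atomic-tested-configuration
    #        swaps (i.e. run sshd -t on a config)
    # NOTE(review): use_dns is a parameter but never reaches the template, so
    #        it cannot influence the generated config — confirm intent.
    if isinstance(allow_users, tuple):
        # The template used to receive a list; keep that for the default.
        allow_users = list(allow_users)

    tpl = ssh_preset.templates.render(
        'sshd_config',
        allow_users=allow_users,
        allow_groups=allow_groups,
        address_family=address_family,
        permit_root=permit_root,
        modern_ciphers=modern_ciphers,
        sftp_enabled=sftp_enabled,
        agent_forwarding=agent_forwarding,
        x11=x11,
        tcp_forwarding=tcp_forwarding,
        unix_forwarding=unix_forwarding,
        tunnel=tunnel,
        ports=port if isinstance(port, list) else [port],
        print_motd=print_motd,
        password_enabled=password_enabled)

    if fs.upload_string(tpl, '/etc/ssh/sshd_config').changed:
        # The syntax check runs against the file that is already in place;
        # a rejected config therefore stays on disk, and whether a failure
        # aborts the restart below depends on proc.run's error handling.
        if check_sshd_config:
            proc.run(['sshd', '-t'])

        # FIXME: we may want to abstract the init-system here
        if auto_restart:
            systemd.restart_unit('ssh.service')
        return Changed(msg='Changed sshd configuration')
    return Unchanged(msg='sshd config already strict')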
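def setup_rsyslog(server_addr):
    """Point rsyslog on the remote host at the papertrail endpoint *server_addr*.

    Installs ``rsyslog-gnutls``, uploads the bundled CA file to
    ``/etc/papertrail-bundle.pem`` and renders ``papertrail.conf`` into
    ``/etc/rsyslog.d/``. All three steps always run; ``rsyslog.service`` is
    restarted only if at least one of them reported a change.

    Args:
        server_addr: Remote syslog address, rendered into the template as
            ``addr``.

    Returns:
        ``Changed`` if anything was installed or rewritten, else ``Unchanged``.
    """
    # FIXME: this is part of remand now
    # The first step's result seeds ``changed`` directly; the previous
    # ``changed = False`` was a dead assignment.
    changed = apt.install_packages(['rsyslog-gnutls']).changed
    changed |= fs.upload_file(papertrail.files['papertrail-bundle.pem'],
                              '/etc/papertrail-bundle.pem').changed
    changed |= fs.upload_string(
        papertrail.templates.render('papertrail.conf',
                                    addr=server_addr),
        '/etc/rsyslog.d/papertrail.conf', ).changed

    if changed:
        systemd.restart_unit('rsyslog.service')
        return Changed(
            msg='Setup papertrail logging to {}'.format(server_addr))
    return Unchanged(msg='Papertrail already setup to {}'.format(server_addr))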
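def setup_rsyslog(server_addr):
    """Configure papertrail log forwarding to *server_addr* via rsyslog.

    Three steps are always executed, in order: install ``rsyslog-gnutls``,
    upload the CA bundle to ``/etc/papertrail-bundle.pem``, and write the
    rendered ``papertrail.conf`` to ``/etc/rsyslog.d/``. Only if any step
    changed the host is ``rsyslog.service`` restarted.

    Args:
        server_addr: Address handed to the ``papertrail.conf`` template as
            ``addr``.

    Returns:
        ``Changed`` when a restart was performed, otherwise ``Unchanged``.
    """
    # FIXME: this is part of remand now
    # Evaluate every step eagerly (no short-circuit) so all three always run;
    # this also drops the dead ``changed = False`` assignment.
    results = [
        apt.install_packages(['rsyslog-gnutls']).changed,
        fs.upload_file(papertrail.files['papertrail-bundle.pem'],
                       '/etc/papertrail-bundle.pem').changed,
        fs.upload_string(
            papertrail.templates.render('papertrail.conf', addr=server_addr),
            '/etc/rsyslog.d/papertrail.conf',
        ).changed,
    ]

    if not any(results):
        return Unchanged(
            msg='Papertrail already setup to {}'.format(server_addr))

    systemd.restart_unit('rsyslog.service')
    return Changed(msg='Setup papertrail logging to {}'.format(server_addr))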
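def install_strict_ssh(allow_users=('root',),
                       allow_groups=None,
                       address_family="any",
                       permit_root=True,
                       modern_ciphers=True,
                       sftp_enabled=True,
                       agent_forwarding=False,
                       x11=False,
                       tcp_forwarding=True,
                       unix_forwarding=True,
                       tunnel=False,
                       port=22,
                       use_dns=False,
                       print_motd=False,
                       auto_restart=True,
                       check_sshd_config=True):
    """Write a rendered ``sshd_config`` to the remote host.

    Args:
        allow_users: User names passed to the template as ``allow_users``;
            defaults to root only. The default is a tuple (not a shared
            mutable list) and is turned into a list before rendering.
        allow_groups, address_family, permit_root, modern_ciphers,
        sftp_enabled, agent_forwarding, x11, tcp_forwarding,
        unix_forwarding, tunnel, port, print_motd: Forwarded to the
            template unchanged under the same names.
        use_dns: Accepted but not forwarded to the template (see note).
        auto_restart: Restart ``ssh.service`` when the file changed.
        check_sshd_config: Run ``sshd -t`` when the file changed.

    Returns:
        ``Changed`` if ``/etc/ssh/sshd_config`` was rewritten, otherwise
        ``Unchanged``.
    """
    # FIXME: change default in jinja templates to strict reporting of missing
    #        values to avoid creating broken ssh configs
    # FIXME: add (possibly generic) support for atomic-tested-configuration
    #        swaps (i.e. run sshd -t on a config)
    # NOTE(review): use_dns never reaches templates.render(), so it has no
    #        effect on the generated file — confirm whether that is intended.
    if isinstance(allow_users, tuple):
        allow_users = list(allow_users)

    tpl = ssh_preset.templates.render('sshd_config',
                                      allow_users=allow_users,
                                      allow_groups=allow_groups,
                                      address_family=address_family,
                                      permit_root=permit_root,
                                      modern_ciphers=modern_ciphers,
                                      sftp_enabled=sftp_enabled,
                                      agent_forwarding=agent_forwarding,
                                      x11=x11,
                                      tcp_forwarding=tcp_forwarding,
                                      unix_forwarding=unix_forwarding,
                                      tunnel=tunnel,
                                      port=port,
                                      print_motd=print_motd)

    if not fs.upload_string(tpl, '/etc/ssh/sshd_config').changed:
        return Unchanged(msg='sshd config already strict')

    # The config is validated only after it has been written, so a config
    # rejected by ``sshd -t`` is already on disk at this point.
    if check_sshd_config:
        proc.run(['sshd', '-t'])

    # FIXME: we may want to abstract the init-system here
    if auto_restart:
        systemd.restart_unit('ssh.service')
    return Changed(msg='Changed sshd configuration')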
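def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Delete and regenerate the OpenSSH host keys on the remote host, once.

    Args:
        mark: Path of a marker file on the remote host. If it already exists
            nothing is done; it is created after a regeneration. A falsy
            value disables the marker, so the keys are regenerated on every
            call.

    Returns:
        ``Unchanged`` if the marker exists, otherwise ``Changed`` whose
        message lists the old and new key fingerprints.
    """
    if mark and remote.lstat(mark):
        return Unchanged(msg='Hostkeys have already been regenerated')

    # NOTE(review): the DSA entry is kept for completeness; whether the
    # current openssh-server still creates it is not checked here.
    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # ``ssh-keygen -l`` output (element 0 of proc.run's result, presumably
        # stdout) for every key file that exists, concatenated in list order.
        return ''.join(
            proc.run(['ssh-keygen', '-l', '-f', key])[0]
            for key in key_names if remote.lstat(key))

    old_fps = collect_fingerprints()

    # Remove old keys. Between this loop and the reconfigure below the host
    # has no host keys, so a failure in between leaves it in that state.
    for key in key_names:
        fs.remove_file(key)
        fs.remove_file(key + '.pub')

    # Let the package's postinst generate fresh keys.
    proc.run(['dpkg-reconfigure', 'openssh-server'])

    # Restart so sshd picks up the new keys.
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # Record that regeneration happened, but only if a marker was requested;
    # touching a falsy path would fail after the keys had already been rotated.
    if mark:
        fs.touch(mark)

    return Changed(
        msg='Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent('    ', old_fps), util.indent('    ', new_fps)))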
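def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Replace the remote host's OpenSSH host keys with freshly generated ones.

    Args:
        mark: Remote path of a marker file; when it exists the function is a
            no-op, and it is created once regeneration has finished. Pass a
            falsy value to bypass the marker (regenerate every time).

    Returns:
        ``Unchanged`` if the marker exists, else ``Changed`` with the old and
        new fingerprints in the message.
    """
    if mark:
        if remote.lstat(mark):
            return Unchanged(msg='Hostkeys have already been regenerated')

    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # One ``ssh-keygen -l`` line per existing key file, in key_names
        # order; missing files are skipped silently.
        lines = []
        for key_path in key_names:
            if remote.lstat(key_path):
                lines.append(proc.run(['ssh-keygen', '-l', '-f', key_path])[0])
        return ''.join(lines)

    old_fps = collect_fingerprints()

    # Delete private and public halves of every listed key.
    for key_path in key_names:
        fs.remove_file(key_path)
        fs.remove_file(key_path + '.pub')

    # Regenerate via the package's own reconfigure step, then restart sshd
    # so the new keys are served.
    proc.run(['dpkg-reconfigure', 'openssh-server'])
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # The marker is optional (see the guard at the top); previously it was
    # touched unconditionally, which would break for a falsy ``mark``.
    if mark:
        fs.touch(mark)

    report = (
        'Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent('    ', old_fps), util.indent('    ', new_fps)))
    return Changed(msg=report)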