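def install_strict_ssh(allow_users=None, allow_groups=None,
                       address_family="any", permit_root=True,
                       modern_ciphers=True, sftp_enabled=True,
                       agent_forwarding=False, x11=False,
                       tcp_forwarding=True, unix_forwarding=True,
                       tunnel=False, port=22, use_dns=False,
                       print_motd=False, auto_restart=True,
                       check_sshd_config=True, password_enabled=None):
    """Render the ``sshd_config`` preset and install it as /etc/ssh/sshd_config.

    All switches are handed to the ``sshd_config`` template; what each one
    turns into in the rendered file is up to that template. Only the
    handling visible here is documented.

    NOTE(review): despite the name, the defaults still permit root login
    (``permit_root=True`` and an allow list of ``['root']``). Pass
    ``permit_root=False`` and a non-root ``allow_users`` for a stricter
    policy.

    Args:
        allow_users: users for the allow list. ``None`` (the default) means
            ``['root']`` -- the same list value earlier callers got, but
            built per call instead of being a shared mutable default.
        allow_groups: groups for the allow list, or ``None``.
        address_family: sshd ``AddressFamily`` value; one of ``"any"``,
            ``"inet"`` or ``"inet6"`` (compared case-insensitively).
        permit_root, modern_ciphers, sftp_enabled, agent_forwarding, x11,
            tcp_forwarding, unix_forwarding, tunnel, print_motd,
            password_enabled: template switches, passed through unchanged
            (``password_enabled=None`` presumably leaves the template's own
            default in place -- confirm against the template).
        port: a single port or a list of ports; always passed to the
            template as the list ``ports``.
        use_dns: passed to the template as ``use_dns`` (it used to be
            accepted but silently dropped).
        auto_restart: restart ``ssh.service`` after a changed upload.
        check_sshd_config: run ``sshd -t`` after a changed upload.

    Returns:
        ``Changed`` when the uploaded file differed from the installed one,
        ``Unchanged`` otherwise.

    Raises:
        ValueError: for an unsupported ``address_family``. Raised before
            anything is rendered or written, so a typo cannot produce a
            config that sshd refuses to load.
    """
    # FIXME: change default in jinja templates to strict reporting of missing
    # values to avoid creating broken ssh configs
    # FIXME: add (possibly generic) support for atomic-tested-configuration
    # swaps (i.e. run sshd -t on a config)
    if str(address_family).lower() not in ('any', 'inet', 'inet6'):
        raise ValueError(
            "address_family must be 'any', 'inet' or 'inet6', got {!r}"
            .format(address_family))
    if allow_users is None:
        allow_users = ['root']
    ports = port if isinstance(port, list) else [port]
    tpl = ssh_preset.templates.render(
        'sshd_config',
        allow_users=allow_users,
        allow_groups=allow_groups,
        address_family=address_family,
        permit_root=permit_root,
        modern_ciphers=modern_ciphers,
        sftp_enabled=sftp_enabled,
        agent_forwarding=agent_forwarding,
        x11=x11,
        tcp_forwarding=tcp_forwarding,
        unix_forwarding=unix_forwarding,
        tunnel=tunnel,
        ports=ports,
        use_dns=use_dns,
        print_motd=print_motd,
        password_enabled=password_enabled)
    if not fs.upload_string(tpl, '/etc/ssh/sshd_config').changed:
        return Unchanged(msg='sshd config already strict')
    if check_sshd_config:
        # The check runs against the file that is already installed. Whether
        # a failing check prevents the restart below depends on proc.run
        # raising on a non-zero exit -- TODO confirm; either way the broken
        # file is left in place until the atomic swap from the FIXME exists.
        proc.run(['sshd', '-t'])
    # FIXME: we may want to abstract the init-system here
    if auto_restart:
        systemd.restart_unit('ssh.service')
    return Changed(msg='Changed sshd configuration')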
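def setup_rsyslog(server_addr):
    """Configure rsyslog to forward to a papertrail endpoint over TLS.

    Installs ``rsyslog-gnutls``, uploads the papertrail CA bundle to
    ``/etc/papertrail-bundle.pem`` and renders the ``papertrail.conf``
    template (with ``addr=server_addr``) into ``/etc/rsyslog.d/``. All
    three steps always run; ``rsyslog.service`` is restarted only when at
    least one of them reported a change. The bundle is presumably what the
    rendered config points rsyslog at to verify the endpoint -- confirm
    against the template.

    Args:
        server_addr: destination handed to the template as ``addr``. It is
            interpolated into a file rsyslog parses, so it must be an
            operator-supplied value, never untrusted input.

    Returns:
        ``Changed`` or ``Unchanged``, with a message naming ``server_addr``.

    Raises:
        ValueError: if ``server_addr`` is empty or ``None``; previously the
            config was pushed and rsyslog restarted with no destination.
    """
    # FIXME: this is part of remand now
    if not server_addr:
        raise ValueError('server_addr must be a non-empty papertrail address')
    # Collect every result before combining them: all three steps must run
    # even when an earlier one already changed something.
    results = [
        apt.install_packages(['rsyslog-gnutls']).changed,
        fs.upload_file(papertrail.files['papertrail-bundle.pem'],
                       '/etc/papertrail-bundle.pem').changed,
        fs.upload_string(
            papertrail.templates.render('papertrail.conf', addr=server_addr),
            '/etc/rsyslog.d/papertrail.conf',
        ).changed,
    ]
    if any(results):
        systemd.restart_unit('rsyslog.service')
        return Changed(
            msg='Setup papertrail logging to {}'.format(server_addr))
    return Unchanged(msg='Papertrail already setup to {}'.format(server_addr))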
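def install_strict_ssh(allow_users=None, allow_groups=None,
                       address_family="any", permit_root=True,
                       modern_ciphers=True, sftp_enabled=True,
                       agent_forwarding=False, x11=False,
                       tcp_forwarding=True, unix_forwarding=True,
                       tunnel=False, port=22, use_dns=False,
                       print_motd=False, auto_restart=True,
                       check_sshd_config=True):
    """Render the ``sshd_config`` preset and install it as /etc/ssh/sshd_config.

    All switches are handed to the ``sshd_config`` template; what each one
    turns into in the rendered file is up to that template.

    NOTE(review): despite the name, the defaults still permit root login
    (``permit_root=True`` and an allow list of ``['root']``). Pass
    ``permit_root=False`` and a non-root ``allow_users`` for a stricter
    policy.

    Args:
        allow_users: users for the allow list. ``None`` (the default) means
            ``['root']`` -- the same list value earlier callers got, but
            built per call instead of being a shared mutable default.
        allow_groups: groups for the allow list, or ``None``.
        address_family: sshd ``AddressFamily`` value; one of ``"any"``,
            ``"inet"`` or ``"inet6"`` (compared case-insensitively).
        permit_root, modern_ciphers, sftp_enabled, agent_forwarding, x11,
            tcp_forwarding, unix_forwarding, tunnel, port, print_motd:
            template values, passed through unchanged.
        use_dns: passed to the template as ``use_dns`` (it used to be
            accepted but silently dropped).
        auto_restart: restart ``ssh.service`` after a changed upload.
        check_sshd_config: run ``sshd -t`` after a changed upload.

    Returns:
        ``Changed`` when the uploaded file differed from the installed one,
        ``Unchanged`` otherwise.

    Raises:
        ValueError: for an unsupported ``address_family``. Raised before
            anything is rendered or written.
    """
    # FIXME: change default in jinja templates to strict reporting of missing
    # values to avoid creating broken ssh configs
    # FIXME: add (possibly generic) support for atomic-tested-configuration
    # swaps (i.e. run sshd -t on a config)
    if str(address_family).lower() not in ('any', 'inet', 'inet6'):
        raise ValueError(
            "address_family must be 'any', 'inet' or 'inet6', got {!r}"
            .format(address_family))
    if allow_users is None:
        allow_users = ['root']
    tpl = ssh_preset.templates.render(
        'sshd_config',
        allow_users=allow_users,
        allow_groups=allow_groups,
        address_family=address_family,
        permit_root=permit_root,
        modern_ciphers=modern_ciphers,
        sftp_enabled=sftp_enabled,
        agent_forwarding=agent_forwarding,
        x11=x11,
        tcp_forwarding=tcp_forwarding,
        unix_forwarding=unix_forwarding,
        tunnel=tunnel,
        port=port,
        use_dns=use_dns,
        print_motd=print_motd)
    if not fs.upload_string(tpl, '/etc/ssh/sshd_config').changed:
        return Unchanged(msg='sshd config already strict')
    if check_sshd_config:
        # Checks the file that is already installed; whether a failure stops
        # the restart below depends on proc.run raising on non-zero exit --
        # TODO confirm. The broken file stays in place either way.
        proc.run(['sshd', '-t'])
    # FIXME: we may want to abstract the init-system here
    if auto_restart:
        systemd.restart_unit('ssh.service')
    return Changed(msg='Changed sshd configuration')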
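def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Remove the SSH host keys and let ``openssh-server`` create fresh ones.

    Useful where a host may have been cloned from an image that shipped
    with host keys. The fingerprints before and after are reported in the
    result message so they can be recorded for out-of-band verification.

    WARNING: the old keys are deleted before the new ones exist. If
    ``dpkg-reconfigure`` fails, the host has no host keys, sshd will not
    start after the restart below, and the ``mark`` file is not written --
    keep an alternative way onto the machine while running this.

    Args:
        mark: path of a sentinel file. When it already exists nothing is
            done; it is created after a successful regeneration. A falsy
            value disables the sentinel entirely (it used to crash on
            ``fs.touch(None)`` at the end).

    Returns:
        ``Unchanged`` when the sentinel exists, otherwise ``Changed`` with
        the old and new fingerprints in the message.
    """
    if mark and remote.lstat(mark):
        return Unchanged(msg='Hostkeys have already been regenerated')

    # DSA stays in the list so a leftover legacy key is removed too; a
    # current openssh-server will simply not create a new one.
    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # One `ssh-keygen -l` line per key that exists; element [0] of
        # proc.run's result is presumably stdout -- confirm against proc.
        lines = [proc.run(['ssh-keygen', '-l', '-f', key])[0]
                 for key in key_names if remote.lstat(key)]
        return ''.join(lines)

    old_fps = collect_fingerprints()

    # remove old keys (private and public halves)
    for key in key_names:
        fs.remove_file(key)
        fs.remove_file(key + '.pub')

    # generate new ones, then pick them up with a restart
    proc.run(['dpkg-reconfigure', 'openssh-server'])
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # mark host keys as new (only when a sentinel is in use)
    if mark:
        fs.touch(mark)

    return Changed(
        msg='Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent(' ', old_fps), util.indent(' ', new_fps)))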