improve ssh key managemnt
This commit is contained in:
vincent
parent
86385d5975
commit
d770f61739
@ -1 +0,0 @@
|
|||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfJj3fN0PK7ELn82wOZwL1JncL5prlM1kHVpmVJzhrrXF5ITzlqnaNaYLIpJVD5enbl7uJm0n1DNG58MKkW5ILyFIV9zKlW4AJ4q+sQC2MqcSNkkXXdnxGf/9TuF83zMZ2Ex43dxtURIjXPVBgy963BPdBGLepbDJATFe+GiUAJMwEm3A5DTT5Bo7Oh1mjZkuFn6fWsUK0uZr4oi7ZkZFRcHTy9fVKG2XWWOAobFw7WjwP3F4IY9FWwU4TjeHv+gc9xQzRDtfWN/P4yTsALYvqqDrYxBplOyqtz8Hkd4prujVFt4KA60P4KbwsR/nCHFTcFSSvdUldlfVdSD95n8Vb vincent@fixe-pc
|
|
||||||
50
files/config
50
files/config
@ -1,50 +0,0 @@
|
|||||||
# $OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $
|
|
||||||
|
|
||||||
# This is the ssh client system-wide configuration file. See
|
|
||||||
# ssh_config(5) for more information. This file provides defaults for
|
|
||||||
# users, and the values can be changed in per-user configuration files
|
|
||||||
# or on the command line.
|
|
||||||
|
|
||||||
# Configuration data is parsed as follows:
|
|
||||||
# 1. command line options
|
|
||||||
# 2. user-specific file
|
|
||||||
# 3. system-wide file
|
|
||||||
# Any configuration value is only changed the first time it is set.
|
|
||||||
# Thus, host-specific definitions should be at the beginning of the
|
|
||||||
# configuration file, and defaults at the end.
|
|
||||||
|
|
||||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
||||||
# list of available options, their meanings and defaults, please see the
|
|
||||||
# ssh_config(5) man page.
|
|
||||||
|
|
||||||
Host *
|
|
||||||
AddKeysToAgent yes
|
|
||||||
ForwardAgent yes
|
|
||||||
# ForwardX11 no
|
|
||||||
# PasswordAuthentication yes
|
|
||||||
# HostbasedAuthentication no
|
|
||||||
# GSSAPIAuthentication no
|
|
||||||
# GSSAPIDelegateCredentials no
|
|
||||||
# BatchMode no
|
|
||||||
# CheckHostIP yes
|
|
||||||
# AddressFamily any
|
|
||||||
# ConnectTimeout 0
|
|
||||||
# StrictHostKeyChecking ask
|
|
||||||
# IdentityFile ~/.ssh/id_rsa
|
|
||||||
# IdentityFile ~/.ssh/id_dsa
|
|
||||||
# IdentityFile ~/.ssh/id_ecdsa
|
|
||||||
# IdentityFile ~/.ssh/id_ed25519
|
|
||||||
# Port 22
|
|
||||||
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
|
|
||||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
|
|
||||||
# EscapeChar ~
|
|
||||||
# Tunnel no
|
|
||||||
# TunnelDevice any:any
|
|
||||||
# PermitLocalCommand no
|
|
||||||
# VisualHostKey no
|
|
||||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
||||||
# RekeyLimit 1G 1h
|
|
||||||
Host git.ducamps.win
|
|
||||||
Hostname git.ducamps.win
|
|
||||||
User gitea
|
|
||||||
IdentityFile ~/.ssh/id_gitea
|
|
||||||
@ -1 +0,0 @@
|
|||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIztSvsQI0y4OtFNXivgVG7+R3MMcxZpkYwiV/OGSkFQzFOwbLxMfXzbL8ZEWtVRRkiKUwbkb1lUot/3qBOAMA16ggQ7SsnhO4LPKF48JnB/yzKZZqN6ADlTuPOBxWGTEvvVgFnLjlFC/WQymU6wKWdu0+3A7a10DeYaJk8lh8U1uVM7wmuWpNzggTZU+/gvkJKBitA3gU7JUSBztL299YykY1pMjfpqXFE0YEd4iLeUvvgUQH1/39Z4RV2dRMx7s3mMYlSEQq96b5iUfUh62vXRh+V0E/4lNmgoXEjZMhb+4W6F4mxQh3J8yKHdqkL5NtTGRNcwaqbXY5HE9cCoAyekG2sYiO1kYwiJS7haoHGWfOIldmdLLclByP4KFa0CHSVqfMLMkvN0AnGbZlCB5Y3Go/mm47zFmQb3JELmJcWcEPc/jRQBMCUB89BZ13rDWllROypWd0zLGh1yHdrMdQrcZCKZBpkWyb2pjyq/dssRblkpMVENJfcJO168wLibU= gitea@oscar
|
|
||||||
@ -1,38 +0,0 @@
|
|||||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
||||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
|
|
||||||
NhAAAAAwEAAQAAAYEAyM7Ur7ECNMuDrRTV4r4FRu/kdzDHMWaZGMIlfzhkpBUMxTsGy8TH
|
|
||||||
182y/GRFrVUUZIilMG5G9ZVKLf96gTgDANeoIEO0rJ4TuCzyhePCZwf8symWajegA5U7jz
|
|
||||||
gcVhkxL71YBZy45RQv1kMplOsClnbtPtwO2tdA3mGiZPJYfFNblTO8JrlqTc4IE2VPv4L5
|
|
||||||
CSgYrQN4FOyVEgc7S9vfWMpGNaTI36alxRNGBHeIi3lL74FEB9f9/WeEVdnUTMe7N5jGJU
|
|
||||||
hEKvem+YlH1Ietr10YfldBP+JTZoKFxI2TIW/uFuheJsUIdyfMih3apC+TbUxkTXMGqm12
|
|
||||||
ORxPXAqAMnpBtrGIjtZGMIiUu4WqBxlnziJXZnSy3JQcj+ChWtAh0lanzCzJLzdAJxm2ZQ
|
|
||||||
geWNxqP5puO8xZkG9yRC5iXFnBD3P40UATAlAfPQWdd6w1pZUTsqVndMyxodch3azHUK3G
|
|
||||||
QimQaZFsm9qY8qv3bLEW5ZKTFRDSX3CTtevMC4m1AAAFiOHYcAfh2HAHAAAAB3NzaC1yc2
|
|
||||||
EAAAGBAMjO1K+xAjTLg60U1eK+BUbv5HcwxzFmmRjCJX84ZKQVDMU7BsvEx9fNsvxkRa1V
|
|
||||||
FGSIpTBuRvWVSi3/eoE4AwDXqCBDtKyeE7gs8oXjwmcH/LMplmo3oAOVO484HFYZMS+9WA
|
|
||||||
WcuOUUL9ZDKZTrApZ27T7cDtrXQN5homTyWHxTW5UzvCa5ak3OCBNlT7+C+QkoGK0DeBTs
|
|
||||||
lRIHO0vb31jKRjWkyN+mpcUTRgR3iIt5S++BRAfX/f1nhFXZ1EzHuzeYxiVIRCr3pvmJR9
|
|
||||||
SHra9dGH5XQT/iU2aChcSNkyFv7hboXibFCHcnzIod2qQvk21MZE1zBqptdjkcT1wKgDJ6
|
|
||||||
QbaxiI7WRjCIlLuFqgcZZ84iV2Z0styUHI/goVrQIdJWp8wsyS83QCcZtmUIHljcaj+abj
|
|
||||||
vMWZBvckQuYlxZwQ9z+NFAEwJQHz0FnXesNaWVE7KlZ3TMsaHXId2sx1CtxkIpkGmRbJva
|
|
||||||
mPKr92yxFuWSkxUQ0l9wk7XrzAuJtQAAAAMBAAEAAAGBAMaxmVOq0yMISOdnGWf9W91gG3
|
|
||||||
Ewi7i+6zfLSy0B0NtmlLdHe6b+tDs9pyAD28nxyHbdmo48X+w6ZybyhvX7RUV9Hjempsyy
|
|
||||||
sZJoryR6Q+6MwadJvDKnjaZd8Iv7Gla7IKc7NDCBbZYGDnt1A1z92Ram4IN1XSF/IgmpE/
|
|
||||||
XMsm96T8FnaoHqr1wDRIxkj69Q2jgMO7ZeG2Cg47PuAedCzVHe+++yeKyMCbTiKELdP/e5
|
|
||||||
8sAu6PDV8NTfq9sC6gV7DmynuD6l63XI8zZi6Kr6Z3F1N4lXPlbAtGLoVzbCcRpQ10R8QR
|
|
||||||
xBc7O5nxHRqAMmfzRsJ8A1IXM26pLbkGyMZ3gLITcFMVEfmKapEt2sTD8rcthfme04UiVX
|
|
||||||
AaBxojIu2s6exw9p93gihHFDY3FDoJwhTypJHyDU6qq1ThfSZlQB/O2zqCttTr9CJOKium
|
|
||||||
eKwUPfhcEVzMGZ7AVFQAFpsPkrQfepIgz8DID9gLHH56hZRq55iUQSn8c/h6M7lK9NYQAA
|
|
||||||
AMEArfI7v/pcBZcjt0VGKTDmxfxHXka8J1Ljrp1H4mZQ67nqKq65bRr4LSxPYi/uLKTEA2
|
|
||||||
yVEZeR0ry8frQ4F59ji1e/yF2rMMpwSUe30RH+Qe2CtoH1FM56EneFZH7XSG6tGYEkeXgp
|
|
||||||
jintdhNYU+9mzEOrqEfa99UXbG4ymTqb4fipHPgPVYj7NmfpgMfusJILbeeYoagLeLLAKC
|
|
||||||
OyMr5y0jG2s81zWj+D/DzJOwLpfULKZAYZGZU44wju5/dRYZj+AAAAwQDrXmw3evOGG+FJ
|
|
||||||
SUX7cuT2kVsRPH0KXtmhXY+a9Jaibq9bzjSicyn870UrnioM91VQPQ64IBgjLM81SCcMUF
|
|
||||||
1m1h6qqoNCH1r8E1JKHlKvU8z2w6MncANAS3/chU0qyfbNjY6jzcGmYZ6Slo/ZjQ34RVwD
|
|
||||||
rUTHQwIuDUFw9iBEuz+st3JmYAOFyM/b45gwnuFoyKJOHebzMpM/SCz+qXhrtJxQIalElN
|
|
||||||
Js5c0GWQ4qroacSdwX5tk0JjqZIbK+s70AAADBANpo4D7vg5Q9oxXIJjUNPgCVSeGRb+up
|
|
||||||
q20tevfuqTgdgjdoMfB6Z54k47eayK4/tt4joQgFwCUSCcTXfwP4amXnubJWOB4rvNZoaF
|
|
||||||
OeAo8d3V6aOSLbpcszvIyf0uU60LlKU0ecE/UrN1jQpmv/Qkstgd2K2XE8addvQCxmyi15
|
|
||||||
AYXqn52cIXxoFzYuz6l7FNF708vDy/E64G2dcZYCIFPIKe4SJP9XLnsLk4xP57qkTI07X1
|
|
||||||
am7qIPs2H7GkWRWQAAAA92aW5jZW50QGZpeGUtcGMBAg==
|
|
||||||
-----END OPENSSH PRIVATE KEY-----
|
|
||||||
28
files/id_rsa
28
files/id_rsa
@ -1,28 +0,0 @@
|
|||||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
||||||
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABB3dGJOmT
|
|
||||||
6zIeKGnpAvHzKHAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDfJj3fN0PK
|
|
||||||
7ELn82wOZwL1JncL5prlM1kHVpmVJzhrrXF5ITzlqnaNaYLIpJVD5enbl7uJm0n1DNG58M
|
|
||||||
KkW5ILyFIV9zKlW4AJ4q+sQC2MqcSNkkXXdnxGf/9TuF83zMZ2Ex43dxtURIjXPVBgy963
|
|
||||||
BPdBGLepbDJATFe+GiUAJMwEm3A5DTT5Bo7Oh1mjZkuFn6fWsUK0uZr4oi7ZkZFRcHTy9f
|
|
||||||
VKG2XWWOAobFw7WjwP3F4IY9FWwU4TjeHv+gc9xQzRDtfWN/P4yTsALYvqqDrYxBplOyqt
|
|
||||||
z8Hkd4prujVFt4KA60P4KbwsR/nCHFTcFSSvdUldlfVdSD95n8VbAAAD0PqHdBdpkKHyuk
|
|
||||||
mHmdxzLlSdfcL+XNqP6z3Ac68D+aehVF/3GBrT86dn+2GcPKBnKjMAEQ3JRq3oUDqOG6a9
|
|
||||||
OsFRc1pyO5JxEK1+bEm5Ammtg4wQyHyVhywU3sN7zPnxDTQL4isGN6kLRVDfzrwaaQjYNU
|
|
||||||
gWF35veZU97w2lQXVOmiyxbpTIswJx7gr87eyznNhni6gdI31LSN/K8n3jGK6nZwamjMgS
|
|
||||||
NhR7eRS2FrrqpuC99U/RAGp5SseA9R3Yps8rp/bl+6/2en51octtoPXM0i+ajf9RSn0uaA
|
|
||||||
5t7BYO7zOLByy8Go0C6pT+GP1DfBMmD8OesDaSvTVI5dPWZgA0kjFrNlc2siV0WiYI6XAp
|
|
||||||
3/as6oQ1y1dIOF/rEsp0cm5D5e8kyjPp9mgWpX2MGEnd1+XddSCrWm9JTOeHwXNh0GZd5S
|
|
||||||
/HfrirBBJJgZ2WZ7L0xICWDK2O3/ovC5bX3b6ho3XiijKomeXV7ChtPj1QXFAWsQpfYUY5
|
|
||||||
c+ppr1vCgwTkfeFuo+WQ+37+PVJwOItjfj0r73Aq7cLazUOmuYZ970xGm8s7DLuSw2dzch
|
|
||||||
X60mQKAhzTQ2WfjBNh80kM5OMAh1SyHiVB1HImzhhdFlNvEw0Sxk2GWgTNI9g3kKOJYYR7
|
|
||||||
FXlZxaFe/OVHRfFIkUbT3E3yBLv3cGkAV5Q1rsoU/qYvBRHySIZubCm9D62HGgzubLIFoI
|
|
||||||
TS/n0wHrW3kDkCavwECZGTRKBugHPavd6QU3/Gv+bVjZJSpM37TMoKCm5vqEMJqZ4Tk0hq
|
|
||||||
Up4AwxaworrQIs2w9OKLEsLhHohNM0lkECllo5/3sujqAw0qzOk0l6E+pALPxuJairKTXQ
|
|
||||||
YcZsIG8QyUdEnhBGR08vJQ01qX355jdWev9uuOKHhoINXKBSyKue+uLlkqwlAX/jv1Fogm
|
|
||||||
WGd0gVLRbTzbJVAJsDmTb5HiTGtWgpbVJn6cAdBeB3ht/13G5EJcX5S/b1BF9ePTKW+zeU
|
|
||||||
kM0Ugox+JhPoQL0ldTri220YG5NZlkY16Lprvj3bfrW2NAkxSOqLpCvkNp2aqfaMLcYBa+
|
|
||||||
FmWG4eP9d3ip1nY5quvECca8v8VC1lozrW/tdlii+XCXEfRUDRnOHqcpnsjKXNU9uk+c+0
|
|
||||||
AiNIrQITxK8Q7aM0X8HvPrcMxTg/za2Jflq7pZUMcR2s3HNkgxdhwlVyDeN0g5zr0YIEGO
|
|
||||||
rvCZyhgNpJIGdfcF1cVp3VYVTtSLHFV/cDAJuKRHiAFVRgZRxR4dpiwlYEvu5cHtfJ0lu3
|
|
||||||
PvhWqQeWX5Bg8jLduAd/uo79FK/nw=
|
|
||||||
-----END OPENSSH PRIVATE KEY-----
|
|
||||||
@ -88,32 +88,12 @@
|
|||||||
state: 'present'
|
state: 'present'
|
||||||
validate: 'visudo -cf "%s"'
|
validate: 'visudo -cf "%s"'
|
||||||
|
|
||||||
- name: copy rsa key for user
|
|
||||||
copy:
|
|
||||||
dest: /home/{{user.name}}/.ssh/ # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist.
|
|
||||||
src: "{{item}}" # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync.
|
|
||||||
force: yes # not required. the default is C(yes), which will replace the remote file when contents are different than the source. If C(no), the file will only be transferred if the destination does not exist.
|
|
||||||
remote_src: no # not required. If C(no), it will search for I(src) at originating/master machine.,If C(yes) it will go to the remote/target machine for the I(src). Default is C(no).,Currently I(remote_src) does not support recursive copying.,I(remote_src) only works with C(mode=preserve) as of version 2.6.
|
|
||||||
mode: "600" # not required. Mode the file or directory should be. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of version 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of version 2.3, the mode may also be the special string C(preserve). C(preserve) means that the file will be given the same permissions as the source file.
|
|
||||||
selevel: s0 # not required. Level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the C(range). C(_default) feature works as for I(seuser).
|
|
||||||
owner: "{{user.name}}" # not required. Name of the user that should own the file/directory, as would be fed to I(chown).
|
|
||||||
with_items:
|
|
||||||
- id_rsa
|
|
||||||
- authorized_keys
|
|
||||||
- id_gitea
|
|
||||||
- config
|
|
||||||
|
|
||||||
- name: copy rsa key for root
|
- name: Set authorized key taken from file
|
||||||
copy:
|
authorized_key:
|
||||||
dest: /root/.ssh/ # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist.
|
user: "{{user.name}}"
|
||||||
src: "{{item}}" # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync.
|
state: present
|
||||||
force: yes # not required. the default is C(yes), which will replace the remote file when contents are different than the source. If C(no), the file will only be transferred if the destination does not exist.
|
key: "{{ lookup('file', '/home/{{user.name}}/.ssh/id_rsa.pub') }}"
|
||||||
remote_src: no # not required. If C(no), it will search for I(src) at originating/master machine.,If C(yes) it will go to the remote/target machine for the I(src). Default is C(no).,Currently I(remote_src) does not support recursive copying.,I(remote_src) only works with C(mode=preserve) as of version 2.6.
|
|
||||||
mode: "600" # not required. Mode the file or directory should be. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of version 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of version 2.3, the mode may also be the special string C(preserve). C(preserve) means that the file will be given the same permissions as the source file.
|
|
||||||
selevel: s0 # not required. Level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the C(range). C(_default) feature works as for I(seuser).
|
|
||||||
with_items:
|
|
||||||
- id_gitea
|
|
||||||
- config
|
|
||||||
|
|
||||||
- name: Remove root SSH access
|
- name: Remove root SSH access
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user