Getting started
Security considerations
The debops.authorized_keys
role is designed to manage files in
/etc/ssh/authorized_keys/
directory which contain SSH public keys for user
accounts.
By default, role modifies the ownership and permissions of these files after
the Ansible authorized_key
changes them, so that the owner of these files
is root
account, and the file group, either named after the specified
username, set as an item.group
parameter or root
if the previous
entries don't result in an existing group present on a given system. This
assumes that each user account has a primary group of the same name as their
account, and they are the only members of that group.
The file attributes will be set as 640
to allow read only access to the SSH
public key files. This should ensure that user accounts can be logged into the
specific SSH public keys, but they cannot be modified by their respective
users.
Unfortunately, it seems that the Ansible authorized_key
module
enforces the "600" file permissions
on any file change, therefore there exists a window of opportunity between the
given user file being updated by the authorized_key
module and permissions
being enforced again by the file
Ansible module. At the moment there's no
good solution to this issue, perhaps in the future the authorized_key
module will be updated to allow for setting custom file ownership and
permissions similarly to the file
module. However, if there are no updates
to the user files, the permissions are not changed.
SSH service configuration
The debops.authorized_keys
role does not manage the sshd
service
configuration by itself. Instead, you are expected to configure the sshd
daemon to use the authorized keys from its directory, either by hand or by an
Ansible role.
Note
The debops.sshd role enables use of the SSH public keys managed by the
debops.authorized_keys
automatically.
To enable the sshd
service to use the configured public keys, you should
change the configuration in the /etc/ssh/sshd_config
file to something like
this:
# /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys
The above configuration will enable use of the configured keys by all subsequent SSH connections.
You can use the Match
keyword to restrict the use of the authorized keys to
a particular hosts, users, groups or IP addresses/subnets as needed. For
example, if you want to check these authorized keys only for users in
a specific subnet, you can do it like this:
# /etc/ssh/sshd_config
Match Address 192.0.2.0/24
AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys
Alternatively, you can use different conditions to restrict the SSH public keys
checked by the sshd
daemon to only the authorized keys maintained by this
role. For example, to restrict a particular system group to only use these
authorized keys for authentication, you can do it like this:
# /etc/ssh/sshd_config
Match Group sftponly
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Example inventory
This role is included by default in the common.yml
DebOps playbook, so you
don't need to do anything to enable it.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.authorized_keys
role:
---
- name: Manage SSH public keys
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_all_hosts', 'debops_service_authorized_keys' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: authorized_keys
tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]