ssh-certs users.

2026-05-21 02:10:57 +10:00
parent cc71562960
commit eaec4d7b87
4 changed files with 240 additions and 0 deletions
--- a/playbooks/deploy_ssh_user_certs.yml
+++ b/playbooks/deploy_ssh_user_certs.yml
@@ -0,0 +1,70 @@
+- hosts: all
+  become: yes
+  vars:
+    # Путь к ПУБЛИЧНОМУ ключу User CA на вашей Ansible-машине
+    local_ssh_user_ca_pub_path: "/etc/step-ca/ssh_user_ca_key.pub"
+
+  tasks:
+    - name: Создание системной директории для принципалов
+      file:
+        path: /etc/ssh/auth_principals
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Создание локальных пользователей из списка проекта
+      user:
+        name: "{{ item.name }}"
+        shell: /bin/bash
+        create_home: yes
+        state: present
+      loop: "{{ project_users }}"
+
+    - name: Генерация файлов auth_principals с маппингом проектов
+      copy:
+        dest: "/etc/ssh/auth_principals/{{ item.name }}"
+        content: "{{ allowed_projects | join('\n') }}\n"
+        owner: root
+        group: root
+        mode: '0644'
+      loop: "{{ project_users }}"
+
+    - name: Настройка беспарольного sudo для администраторов проекта
+      copy:
+        dest: "/etc/sudoers.d/project-ssh-{{ item.name }}"
+        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
+        validate: /usr/sbin/visudo -cf %s
+        mode: '0440'
+      loop: "{{ project_users }}"
+      when: item.sudo | bool
+
+    - name: Копирование публичного ключа User CA на хост
+      copy:
+        src: "{{ local_ssh_user_ca_pub_path }}"
+        dest: /etc/ssh/ca.pub
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Сбор имен всех разрешенных пользователей для AllowUsers
+      set_fact:
+        allow_users_list: "{{ project_users | map(attribute='name') | join(' ') }}"
+
+    - name: Настройка sshd_config для авторизации пользователей по сертификатам
+      blockinfile:
+        path: /etc/ssh/sshd_config
+        block: |
+          TrustedUserCAKeys /etc/ssh/ca.pub
+          AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
+          AllowUsers {{ allow_users_list }} hogweed1
+          PasswordAuthentication no
+          PubkeyAuthentication yes
+        marker: "# {mark} ANSIBLE MANAGED USER CERTIFICATE BLOCK #"
+      notify: Restart SSH
+
+  handlers:
+    - name: Restart SSH
+      service:
+        name: sshd
+        state: restarted