-rw-r--r-- | inventory.yaml | 6 | ||||
-rw-r--r-- | playbook.yaml | 1 | ||||
-rw-r--r-- | roles/ssh-port-fwd-user/handlers/main.yaml | 6 | ||||
-rw-r--r-- | roles/ssh-port-fwd-user/tasks/main.yaml | 83 | ||||
-rw-r--r-- | roles/ssh-port-fwd-user/vars/main.yaml | 3 |
5 files changed, 99 insertions, 0 deletions
diff --git a/inventory.yaml b/inventory.yaml index 1bdf809..be14b5f 100644 --- a/inventory.yaml +++ b/inventory.yaml @@ -13,6 +13,9 @@ all: internal_nginx_port: 8080 internal_sshd_port: 22 + # set this to generate a portfwd only user + port_fwd_user: proxyuser + #server02: # ansible_host: 10.11.12.14 # ansible_user: root @@ -25,6 +28,9 @@ all: # public_sslh_port: 443 # internal_nginx_port: 8080 # internal_sshd_port: 22 + # + # # set this to generate a portfwd only user + # port_fwd_user: proxyuser children: servers: diff --git a/playbook.yaml b/playbook.yaml index f0fbe91..b2a6ebf 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -17,6 +17,7 @@ - attackbox - sliver-c2 - ssh-nginx-multiplex + - ssh-port-fwd-user #- name: setup server02 # hosts: server02 diff --git a/roles/ssh-port-fwd-user/handlers/main.yaml b/roles/ssh-port-fwd-user/handlers/main.yaml new file mode 100644 index 0000000..8c5ef88 --- /dev/null +++ b/roles/ssh-port-fwd-user/handlers/main.yaml @@ -0,0 +1,6 @@ +- name: restart ssh + systemd: + name: ssh + state: restarted + enabled: true + when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/ssh-port-fwd-user/tasks/main.yaml b/roles/ssh-port-fwd-user/tasks/main.yaml new file mode 100644 index 0000000..8975cdb --- /dev/null +++ b/roles/ssh-port-fwd-user/tasks/main.yaml 
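Review bot: The `restart ssh` handler hard-codes the unit name `ssh`, which is the Debian/Ubuntu name; on RHEL/Fedora-style hosts the unit is `sshd`, so there the notify fails only after the drop-in has already been written. Reading the unit name from a variable with `ssh` as its default, e.g. `name: "{{ sshd_service_name | default('ssh') }}"`, keeps the handler portable. A restart also kills every active session and, if the new drop-in does not parse, leaves no sshd listening, which locks the operator out of the host; a task that runs `sshd -t` before the drop-in task notifies the handler would surface a bad configuration while the old daemon is still up. The `when:` guard on the handler is presumably at task level — confirm the indentation once the file is viewed uncollapsed, since a `when` nested under `systemd:` is rejected as an unsupported module parameter.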
@@ -0,0 +1,83 @@
+- name: fail if required vars are missing
+ assert:
+ that:
+ - port_fwd_user is defined
+
+- name: set default shell if not defined
+ set_fact:
+ port_fwd_shell: "/bin/false"
+ when: port_fwd_shell is not defined
+
+- name: create restricted user
+ user:
+ name: "{{ port_fwd_user }}"
+ shell: "{{ port_fwd_shell }}"
+ create_home: yes
+ password: '*'
+ state: present
+
+- name: ensure {{ ssh_key_dir }} exists
+ ansible.builtin.file:
+ path: "{{ ssh_key_dir }}"
+ state: directory
+ owner: "{{ port_fwd_user }}"
+ group: "{{ port_fwd_user }}"
+ mode: '0700'
+
+- name: set ssh_key_dir
+ set_fact:
+ ssh_key_dir: "{{ ssh_key_dir }}"
+
+- name: create ssh key pair on remote host
+ community.crypto.openssh_keypair:
+ path: "{{ ssh_key_dir }}/id_ed25519"
+ type: ed25519
+ owner: "{{ port_fwd_user }}"
+ group: "{{ port_fwd_user }}"
+ mode: '0600'
+ comment: ""
+ force: true
+
+- name: set authorized_keys for restricted user
+ copy:
+ src: "{{ ssh_key_dir }}/id_ed25519.pub"
+ dest: "{{ ssh_key_dir }}/authorized_keys"
+ remote_src: yes
+ owner: "{{ port_fwd_user }}"
+ group: "{{ port_fwd_user }}"
+ mode: '0600'
+
+- name: create sshd_config.d drop-in
+ copy:
+ dest: "/etc/ssh/sshd_config.d/{{ port_fwd_user }}.conf"
+ content: |
+ Match User {{ port_fwd_user }}
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ AllowTcpForwarding yes
+ PermitOpen any
+ GatewayPorts no
+ X11Forwarding no
+ PermitTunnel no
+ AllowAgentForwarding no
+ ForceCommand echo "port forwarding only"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart ssh
+
+- name: ensure /etc/ssh/sshd_config includes .d directory
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^Include /etc/ssh/sshd_config\.d/\*\.conf'
+ line: 'Include /etc/ssh/sshd_config.d/*.conf'
+ insertafter: EOF
+ notify: restart ssh
+
+- name: fetch private key to control node
+ fetch:
+ src: "{{ ssh_key_dir }}/id_ed25519"
+ dest: "./{{ inventory_hostname }}_{{ port_fwd_user }}_id_ed25519"
+ flat: true
+ fail_on_missing: yes
+ mode: '0600'
diff --git a/roles/ssh-port-fwd-user/vars/main.yaml b/roles/ssh-port-fwd-user/vars/main.yaml
new file mode 100644
index 0000000..97f8962
--- /dev/null
+++ b/roles/ssh-port-fwd-user/vars/main.yaml
@@ -0,0 +1,3 @@
+port_fwd_shell: /bin/false
+ssh_key_dir: "/home/{{ port_fwd_user }}/.ssh"
+private_key_path: "/tmp/{{ port_fwd_user }}_ed25519" |
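Review bot: `force: true` on the `community.crypto.openssh_keypair` task regenerates the ed25519 key on every run, so each play rewrites `authorized_keys` and fetches a different private key to the control node; without `force` the module only creates a missing key, so dropping that line is what makes the role idempotent. The private key is also left at rest on the target in `{{ ssh_key_dir }}/id_ed25519` after the fetch, where it is the very credential that grants the forwarding access; add `- file: path: "{{ ssh_key_dir }}/id_ed25519" state: absent` after the fetch task, or generate the pair on the control node and only push the public half. `mode: '0600'` does not look like a parameter the `fetch` module accepts — confirm against the module docs; if it is rejected or ignored, the fetched key is written with the control node's default umask and needs a local `file` task to restrict it. The `lineinfile` task appends the `Include` with `insertafter: EOF`, which places it inside any `Match` block that ends the stock `sshd_config` and makes the drop-in conditional on that block; `insertbefore: '^Match'` with `firstmatch: true` (falling back to BOF) keeps it in the global section, and on distributions whose stock config already carries the `Include` at the top the `regexp` simply matches the existing line. `PermitOpen any` lets this user forward to any host reachable from the server; since the inventory already carries `internal_nginx_port` and `internal_sshd_port`, a narrower `PermitOpen localhost:{{ internal_sshd_port }}` would bound the forwarding to what the role is actually for.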
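Review bot: `port_fwd_shell: /bin/false` lives in the role's `vars/main.yaml`, and role vars take precedence over inventory and play vars, so the `when: port_fwd_shell is not defined` guard on the `set default shell if not defined` task in tasks/main.yaml is never true and the shell cannot be overridden from the inventory without extra-vars; moving these three entries to `defaults/main.yaml` restores the intended override and makes that set_fact task redundant. `private_key_path` is defined here but no task in this change references it; the fetch task builds its own `./{{ inventory_hostname }}_{{ port_fwd_user }}_id_ed25519` path, so either use the variable there or drop it. For `ssh_key_dir`, the value presumes the user's home is `/home/{{ port_fwd_user }}` — a home set elsewhere would leave the key outside the directory sshd reads `authorized_keys` from; confirm, or derive it from the `user` task's result.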