Configuring SSHD System Role on RHEL Systems using Ansible


Prerequisites:

  • Access and permissions on one or more managed nodes, the systems to be configured with the sshd system role. The role writes /etc/ssh/sshd_config and reloads sshd, so the Ansible user needs root privileges on them (directly or through sudo).
  • Ansible installed on the control node, the system from which you run the playbook.
  • The rhel-system-roles package installed on the control node; it provides the rhel-system-roles.sshd role and the example playbook that the procedure copies.
  • An inventory file listing the managed nodes.

Procedure:

  1. Copy the example playbook for the sshd system role:
# cp /usr/share/doc/rhel-system-roles/sshd/example-root-login-playbook.yml path/custom-playbook.yml
  2. Edit the copied playbook using a text editor, such as Vim:
# vim path/custom-playbook.yml

Here's what the playbook looks like after editing:

---
- hosts: all
  tasks:
  - name: Configure sshd to prevent root and password login except from particular subnet
    include_role:
      name: rhel-system-roles.sshd
    vars:
      sshd:
        # root login and password login is enabled only from a particular subnet
        PermitRootLogin: no
        PasswordAuthentication: no
        Match:
        - Condition: "Address 192.0.2.0/24"
          PermitRootLogin: yes
          PasswordAuthentication: yes

The top-level PermitRootLogin and PasswordAuthentication settings go into the global section of sshd_config and disable root and password login for every client. The Match entry becomes a "Match Address 192.0.2.0/24" block that re-enables both, but only for connections whose source address is in 192.0.2.0/24. In sshd_config every directive after a Match line belongs to that block, which is why the role writes Match blocks at the end of the file. Keep the permitted subnet as small as possible, since root and password login are exactly what the global settings are there to remove. Note also that Ansible reaches the managed nodes over SSH: if the control node is outside 192.0.2.0/24 and authenticates with a password, the first run succeeds and every later run is locked out, so use key-based authentication for the Ansible user.

  3. Check the syntax of the playbook:
# ansible-playbook --syntax-check path/custom-playbook.yml
  4. Run the playbook using the inventory file:
# ansible-playbook -i inventory_file path/custom-playbook.yml

Output:

PLAY RECAP **************************************************
localhost : ok=12 changed=2 unreachable=0 failed=0 skipped=10 rescued=0 ignored=0
  5. Verify the configuration by logging in to the SSH server (from outside the subnet only key-based, non-root logins succeed):
$ ssh [email protected]
  6. On the managed node, check the contents of the /etc/ssh/sshd_config file (the file is readable only by root):
# cat /etc/ssh/sshd_config

The output should look similar to this:

# Ansible managed
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
PasswordAuthentication no
PermitRootLogin no
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UsePAM yes
X11Forwarding yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    PermitRootLogin yes

The "# Ansible managed" header reflects that the role writes the whole file from a template: the result contains the settings given under sshd in the playbook plus the role's defaults, and nothing else. Any setting that was in the node's previous sshd_config but is not in the playbook is gone after the run, so existing hardening has to be carried into the playbook. The Match block is the last thing in the file; the two indented directives apply only to clients in 192.0.2.0/24 and override the global "no" values for them.
  7. Verify that you can connect to the SSH server as root from a machine in the 192.0.2.0/24 subnet:
$ hostname -I
192.0.2.1

$ ssh [email protected]

Then check the other half of the policy: from a machine outside 192.0.2.0/24, the same root login (and any password login) must be refused with "Permission denied", while key-based login as an unprivileged user still works. Only this negative test shows whether the global restriction actually holds; a mis-typed or misplaced Match block can silently widen it.
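The procedure above as one script, added here as an example; it is not code from the Red Hat documentation or the rhel-system-roles project. From the control node it runs the syntax check, a dry run that prints the diff of the file the role would write, and the real run; then it asks sshd on each managed node, via `sshd -T -C addr=...`, which PermitRootLogin and PasswordAuthentication values it applies to a client inside and a client outside the subnet. The `effective_value` function reproduces that Match Address evaluation in awk against a config file, so the same check can be run offline on a copy of the generated sshd_config (the sample file is constructed from the step 6 listing). The playbook path, inventory name and the two probe addresses are assumptions.

```shell
#!/bin/sh
# Added example for this page; not code from the Red Hat documentation or the
# rhel-system-roles project. Assumptions: PLAYBOOK and INVENTORY paths, and the
# two probe addresses (one inside Match Address 192.0.2.0/24, one outside).
set -eu

PLAYBOOK="${PLAYBOOK:-path/custom-playbook.yml}"   # assumed: path from the procedure
INVENTORY="${INVENTORY:-inventory_file}"           # assumed: inventory from the procedure
INSIDE_ADDR="192.0.2.1"                            # client inside the permitted subnet
OUTSIDE_ADDR="198.51.100.7"                        # constructed: client outside it

# Steps 3 and 4 from the control node: syntax check, a dry run that prints the
# diff of the sshd_config the role would write, then the real run.
deploy() {
    ansible-playbook --syntax-check "$PLAYBOOK"
    ansible-playbook -i "$INVENTORY" --check --diff "$PLAYBOOK"
    ansible-playbook -i "$INVENTORY" "$PLAYBOOK"
}

# Ask sshd itself, as root on every managed node, what it applies to a client at
# each probe address: "sshd -T" dumps the effective configuration and "-C"
# supplies the connection attributes that Match blocks are evaluated against.
verify_on_nodes() {
    for addr in "$INSIDE_ADDR" "$OUTSIDE_ADDR"; do
        echo "== client address $addr =="
        ansible -i "$INVENTORY" all -b -m command -a "sshd -T -C addr=$addr" \
            | grep -iE '^(permitrootlogin|passwordauthentication) '
    done
}

# effective_value CONFIG KEY ADDR: the value sshd uses for KEY when the client
# connects from IPv4 address ADDR, following sshd_config rules: the first global
# occurrence wins and a directive inside the first matching Match block overrides
# it. Only "Match all" and "Match Address" (comma-separated CIDRs) are evaluated
# offline; blocks with other criteria are treated as not matching.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v addr="$3" '
    function ip2int(s,   a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function in_cidr(ip, cidr,   p, bits, div) {
        split(cidr, p, "/"); bits = (p[2] == "" ? 32 : p[2] + 0); div = 2 ^ (32 - bits)
        return int(ip2int(ip) / div) == int(ip2int(p[1]) / div)
    }
    function matches(cond,   n, f, i, j, m, list) {
        n = split(cond, f, /[ \t]+/)
        if (n == 1 && tolower(f[1]) == "all") return 1
        for (i = 1; i < n; i += 2) {
            if (tolower(f[i]) != "address") return 0
            m = split(f[i + 1], list, ",")
            for (j = 1; j <= m; j++) if (in_cidr(addr, list[j])) return 1
        }
        return 0
    }
    {
        sub(/#.*/, ""); if (NF == 0) next
        k = tolower($1); rest = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)
        if (k == "match") { inblock = 1; active = matches(rest); next }
        if (k != key) next
        if (!inblock) { if (global == "") global = rest }
        else if (active && override == "") override = rest
    }
    END { print (override != "" ? override : global) }' "$1"
}

# policy_ok CONFIG: succeeds only if CONFIG enforces the intended policy, i.e.
# root and password login are allowed from inside the subnet and refused outside.
policy_ok() {
    [ "$(effective_value "$1" PermitRootLogin "$INSIDE_ADDR")" = yes ] &&
    [ "$(effective_value "$1" PasswordAuthentication "$INSIDE_ADDR")" = yes ] &&
    [ "$(effective_value "$1" PermitRootLogin "$OUTSIDE_ADDR")" = no ] &&
    [ "$(effective_value "$1" PasswordAuthentication "$OUTSIDE_ADDR")" = no ]
}

# Constructed stand-in for the generated file so the checks run offline; prints
# the path of a temporary file holding the relevant lines from the step 6 listing.
make_sample_config() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# Ansible managed
PasswordAuthentication no
PermitRootLogin no
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    PermitRootLogin yes
EOF
    printf '%s\n' "$f"
}

# Only touch real nodes when explicitly asked: sh verify-sshd.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy
    verify_on_nodes
fi
```

Run it with the argument `deploy` to execute the playbook and the on-node check; without arguments it only defines the functions, so `policy_ok /path/to/copied/sshd_config` can be used on its own against a file fetched from a node. The on-node check is the authoritative one, since `sshd -T -C` evaluates every Match criterion and the real parser; the awk evaluator is a convenience for reviewing files before they are deployed.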

Additional Resources:

  • /usr/share/doc/rhel-system-roles/sshd/README.md file.
  • ansible-playbook(1) man page.

By following these steps, you can configure the SSHD system role on RHEL systems using Ansible.