From 61e4b1d852f7e7667231b093c555d4af8d490ff2 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Fri, 29 Nov 2019 15:47:45 +0100
Subject: [PATCH] Add kerberize role (providing kerberized ssh so far).
---
 kerberox-client.yml | 1 +
 kerberox.yml | 1 +
 roles/kerberize/handlers/main.yml | 5 +++++
 roles/kerberize/tasks/main.yml | 18 ++++++++++++++++++
 roles/lan-client/tasks/main.yml | 22 ++++++++++++++++------
 5 files changed, 41 insertions(+), 6 deletions(-)
 create mode 100644 roles/kerberize/handlers/main.yml
 create mode 100644 roles/kerberize/tasks/main.yml
diff --git a/kerberox-client.yml b/kerberox-client.yml
index 7fceaf7..201d5d5 100644
--- a/kerberox-client.yml
+++ b/kerberox-client.yml
@@ -20,6 +20,7 @@
 roles:
 - up2date-debian
 - lan-client
+ - kerberize
 ## Choose either gnome or KDE:
 #- gnome
 #- kde
diff --git a/kerberox.yml b/kerberox.yml
index c1594ca..2335fcf 100644
--- a/kerberox.yml
+++ b/kerberox.yml
@@ -52,3 +52,4 @@
 - { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
 - { role: nfs-server, when: not run_in_installer|default(false)|bool }
 - prepare4clients
+ - kerberize
diff --git a/roles/kerberize/handlers/main.yml b/roles/kerberize/handlers/main.yml
new file mode 100644
index 0000000..9adbeaa
--- /dev/null
+++ b/roles/kerberize/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: reload sshd
+ systemd:
+ name: sshd
+ state: reloaded
+ notify: "reload sshd"
diff --git a/roles/kerberize/tasks/main.yml b/roles/kerberize/tasks/main.yml
new file mode 100644
index 0000000..6fcecc2
--- /dev/null
+++ b/roles/kerberize/tasks/main.yml
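Review bot: The `reload sshd` handler in roles/kerberize/handlers/main.yml notifies itself with `notify: "reload sshd"` on its last line, which looks like a copy-paste leftover from a task; a handler re-queuing itself adds nothing and, depending on the Ansible version, is either ignored or reruns the reload. Drop that line so the handler is only the `systemd` call. The unit name `sshd` resolves on Debian-based targets (which the `up2date-debian` role suggests) only through the `sshd.service` alias of `ssh.service`, which presumably exists only once the unit is enabled; `name: ssh` would be the canonical unit there, so confirm the alias is present on every host before relying on it.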
@@ -0,0 +1,18 @@
+- name: kerberize sshd server
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: "GSSAPIAuthentication yes"
+ insertafter: "#GSSAPIAuthentication no"
+ notify: "reload sshd"
+
+- name: kerberize ssh client, authenticate
+ lineinfile:
+ dest: /etc/ssh/ssh_config
+ line: "GSSAPIAuthentication yes"
+ insertafter: "# GSSAPIAuthentication no"
+
+- name: kerberize ssh client, delegate credentials
+ lineinfile:
+ dest: /etc/ssh/ssh_config
+ line: "GSSAPIDelegateCredentials yes"
+ insertafter: "# GSSAPIDelegateCredentials no"
diff --git a/roles/lan-client/tasks/main.yml b/roles/lan-client/tasks/main.yml
index f4d7afb..6882fa9 100644
--- a/roles/lan-client/tasks/main.yml
+++ b/roles/lan-client/tasks/main.yml
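Review bot: The `kerberize sshd server` task adds `GSSAPIAuthentication yes` with no `regexp`, so an existing uncommented `GSSAPIAuthentication no` earlier in sshd_config stays in place and wins, because sshd takes the first value of a directive; add `regexp: '^#?GSSAPIAuthentication '` so the directive is replaced in place, and `validate: '/usr/sbin/sshd -t -f %s'` so a malformed result never reaches the `reload sshd` handler. The two ssh_config tasks have the same missing-`regexp` pattern and should get a matching `regexp` each. Setting `GSSAPIDelegateCredentials yes` in the system-wide ssh_config lands in the default `Host *` stanza, which forwards every user's TGT to any host they connect to, not only realm members; a `Host *.{{ ansible_domain }}` stanza (or leaving delegation per-user) confines the delegated credential to the realm. `insertafter` only decides placement when nothing matches, so if the stock comment spacing differs from `# GSSAPIAuthentication no` the line is appended at end of file, which presumably is still inside `Host *` on a stock file but is worth verifying on a target.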
@@ -56,19 +56,29 @@ mode: 0600 notify: restart sssd - ## Activate machine after installation: -- name: create machine principal - command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}" +- name: create machine principals + command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}" register: kerberize_result + with_items: + - nfs + - host changed_when: kerberize_result.stderr is not search('already exists while creating') no_log: true when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 -- name: add principal to keytab - command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}" +- name: remove old keytab + file: + path: /etc/krb5.keytab + state: absent + when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 + +- name: add principals to keytab + command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}" + with_items: + - nfs + - host args: - creates: /etc/krb5.keytab no_log: true notify: "restart rpc-gssd" when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
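Review bot: The new `remove old keytab` task deletes `/etc/krb5.keytab` on every run in which `kadmin_pwd` is set, and `add principals to keytab` then runs `ktadd` again now that `creates: /etc/krb5.keytab` is gone; `ktadd` generates fresh random keys and increments the kvno, so each playbook run rotates the host and nfs keys and invalidates the service tickets clients already hold for this machine. Guard both tasks with `when: ... and kerberize_result is changed` so the keytab is only rebuilt when a principal was actually created, or check `klist -k` for both principals first; the first form would not repair a host whose principals exist but whose keytab is missing, so the choice depends on whether reinstalls are expected. The `args:` key left behind after removing `creates:` now has a null value and should be dropped, since a null `args` may be rejected by the task parser. The admin password is still passed as a `-w` argument and is readable by any local user in the process list for the duration of each kadmin call regardless of `no_log: true`; this predates the commit, but the new `with_items` loop now issues the call twice per task, and the `mode: 0600` / `notify: restart sssd` context at the top belongs to a task that starts before the hunk.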