it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add kerberize role (providing kerberized ssh so far).

Browse source
This commit is contained in:
Andreas B. Mundt 2019-11-29 15:47:45 +01:00
parent be829760c6
commit 61e4b1d852
5 changed files with 41 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
kerberox-client.yml
View file

@ -20,6 +20,7 @@
roles: roles:
- up2date-debian - up2date-debian
- lan-client - lan-client
- kerberize
## Choose either gnome or KDE: ## Choose either gnome or KDE:
#- gnome #- gnome
#- kde #- kde

1
kerberox.yml
View file

@ -52,3 +52,4 @@
- { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool } - { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
- { role: nfs-server, when: not run_in_installer|default(false)|bool } - { role: nfs-server, when: not run_in_installer|default(false)|bool }
- prepare4clients - prepare4clients
- kerberize

5
roles/kerberize/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
- name: reload sshd
systemd:
name: sshd
state: reloaded
notify: "reload sshd"

18
roles/kerberize/tasks/main.yml Normal file
View file

@ -0,0 +1,18 @@
- name: kerberize sshd server
lineinfile:
dest: /etc/ssh/sshd_config
line: "GSSAPIAuthentication yes"
insertafter: "#GSSAPIAuthentication no"
notify: "reload sshd"
- name: kerberize ssh client, authenticate
lineinfile:
dest: /etc/ssh/ssh_config
line: "GSSAPIAuthentication yes"
insertafter: "# GSSAPIAuthentication no"
- name: kerberize ssh client, delegate credentials
lineinfile:
dest: /etc/ssh/ssh_config
line: "GSSAPIDelegateCredentials yes"
insertafter: "# GSSAPIDelegateCredentials no"

22
roles/lan-client/tasks/main.yml
View file

@ -56,19 +56,29 @@
mode: 0600 mode: 0600
notify: restart sssd notify: restart sssd
## Activate machine after installation: ## Activate machine after installation:
- name: create machine principal - name: create machine principals
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}" command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
register: kerberize_result register: kerberize_result
with_items:
- nfs
- host
changed_when: kerberize_result.stderr is not search('already exists while creating') changed_when: kerberize_result.stderr is not search('already exists while creating')
no_log: true no_log: true
when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
- name: add principal to keytab - name: remove old keytab
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}" file:
path: /etc/krb5.keytab
state: absent
when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
- name: add principals to keytab
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
with_items:
- nfs
- host
args: args:
creates: /etc/krb5.keytab
no_log: true no_log: true
notify: "restart rpc-gssd" notify: "restart rpc-gssd"
when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0