adfinis.maintenance.audit_ssh_authorizedkeys (0.1.23) — module

This is my test module

Added in version 0.1.0 of adfinis.maintenance

Authors: Adfinis AG (@adfinis)

Install collection

Install with ansible-galaxy collection install adfinis.maintenance:==0.1.23


Add to requirements.yml

  collections:
    - name: adfinis.maintenance
      version: 0.1.23

Description

This is my longer description explaining my test module.

Usage examples

- name: Check for unknown SSH keys
  adfinis.maintenance.audit_ssh_authorizedkeys:
    allowed:
      - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA'
- name: The same, but also check users from sssd (use with caution if your domain contains a large number of users)
  adfinis.maintenance.audit_ssh_authorizedkeys:
    allowed:
      - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA'
    limit_nss_backends: [files, compat, db, systemd, sss]
- name: Silence the warning that sss users are not audited
  adfinis.maintenance.audit_ssh_authorizedkeys:
    allowed:
      - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA'
    ignore_nss_backends: [sss]

Inputs

file:
    default: null
    description: Path to the authorized_keys file. If absent, sshd_config is queried
      instead (see the config and sshd options below)
    required: false
    type: str

sshd:
    default: sshd
    description: Path to the sshd binary
    required: false
    type: str

user:
    default: ALL
    description: User whose keys to audit
    required: false
    type: str

config:
    default: /etc/ssh/sshd_config
    description: Path to the sshd config file
    required: false
    type: str

allowed:
    default: []
    description: List of optional, allowed authorized_keys entries
    required: false
    type: list

required:
    default: []
    description: List of required authorized_keys entries
    required: false
    type: list

forbidden:
    default: []
    description: List of forbidden authorized_keys entries
    required: false
    type: list

limit_nss_backends:
    default:
    - files
    - compat
    - db
    - systemd
    description: Only retrieve users from these NSS backends, and emit a warning if other
      backends are configured.
    required: false
    type: list

ignore_nss_backends:
    default: []
    description: Consider these NSS backends as "safe" and don't emit a warning if they
      are not present in limit_nss_backends.
    required: false
    type: list

Outputs

authorized_keys:
  description: Entries in all authorized_keys files, per user
  returned: always
  sample:
    root:
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA mallory@evil.example.org
  type: dict