Day 3 - Power trip [Automatically] #3

Closed
opened 2022-02-09 16:10:11 +00:00 by john · 2 comments
Owner

Phase 1: open the correct access channel

Perform these actions via Ansible, root / public key auth already configured.

  • Create a standard user.
  • Install public keys to the user's `~/.ssh/authorized_keys`.
  • Install `sudo` and give the new user passwordless group membership.
  • Generate a new Ansible inventory/config to access the server with this admin user.

Phase 2: close the incorrect access channels *(Basic Hardening)*

Perform these actions via Ansible, admin user / public key auth configured in the previous step.

  • Disable password login over SSH.
  • Disable root login over SSH.
  • Install `fail2ban`.
  • Change the SSH port.
  • Generate a new Ansible inventory/config to access the server over the new port.

Comment by john (Author, Owner):

Generating the user's password requires putting a hash into the playbook.

`mkpasswd --method=sha-512` (Debian `whois` package)

To correct this, I'm using the `vars` and `vars_prompt` sections. The `passlib` Linux module is now required.

To avoid the prompt, the passhash variable can be given a value at the command line. Just setting the variable doesn't work, it has to be encrypted:

```
# The heredoc feeds "swordfish\n" to mkpasswd on stdin, so the newline
# becomes part of the hashed password.
PASSHASH=$(mkpasswd --method=sha-512 -s << EOF
swordfish
EOF
) ansible-playbook phase1user.yml -e "passhash=$PASSHASH"
```

But this doesn't hash correctly, because the password gets a trailing newline. So, I'm struggling to make this fully unattended.

john closed this issue 2022-02-10 02:46:09 +00:00

Comment by john (Author, Owner):


I'm an idiot, because `mkpasswd` takes a password as an argument.

```
PASSHASH=$(mkpasswd "$PW" --method=sha-512 -s)
```

I'm an idiot, because `mkpasswd` takes a password as an argument. `PASSHASH=$(mkpasswd $PW --method=sha-512 -s)`
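Pulling the Phase 1 steps and the `vars_prompt` / `passhash` discussion above together, here is an added example playbook (not the repository's own `phase1user.yml`); the user name `admin`, the key path and the `sudoers.d` file name are assumptions:

```yaml
# phase1user.yml (added example, not the repo's own file; admin_user,
# the public key path and the sudoers.d file name are assumptions)
- name: Phase 1 - open the correct access channel
  hosts: all
  remote_user: root          # root / public-key auth already configured
  vars:
    admin_user: admin
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
  vars_prompt:
    # The prompt is skipped when passhash is passed with -e; that value is
    # then used as-is, so it must already be a crypt(3) hash, because
    # encrypt: only applies to what is typed at the prompt.
    - name: passhash
      prompt: Password for the new admin user
      private: true
      confirm: true
      encrypt: sha512_crypt   # needs passlib on the control node
      salt_size: 16
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name: sudo
        state: present

    - name: Create the standard user with the hashed password, in the sudo group
      ansible.builtin.user:
        name: "{{ admin_user }}"
        password: "{{ passhash }}"
        shell: /bin/bash
        groups: sudo
        append: true

    - name: Install the operator's public key for the new user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"

    - name: Passwordless sudo for the sudo group, checked with visudo first
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-sudo-group-nopasswd
        content: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL\n"
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

For an unattended run, supply a hash that was built without the trailing newline the heredoc introduced, e.g. `ansible-playbook phase1user.yml -e "passhash=$(printf '%s' "$PW" | mkpasswd --method=sha-512 -s)"`; `printf '%s'` emits no newline, so only the password itself is hashed.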
Reference: john/LinuxUpskillChallenge#3