From 4cd86231152f4b39e6a627273319e6633f92426f Mon Sep 17 00:00:00 2001
From: DBras
Date: Thu, 26 Oct 2023 19:57:41 +0200
Subject: [PATCH] Connect to host and set up initial config
---
ansible/ansible.cfg | 2 +
ansible/inventory | 2 +
ansible/roles/setup/files/id_ed25519.pub | 1 +
ansible/roles/setup/files/sshd_config | 88 ++++++++++++++++++++++++
ansible/roles/setup/tasks/main.yml | 21 ++++++
ansible/test.yml | 6 ++
setup.md | 31 +++++++++
7 files changed, 151 insertions(+)
create mode 100644 ansible/ansible.cfg
create mode 100644 ansible/inventory
create mode 100644 ansible/roles/setup/files/id_ed25519.pub
create mode 100755 ansible/roles/setup/files/sshd_config
create mode 100644 ansible/roles/setup/tasks/main.yml
create mode 100644 ansible/test.yml
create mode 100644 setup.md
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..73ee9b1
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory = ./inventory
diff --git a/ansible/inventory b/ansible/inventory
new file mode 100644
index 0000000..f54cbf1
--- /dev/null
+++ b/ansible/inventory
@@ -0,0 +1,2 @@
+[windows]
+192.168.1.26 ansible_user=backup ansible_shell_type=cmd
diff --git a/ansible/roles/setup/files/id_ed25519.pub b/ansible/roles/setup/files/id_ed25519.pub
new file mode 100644
index 0000000..6e37fbf
--- /dev/null
+++ b/ansible/roles/setup/files/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC02bdkH4DjCA9/l6MRLME9kW6Jrxcu37Ut384l2QXdA danielbrasholt@gmail.com
diff --git a/ansible/roles/setup/files/sshd_config b/ansible/roles/setup/files/sshd_config
new file mode 100755
index 0000000..72e4be4
--- /dev/null
+++ b/ansible/roles/setup/files/sshd_config
@@ -0,0 +1,88 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
+#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
+#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
+#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp sftp-server.exe
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Match Group administrators
+ AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
diff --git a/ansible/roles/setup/tasks/main.yml b/ansible/roles/setup/tasks/main.yml
new file mode 100644
index 0000000..18f0e60
--- /dev/null
+++ b/ansible/roles/setup/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Ping host
+ ansible.windows.win_ping:
+- name: Copy SSH key to host
+ ansible.windows.win_copy:
+ src: id_ed25519.pub
+ dest: "C:\\ProgramData\\ssh\\administrators_authorized_keys"
+- name: Hide backup user from login screen
+ ansible.windows.win_regedit:
+ path: "HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
+ name: backup
+ type: dword
+ data: 0
+- name: Upload SSH config to host
+ ansible.windows.win_copy:
+ src: sshd_config
+ dest: "C:\\ProgramData\\ssh\\sshd_config"
+- name: Restart sshd service
+ ansible.windows.win_service:
+ name: sshd
+ state: restarted
diff --git a/ansible/test.yml b/ansible/test.yml
new file mode 100644
index 0000000..c98f209
--- /dev/null
+++ b/ansible/test.yml
@@ -0,0 +1,6 @@
+---
+- hosts: windows
+ user: backup
+ gather_facts: no
+ roles:
+ - setup
diff --git a/setup.md b/setup.md
new file mode 100644
index 0000000..9a75229
--- /dev/null
+++ b/setup.md
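Review bot: The only hardening this file adds over the stock Windows sshd_config is `PasswordAuthentication no`; the options the automation account actually depends on are left commented at their defaults, so I would state them explicitly and narrow what a key holder can do: `PubkeyAuthentication yes`, `AllowUsers backup`, `AllowTcpForwarding no` (and likewise `AllowAgentForwarding no`, since this key exists only to run Ansible modules). The `Match Group administrators` block at the end is what routes the admin-group `backup` user to `administrators_authorized_keys`, which the role's copy task relies on; a one-line comment above it (`# backup is a local Administrator, so its key is read from administrators_authorized_keys, not ~/.ssh`) would make that coupling visible to whoever edits either file. Committing the full 88-line default file (with mode 100755) to change one line also hides the real delta; a `# Changed from default: PasswordAuthentication no` beside the change would help reviewers.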
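Review bot: `Copy SSH key to host` writes `administrators_authorized_keys` but never restricts its ACL, and Win32-OpenSSH only honours that file when it is readable by Administrators and SYSTEM alone (StrictModes is left at its default in the shipped sshd_config); if the copied file inherits the `C:\ProgramData\ssh` permissions the key is rejected, and because the same run then disables password authentication and restarts sshd, the playbook can lock itself out of SSH on the first apply. I would strip inheritance and grant only those two principals immediately after the copy, and make the restart conditional on the config actually changing, as below. `Hide backup user from login screen` deserves a comment on the task (e.g. `# cosmetic only: removes 'backup' from the logon UI; it stays a local Administrator, and this UserList key is a well-known concealment indicator for EDR`), because as written it reads like a security control and it is not one.
```yaml
- name: Copy SSH key to host
  # … unchanged: win_copy of id_ed25519.pub to administrators_authorized_keys …
- name: Drop inherited ACEs from administrators_authorized_keys
  ansible.windows.win_acl_inheritance:
    path: "C:\\ProgramData\\ssh\\administrators_authorized_keys"
    state: absent
- name: Allow only Administrators and SYSTEM on the key file
  ansible.windows.win_acl:
    path: "C:\\ProgramData\\ssh\\administrators_authorized_keys"
    user: "{{ item }}"
    rights: FullControl
    type: allow
  loop:
    - Administrators
    - SYSTEM
# … unchanged: hide backup user from login screen …
- name: Upload SSH config to host
  ansible.windows.win_copy:
    src: sshd_config
    dest: "C:\\ProgramData\\ssh\\sshd_config"
  register: sshd_conf
- name: Restart sshd service
  ansible.windows.win_service:
    name: sshd
    state: restarted
  when: sshd_conf is changed
```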
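Review bot: `user: backup` on the play is the legacy spelling of `remote_user`, and it duplicates `ansible_user=backup` already set in the inventory, so one of the two should go; if the play keeps it, write `remote_user: backup`. Since the role only works when the remote account is a local Administrator (it writes under `C:\ProgramData\ssh` and HKLM), a short comment on the play stating that precondition, e.g. `# requires the 'backup' local Administrator account created per setup.md`, would save the next person a failed first run.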
@@ -0,0 +1,31 @@
+# Installing OpenSSH
+
+In settings, select Apps & Features -> Optional features -> add new
+
+Select OpenSSH server from the list.
+
+Reboot the machine.
+
+When back in, open `services.msc` and enable the OpenSSH Server service.
+
+# Adding local administrator account
+
+```bash
+net user backup /add
+net localgroup Administrators backup /add
+net user backup *
+```
+
+# Connecting from HOST
+
+To connect with SSH and Ansible, the HOST machine must have `sshpass` installed.
+
+It is also necessary to have `ansible.windows` installed:
+
+```bash
+ansible-galaxy collection install ansible.windows
+```
+
+# Pre-config of host
+
+