Merge pull request #776 from edx/jarv/ssh-motd

Jarv/ssh motd

playbooks/roles/common/handlers/main.yml

@@ -2,3 +2,6 @@
 - name: restart rsyslogd
   service: name=rsyslog state=restarted
   sudo: True
+- name: restart ssh
+  service: name=ssh state=restarted
+  sudo: True

playbooks/roles/common/tasks/main.yml

@@ -73,4 +73,28 @@
 
 - name: update /etc/dhcp/dhclient.conf
   template: src=etc/dhcp/dhclient.conf.j2 dest=/etc/dhcp/dhclient.conf
-  when: COMMON_CUSTOM_DHCLIENT_CONFIG
\ No newline at end of file
+  when: COMMON_CUSTOM_DHCLIENT_CONFIG
+
+  # Remove some of the default motd display on ubuntu
+  # and add a custom motd.  These do not require an
+  # ssh restart
+- name: update the ssh motd on Ubuntu
+  file: >
+    mode=0644
+    path={{ item }}
+  with_items:
+  - "/etc/update-motd.d/10-help-text"
+  - "/usr/share/landscape/50-landscape-sysinfo"
+  - "/etc/update-motd.d/51-cloudguest"
+  - "/etc/update-motd.d/91-release-upgrade"
+
+- name: add ssh-warning banner motd
+  template: >
+    dest=/etc/motd.tail
+    src=motd.tail.j2 mode=0755 owner=root group=root
+
+- name: update ssh config
+  template: >
+    dest=/etc/ssh/sshd_config
+    src=sshd_config.j2 mode=0644 owner=root group=root
+  notify: restart ssh

playbooks/roles/common/templates/motd.tail.j2

+******************************************************************* 
+*                                                                 *  
+*   _   _| |\ \/ /  This system is for the use of authorized      * 
+* / -_) _` | >  <   users only.  Usage of this system may be      *
+* \___\__,_|/_/\_\  monitored and recorded by system personnel.   *
+*                                                                 *
+* Anyone using this system expressly consents to such monitoring  *
+* and is advised that if such monitoring reveals possible         *
+* evidence of criminal activity, system personnel may provide the *
+* evidence from such monitoring to law enforcement officials.     *
+*                                                                 *
+*******************************************************************

playbooks/roles/common/templates/sshd_config.j2

+# {{ ansible_managed }}
+#
+# Changes from the default Ubuntu ssh config:
+#  - LogLevel set to VERBOSE
+#
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes