geerlingguy.ssh-chroot-jail

Ansible Role: SSH Chroot Jail Configuration


This role sets up a chroot jail to limit specific SSH users' access to the system. It's useful for servers where you want to restrict access severely.

Requirements

You need to have an OpenSSH server installed. It's recommended to also use the geerlingguy.security role or something similar to secure your server better.

Role Variables

Here are the available variables with their default values (check defaults/main.yml for more details):

  • ssh_chroot_jail_path: Specifies where the chroot jail will be located (default is /var/jail).

  • ssh_chroot_jail_group_name: Sets the group name for jailed users (default is ssh_jailed).

  • ssh_chroot_jail_users: A list of users to be jailed. If you want to manage users yourself, leave this empty ([]).

  • ssh_chroot_jail_dirs: Directories that should exist in the jail. Defaults include essential directories like bin, dev, etc, lib, and usr.

  • ssh_chroot_jail_devs: Devices that need to be present in the jail. By default, it includes things like null, random, and zero.

  • ssh_chroot_bins: A list of binaries to copy to the jail, along with any necessary libraries. You can choose not to copy libraries by setting l2chroot: false.

  • ssh_chroot_l2chroot_template and ssh_chroot_l2chroot_path: Specify where to download and install the l2chroot script.

  • ssh_chroot_copy_extra_items: Additional files to copy into the jail, including essential configuration files.

  • ssh_chroot_sshd_chroot_jail_config: Configuration settings to add to the sshd_config file for controlling user access in the jail.

  • ssh_chroot_jail_dirs_recurse: If set to true, directories will be added recursively. If you have many directories or a slow filesystem, set this to false.

Dependencies

This role does not have any dependencies.

Example Playbook

- hosts: servers
  become: yes
  roles:
    - geerlingguy.security
    - geerlingguy.ssh-chroot-jail

Inside vars/main.yml:

ssh_chroot_jail_users:
  - name: janedoe
    home: /home/janedoe
    shell: /bin/bash
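Two of the variables above hide most of the work the role does: ssh_chroot_bins copies each binary together with the shared libraries it needs (that is what the l2chroot script resolves via ldd), and ssh_chroot_sshd_chroot_jail_config points sshd at the jail, which sshd only accepts when every component of the ChrootDirectory path is owned by root and not group- or world-writable. The following is an added example, not code from the role or from l2chroot; it shows a small ldd-output parser that produces the copy list, and a checker for the ownership rule. The SAMPLE_LDD text is constructed, not captured from a real host, and the stat_fn parameter exists only so the check can be exercised against made-up stat results.

```python
"""Added example (not part of geerlingguy.ssh-chroot-jail or l2chroot):
plan which files go into an sshd chroot jail and check the jail path."""
import os
import stat as statmod
from pathlib import PurePosixPath

# Constructed sample of `ldd /bin/bash` output (addresses and paths are made up).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffc3a5d2000)
\tlibtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1a2c4a0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c2b0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c660000)
"""


def libs_from_ldd(ldd_output: str) -> list[str]:
    """Return the absolute library paths named in ldd output, in order, deduplicated.

    Entries with no file on disk (the vDSO, 'statically linked') are skipped.
    An unresolved dependency ('=> not found') raises, because a jail built
    without it would fail at login time in a much less obvious way.
    """
    libs: list[str] = []
    for line in ldd_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if "=>" in parts:
            target = parts[parts.index("=>") + 1]
            if target == "not":  # "libfoo.so.1 => not found"
                raise FileNotFoundError(f"unresolved dependency: {parts[0]}")
            if not target.startswith("/"):
                continue  # "linux-vdso.so.1 =>  (0x...)" on some glibc builds
            path = target
        elif parts[0].startswith("/"):
            path = parts[0]  # the dynamic loader line has no "=>"
        else:
            continue  # vDSO or "statically linked"
        if path not in libs:
            libs.append(path)
    return libs


def plan_copies(jail: str, binaries: dict[str, str]) -> dict[str, str]:
    """Map every source file (binary plus its libraries) to its path under the jail.

    `binaries` maps a binary path to that binary's ldd output, so the planning
    step runs offline; a real run would feed it `subprocess.run(["ldd", path])`.
    The absolute layout is preserved under the jail root, as l2chroot-style
    copying does, so the loader finds libraries at the paths it expects.
    """
    plan: dict[str, str] = {}
    for binary, ldd_output in binaries.items():
        for src in [binary, *libs_from_ldd(ldd_output)]:
            plan[src] = os.path.join(jail, src.lstrip("/"))
    return plan


def chroot_path_problems(jail: str, stat_fn=os.stat) -> list[str]:
    """List every path component that sshd would reject for ChrootDirectory.

    sshd requires each component from the jail up to "/" to be owned by root
    and not writable by group or others; a violation shows up in the auth log
    as a "bad ownership or modes for chroot directory" failure.
    """
    problems: list[str] = []
    path = PurePosixPath(jail)
    for component in (path, *path.parents):  # jail, its parent, ..., "/"
        st = stat_fn(str(component))
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (statmod.S_IWGRP | statmod.S_IWOTH):
            mode = statmod.S_IMODE(st.st_mode)
            problems.append(f"{component}: mode {mode:04o} is group/world writable")
    return problems


if __name__ == "__main__":
    for src, dst in plan_copies("/var/jail", {"/bin/bash": SAMPLE_LDD}).items():
        print(f"copy {src} -> {dst}")
    if os.path.isdir("/var/jail"):  # only meaningful on a host that has the jail
        for problem in chroot_path_problems("/var/jail"):
            print("sshd would reject this jail:", problem)
```

Run it after the role has built the jail to confirm nothing on the path to ssh_chroot_jail_path has been loosened (a group-writable /var, for example, is enough for sshd to refuse every jailed login).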

License

This project is licensed under the MIT (Expat) / BSD.

Author Information

Created in 2017 by Jeff Geerling, the author of Ansible for DevOps.

Special thanks to Acquia for supporting the initial development of this role.

About the project

Simple SSH chroot jail management.

Install

ansible-galaxy install geerlingguy.ssh-chroot-jail

License

mit

Downloads

237k