debops / debops-playbooks

Ansible playbooks used by DebOps project

'sshd__permit_root_login' not taking effect

Routhinator opened this issue · comments

Starting out with Ansible and Debops for the first time.

So far the scripts are great as are the docs, and I can add vars to the group_vars/all directory to set my defaults. However this one isn't being picked up, taking effect, or something. I'm not sure why.

sshd.yml:

---
sshd__permit_root_login: 'no'

I'd just like to completely disable root login now that I have a user created to manage my hosts.

Welcome to the project!

I presume that you added this in the ansible/inventory/group_vars/all/sshd.yml file, relative to the DebOps project directory? What happens when you run the command:

debops service/sshd

Can you show me the output of this command? Also, the contents of the generated /etc/ssh/sshd_config configuration file?

Thanks for the welcome!

Yes your presumption is correct.

Interesting; running that command does seem to have gotten the playbook to pick up the var:

TASK [debops.sshd : Setup /etc/ssh/sshd_config] ********************************
changed: [devops-fra1-01]
changed: [docker-fra1-01]

And now I have the appropriate line in /etc/ssh/sshd_config:

# Authentication:
PermitRootLogin no

Maybe I should step back a bit here. Based on my reading of the docs, sshd is part of the common.yml playbook, and thus should be run/configured when running debops bootstrap - no?

No, the DebOps configuration works like this:

  • debops bootstrap - this is an optional step, only useful when you deploy an environment for the first time, or you configure a host in an environment where you don't have control over deployment, like a VPS host. An alternative for this step is usage of cloud-init, setting up your own DHCP/PXE/preseeding environment, or LXC/OpenVZ template scripts. The bootstrap role runs only a minimal set of tasks that prepare the host for management using Ansible.

  • debops common - this command runs the common.yml playbook, with common roles like sshd, user configuration, ferm, etc. The common playbook defines a "base environment" of a host, and many roles assume that the environment defined by this playbook exists on the host.

  • debops - if you run this command, the script will run the site.yml playbook which includes the common.yml playbook and all other playbooks for various services. Which services will be executed depends on what inventory groups a given host is included in.

So it looks like you have only executed debops bootstrap? Try running debops common next time, it should configure the environment.

Got it. My bad.
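
An added example, not part of the thread and not DebOps code: a shell check that a generated sshd_config really disables root login globally, which catches the case above where the variable was set in the inventory but the role that writes the file had not run yet. The function names and the sample file are constructed for illustration, and Include directives are assumed not to be in use.

```shell
#!/bin/sh
# Added example (not DebOps code): report the PermitRootLogin value that
# applies globally in an sshd_config file.
# sshd keywords are case-insensitive and the first value obtained wins;
# everything after a Match line is conditional, so parsing stops there.
# Assumption: Include directives are not followed.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {
            split($0, f, "[ \t=]+")         # "Keyword value" or "Keyword=value"
            key = tolower(f[1])
            if (key == "match") exit        # end of the global section
            if (key == "permitrootlogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }   # sshd falls back to its default
    ' "$1"
}

# Succeeds only when root login is explicitly disabled for all connections.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample file, not taken from a real host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# Authentication:
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF

if root_login_disabled "$sample"; then
    echo "OK: PermitRootLogin is no"
else
    echo "FAIL: PermitRootLogin is $(effective_permit_root_login "$sample")"
fi
```

On a live host, running sshd -T as root prints the configuration the daemon actually uses, which also covers Include files that this parser skips.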