Complete access/authentication mechanism

8f72f658 · Todor Kondic · c0c932d7 · 8f72f658 · 8f72f658 · 8f72f658
Verified Commit 8f72f658 authored Feb 25, 2021 by Todor Kondic
--- a/files/etc/gdm3/custom.conf
+++ b/files/etc/gdm3/custom.conf
+# GDM configuration storage
+#
+# See /usr/share/gdm/gdm.schemas for a list of available options.
+
+[daemon]
+# Uncomment the line below to force the login screen to use Xorg
+#WaylandEnable=false
+
+# Enabling automatic login
+#  AutomaticLoginEnable = true
+#  AutomaticLogin = user1
+
+# Enabling timed login
+#  TimedLoginEnable = true
+#  TimedLogin = user1
+#  TimedLoginDelay = 10
+
+
+[security]
+AllowRemoteRoot=true
+DisallowTCP=false
+
+[xdmcp]
+Enable=true
+MaxSessions=30
+
+[chooser]
+
+[debug]
+# Uncomment the line below to turn on debugging
+# More verbose logs
+# Additionally lets the X server dump core if it crashes
+#Enable=true
+
--- a/files/etc/xinetd.d/vncserver
+++ b/files/etc/xinetd.d/vncserver
+service vncserver
+{
+disable = no
+type = unlisted
+port = 5950
+socket_type = stream
+protocol = tcp
+group = tty
+wait = no
+user = nobody
+server = /usr/bin/Xvnc
+server_args = -inetd -query localhost -once -fp /usr/share/X11/fonts/misc -securitytypes=X509None -X509Key=/etc/custom-vnc/key.vnc.pem -X509Cert=/etc/custom-vnc/cert.vnc.pem
+}
--- a/hosts.txt
+++ b/hosts.txt
@@ -3,3 +3,5 @@ alien-one ansible_host=188.166.115.156

 [planb:vars]
 ansible_python_interpreter=/usr/bin/python3
+vault_password_file=meta/zubizareta
+become=root
--- a/main.yml
+++ b/main.yml
 - hosts: planb
-  become: true
+  become: True
  vars_files:
    - vars/users.yml
+    - vars/passwords.yml
  pre_tasks:
    - name: Update repositories
      apt: update_cache=yes
      changed_when: False

  tasks:
+    - name: Set hostname.
+      ansible.builtin.hostname:
+        name: "{{ inventory_hostname }}"
+
    - include: tasks/apt.yml
    - include: tasks/users.yml
+    - include: tasks/ufw.yml
+

+  handlers:
+    - name: Restart xinetd.
+      command: systemctl restart xinetd
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -8,8 +8,12 @@
            'wget',
            'gzip',
            'atop',
-            'git' ]
-  tags: upd-pack
+            'git',
+            'ufw',
+            'xfce4',
+            'gdm3',
+            'xinetd',]
+  tags: apt



--- a/tasks/ufw.yml
+++ b/tasks/ufw.yml
+- ufw:
+    state: enabled
+    
+    # policy: allow
+
+# Set logging
+- ufw:
+    logging: on
+
+# Sometimes it is desirable to let the sender know when traffic is
+# being denied, rather than simply ignoring it. In these cases, use
+# reject instead of deny. In addition, log rejected connections:
+- ufw:
+    rule: deny
+    port: auth
+    log: yes
+
+# ufw supports connection rate limiting, which is useful for protecting
+# against brute-force login attacks. ufw will deny connections if an IP
+# address has attempted to initiate 6 or more connections in the last
+# 30 seconds. See  http://www.debian-administration.org/articles/187
+# for details. Typical usage is:
+- ufw:
+    rule: limit
+    port: '22'
+    proto: tcp
+
+# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
+# a rule=allow task can leave those ports exposed. Either use delete=yes
+# or a separate state=reset task)
+# - ufw:
+#     rule: allow
+#     name: OpenSSH
+
+
+# Allow vnc.
+- ufw:
+    rule: allow
+    port: '5950'
+    proto: tcp
+
+# Allow all access to tcp port 80:
+- ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+
+# Allow all access from RFC1918 networks to this host:
+- ufw:
+    rule: allow
+    src: '{{ item }}'
+  with_items:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -9,6 +9,8 @@
    comment: "{{ item.name }}"
    groups: adm , cdrom , dip , plugdev , scratch
    generate_ssh_key: yes
+    shell: /bin/bash
+    password: "{{ passwords[item.login] | password_hash('sha512') }}"
    update_password: on_create
  loop: "{{ users }}"
  when: not item.sudo
@@ -19,6 +21,8 @@
    comment: "{{ item.name }}"
    generate_ssh_key: yes
    groups: sudo , adm , cdrom , dip , plugdev , scratch
+    shell: /bin/bash
+    password: "{{ passwords[item.login] | password_hash('sha512') }}"
    update_password: on_create
  loop: "{{ users }}"
  when: item.sudo

--- a/tasks/vnc.yml
+++ b/tasks/vnc.yml
+- name: Copy gdm3 config files.
+  ansible.builtin.copy:
+    src: /files/etc/gdm3/custom.conf
+    dest: /etc/gdm3/custom.conf
+    owner: root
+    group: root
+    mode: '0644'
+    
+- name: Copy xinetd config files.
+  ansible.builtin.copy:
+    src: /files/etc/xinetd.d/vncserver
+    dest: /etc/xinetd.d/vncserver
+    owner: root
+    group: root
+    mode: '0644'
+    notify:
+      - Restart xinetd.
+
+
+
+
--- a/vars/passwords.yml
+++ b/vars/passwords.yml
+$ANSIBLE_VAULT;1.1;AES256
+64386164623735383434343330326637343837653966623066343061626364323139636334346136
+3537663335626461623833333234623134306632623461360a313462656433346537636365393162
+34646334623631626262616666663364616537653561313337313965373337396163666231616638
+3762383834343832350a643164306564303564663033386637323864333866303538356532303963
+35323138616336323632643238303864333535333564346133633539663363303330653233323865
+63613332633564303461656234663336623364346532313631366234653535383664646533333265
+656236343134316264376165323235333838