I’m continuing to really enjoy working with Ansible. It meets the needs I have for server configuration, and has a lot of great community resources.
One thing that is crucial to any server setup is ensuring that your SSH configuration is sound.
A great role that I’ve used for my Ansible SSH configuration is ssh-hardening.
A pitfall that the author points out in the Readme is that your user account may be locked out after the role is applied. I’ve found this to be particularly true for the ubuntu account on EC2 servers.
In order to make sure I can continue to get into that user with my AWS key-pair, I’ve started adding this to a role that runs right after the ssh-hardening role in my playbooks.
# Reading /etc/shadow needs root, hence become: true. grep -q exits 0 when the
# bare "!" lock marker is present and 1 otherwise; ignore_errors keeps the
# non-zero exit from failing the play, changed_when keeps the check read-only.
- name: Check if Ubuntu is locked
  command: grep -q "ubuntu:!:" /etc/shadow
  register: check_ubuntu_lock
  ignore_errors: true
  changed_when: false
  become: true

# Only runs when the check above found the lock marker.
- name: Unlock Ubuntu
  command: usermod -p "*" ubuntu
  when: check_ubuntu_lock.rc == 0
  become: true
This checks the shadow file for the ! indicator that would lock the account, and sets the password hash to *, which unlocks the account while still ensuring that the user can only log in via SSH keys (there is no password hash that * can match).
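To make the distinction behind those two tasks concrete, here is a small classifier for the password field of shadow entries. It is an added example, not code from the original post or from the ssh-hardening role, and the shadow lines it parses are constructed sample data; the user names and hashes in them are placeholders.

```python
"""Classify the password field of /etc/shadow entries (added example).

The tasks above grep for the literal "ubuntu:!:" marker. This shows the
states that field can be in, so an audit does not confuse an account that
sshd treats as locked ("!" prefix) with a key-only one ("*").
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample, not a real shadow file. Hashes are placeholders.
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ubuntu:!:19000:0:99999:7:::
deploy:*:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19000:0:99999:7:::
bob:!$6$saltsalt$placeholderhash:19000:0:99999:7:::
legacy::19000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    password: str  # raw second field of the shadow line

    def state(self) -> str:
        p = self.password
        if p == "":
            return "empty"        # no password at all: worth flagging
        if p == "!":
            return "locked"       # bare marker the post's grep looks for
        if p == "*":
            return "key-only"     # matches no password; SSH keys still work
        if p.startswith("!"):
            return "locked-hash"  # passwd -l style: hash kept but unusable
        if p.startswith("$"):
            return "password"     # usable password hash
        return "unknown"


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow-format lines; only the first two fields are used."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries.append(ShadowEntry(user=fields[0], password=fields[1]))
    return entries


def locked_users(text: str) -> list[str]:
    """Users the post's grep would report as locked (bare "!" only)."""
    return [e.user for e in parse_shadow(text) if e.state() == "locked"]
```

Note that `bob` above is also locked as far as sshd is concerned, but the bare `ubuntu:!:` pattern would not match a `!`-prefixed hash, so an audit should treat `locked-hash` the same way.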