From cb57de93175638b700b9b198c07f02e15798a3ba Mon Sep 17 00:00:00 2001
From: Ansible Servercow
Date: Thu, 21 Nov 2024 15:24:34 +0100
Subject: [PATCH] added manage-ssh-keys role

---
 playbooks/hardening/manage-ssh-keys.yaml | 6 ++++
 roles/manage-ssh-keys/defaults/main.yml | 14 ++++++++++
 roles/manage-ssh-keys/tasks/main.yml | 35 ++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 playbooks/hardening/manage-ssh-keys.yaml
 create mode 100644 roles/manage-ssh-keys/defaults/main.yml
 create mode 100644 roles/manage-ssh-keys/tasks/main.yml

diff --git a/playbooks/hardening/manage-ssh-keys.yaml b/playbooks/hardening/manage-ssh-keys.yaml
new file mode 100644
index 0000000..90d2123
--- /dev/null
+++ b/playbooks/hardening/manage-ssh-keys.yaml
@@ -0,0 +1,6 @@
+- hosts: all
+ vars:
+ good_keys: "{{ lookup('env', 'good_keys') | from_json }}"
+ bad_keys: "{{ lookup('env', 'bad_keys') | from_json }}"
+ roles:
+ - role: manage_ssh_keys
\ No newline at end of file
diff --git a/roles/manage-ssh-keys/defaults/main.yml b/roles/manage-ssh-keys/defaults/main.yml
new file mode 100644
index 0000000..a93f544
--- /dev/null
+++ b/roles/manage-ssh-keys/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+ssh_user: "root"
+authorized_keys_file: >-
+ {{ "/root/.ssh/authorized_keys" if ssh_user == "root" else "/home/{{ ssh_user }}/.ssh/authorized_keys" }}
+
+# Liste der erwünschten (Good) Keys
+good_keys:
+ - "ssh-rsa AAAAB3... goodkey1"
+ - "ssh-rsa AAAAB3... goodkey2"
+
+# Liste der unerwünschten (Bad) Keys
+bad_keys:
+ - "ssh-rsa AAAAB3... badkey1"
+ - "ssh-rsa AAAAB3... badkey2"
\ No newline at end of file
diff --git a/roles/manage-ssh-keys/tasks/main.yml b/roles/manage-ssh-keys/tasks/main.yml
new file mode 100644
index 0000000..9f85b17
--- /dev/null
+++ b/roles/manage-ssh-keys/tasks/main.yml
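Review bot: The role reference `- role: manage_ssh_keys` does not match the directory this patch creates, `roles/manage-ssh-keys`, so Ansible will look for `roles/manage_ssh_keys` and fail to resolve the role; change the line to `- role: manage-ssh-keys` (or rename the directory to match). The play also targets `hosts: all` with no `become`, and the role's default target is `/root/.ssh/authorized_keys`, so unless the inventory connects as root the file tasks will presumably fail on permissions; add `become: true` if that is the intended execution model. Note that `lookup('env', 'good_keys') | from_json` raises on an unset variable (the lookup returns an empty string), which is fine as a fail-safe but worth a comment such as `# good_keys/bad_keys must be JSON arrays of full authorized_keys lines; unset env vars abort the play` so operators are not surprised.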
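Review bot: The non-root branch of `authorized_keys_file` embeds `{{ ssh_user }}` inside a string literal of an outer `{{ ... }}` expression; as far as I can tell Jinja does not expand a nested `{{ }}` inside a string literal, so the role would compute (and `file:` would create) a path containing the literal text `{{ ssh_user }}` under `/home`. Build the path with concatenation instead: `authorized_keys_file: "{{ '/root/.ssh/authorized_keys' if ssh_user == 'root' else '/home/' ~ ssh_user ~ '/.ssh/authorized_keys' }}"`. The placeholder entries under `good_keys`/`bad_keys` are live defaults, not examples: if a caller uses the role without overriding them, the sync task writes the dummy `ssh-rsa AAAAB3... goodkey1` lines into root's authorized_keys, so ship `good_keys: []` and `bad_keys: []` and keep the examples in a comment. The `/home/<user>` assumption also deserves a note (`# assumes the standard /home layout; override authorized_keys_file for system users`).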
@@ -0,0 +1,35 @@
+---
+- name: Stelle sicher, dass das .ssh-Verzeichnis existiert
+ file:
+ path: "{{ authorized_keys_file | dirname }}"
+ state: directory
+ owner: "{{ ssh_user }}"
+ group: "{{ ssh_user }}"
+ mode: '0700'
+
+- name: Lese aktuelle authorized_keys
+ slurp:
+ src: "{{ authorized_keys_file }}"
+ register: current_keys_content
+ ignore_errors: true
+
+- name: Bereite aktuelle Keys für den Vergleich vor
+ set_fact:
+ current_keys: "{{ (current_keys_content['content'] | b64decode).splitlines() if current_keys_content['content'] is defined else [] }}"
+
+- name: Filtern von Schlüsseln, die beibehalten werden
+ set_fact:
+ retained_keys: "{{ current_keys | difference(good_keys + bad_keys) }}"
+
+- name: Erstelle finale Liste der Keys
+ set_fact:
+ final_keys: "{{ retained_keys + good_keys }}"
+
+- name: Synchronisiere authorized_keys
+ copy:
+ content: "{{ final_keys | join('\n') + '\n' }}"
+ dest: "{{ authorized_keys_file }}"
+ owner: "{{ ssh_user }}"
+ group: "{{ ssh_user }}"
+ mode: '0600'
+ when: final_keys != current_keys
\ No newline at end of file
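Review bot: Bad-key removal in the "Filtern" task is an exact whole-line match (`difference(good_keys + bad_keys)`), so an on-disk line that carries the same key material as a `bad_keys` entry but differs by an options prefix (`from=`, `command=`), a different comment field, or trailing whitespace survives the sync — the revocation this role exists for is trivially dodged. Nothing prevents writing an empty file either: with `good_keys: []` and every current line listed in `bad_keys`, `final_keys` is empty and the `copy` task replaces authorized_keys with a lone newline, locking out key-based access to the account (on the default `root` target, possibly the only access path). Match on the base64 blob instead and assert a non-empty result before the copy, as below; `difference` is also a set operation that deduplicates and reorders, so `when: final_keys != current_keys` can fire on content that is semantically unchanged. The `ignore_errors: true` on slurp deserves a comment stating that it covers the missing-file case, since any other read failure (permissions) is silently treated as "no keys" and leads to a rewrite.

```yaml
# … unchanged: .ssh directory task, slurp, current_keys …

- name: Start from every current line that is not already a managed good key
  set_fact:
    retained_keys: "{{ current_keys | difference(good_keys) }}"

- name: Drop any line carrying a bad key's blob, regardless of its options or comment
  set_fact:
    retained_keys: "{{ retained_keys | reject('search', item | regex_escape) | list }}"
  loop: >-
    {{ bad_keys
       | map('regex_replace', '^.*?(?:ssh|ecdsa|sk)-[A-Za-z0-9.@-]+\\s+(\\S+).*$', '\\1')
       | list }}

# … unchanged: final_keys task …

- name: Refuse to write an empty authorized_keys (would lock every key out of the account)
  assert:
    that: final_keys | length > 0
    fail_msg: "good_keys is empty and every existing key was removed; not clearing {{ authorized_keys_file }}"

# … unchanged: copy task …
```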