Ansible playbook to set up an SSH bastion server and its clients.
- Non-standard SSH port for the bastion
- Both a key and a password required for connections to the bastion
- 5 minute connection timeout
- Login must complete within 30 seconds of the initial connection
- SSHv1 disabled
- Separate keys for the connection to the bastion and for the onward connections to further hosts
- No warnings from `ssh-audit`
Some of the hardening and configuration is based on https://joscor.com/blog/hardening-openssh-server-ubuntu-14-04/.
- Modify the values in `vars.yml` to match your requirements:
  - `user` is the user to be used on both the client and bastion machines
  - `bastion_ssh_key` is the key to use to connect to the bastion machine
  - `enable_root` enables SSH connections as root to the bastion
  - `bastion_ip` is the IP of the bastion, to be baked into the config of the clients
- Populate `hosts` with your required hosts: a single `bastion`, and however many `clients`. `standalone` can be used to configure clients that don't require connections through the bastion.
- Run the playbook with `ansible-playbook bastion.yml -i hosts --ask-pass -K`
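After the playbook has run, a check like the following confirms that the bastion's `sshd_config` actually carries the hardening points listed above. It is an added example, not part of this playbook; the directives it expects (`AuthenticationMethods publickey,password`, `LoginGraceTime 30`, `ClientAliveInterval 300`, `Protocol 2`, a port other than 22) are assumptions about how those points are implemented, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not the playbook's own code: audit an sshd_config for the hardening
# points listed above. The directives it expects (AuthenticationMethods publickey,password,
# LoginGraceTime 30, ClientAliveInterval 300, Protocol 2) are assumptions, not read from it.
# Constructed sample standing in for the bastion's real /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG='Port 2222
Protocol 2
AuthenticationMethods publickey,password
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 1
PermitRootLogin no'

# get_directive FILE NAME: print the effective value of NAME. sshd honours the
# first occurrence of a directive and matches names case-insensitively.
get_directive() {
    awk -v name="$2" 'tolower($1) == tolower(name) { print $2; exit }' "$1"
}

# check_sshd_hardening FILE: print a FAIL line per unmet point; return 0 only if all pass.
check_sshd_hardening() {
    rc=0
    port=$(get_directive "$1" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "FAIL: Port left at default 22"; rc=1; }
    # Both methods in one AuthenticationMethods list means key AND password are required.
    case "$(get_directive "$1" AuthenticationMethods)" in
        publickey,password|password,publickey) ;;
        *) echo "FAIL: AuthenticationMethods does not require key and password"; rc=1 ;;
    esac
    # Login must complete within 30 s (sshd default is 120 s when unset).
    grace=$(get_directive "$1" LoginGraceTime)
    [ "${grace:-120}" -le 30 ] || { echo "FAIL: LoginGraceTime exceeds 30"; rc=1; }
    # Idle timeout = ClientAliveInterval * ClientAliveCountMax (defaults 0 and 3).
    # Interval 0 disables it; CountMax 0 disables termination on OpenSSH 8.2 and later.
    interval=$(get_directive "$1" ClientAliveInterval); interval=${interval:-0}
    countmax=$(get_directive "$1" ClientAliveCountMax); countmax=${countmax:-3}
    if [ "$interval" -le 0 ] || [ "$countmax" -le 0 ] || [ $((interval * countmax)) -gt 300 ]; then
        echo "FAIL: idle timeout is not within 300 s"; rc=1
    fi
    # Protocol 2 only; the directive is gone from OpenSSH 7.6+, which has no SSHv1 at all.
    case "$(get_directive "$1" Protocol)" in
        ""|2) ;;
        *) echo "FAIL: Protocol permits SSHv1"; rc=1 ;;
    esac
    return $rc
}
# Stand-alone run against the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
check_sshd_hardening "$tmp" && echo "OK: $tmp passes all checks"
rm -f "$tmp"
```

Point it at the bastion's real file with `check_sshd_hardening /etc/ssh/sshd_config`; a non-zero exit with the printed FAIL lines tells you which point the generated config misses.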