Fix /etc/issue - it was not appended, add also /etc/motd

blackandred · blackandred · commit 04419ceea7dc · 2020-08-29T12:06:04.000+02:00
diff --git a/tasks/configure-ssh.yml b/tasks/configure-ssh.yml
@@ -1,8 +1,12 @@
 - name: Apply sshd configuration
   become: yes
   template:
-      src: etc/ssh/sshd_config.j2
-      dest: /etc/ssh/sshd_config
+      src: "{{ item }}.j2"
+      dest: "/{{ item }}"
+  with_items:
+      - etc/ssh/sshd_config
+      - etc/issue
+      - etc/motd
 
 - name: Enable sshd on system startup
   become: yes
diff --git a/templates/etc/issue.j2 b/templates/etc/issue.j2
@@ -1,10 +1,9 @@
-=======================================
-== This server is managed by Ansible ==
-=======================================
+=====================================================================
+WARNING! You are attempting to reach a secured zone.
+         Intrusion Prevention System is running on this machine.
+         This server is MONITORED.
+=====================================================================
 
-Welcome to {{ ssh_host_title }}. {% if anonymize_logs %}
-- This server is anonymizing logs.{% endif %}{% if configure_firewall %}
-- UFW firewall is turned on, not all outgoing ports are allowed.{% endif %}{% if not ssh_gateway_ports %}
-- Forwarding SSH tunnels to the gateway is not allowed{% endif %}
+NOTICE: Multiple failed login attemps will result in a temporary ban.
+---------------------------------------------------------------------
 
-Have a nice day!
diff --git a/templates/etc/motd.j2 b/templates/etc/motd.j2
@@ -0,0 +1,14 @@
+=======================================
+== This server is managed by Ansible ==
+=======================================
+
+Welcome to {{ ssh_host_title }}. {% if anonymize_logs %}
+- This server is anonymizing logs.{% endif %}{% if configure_firewall %}
+- UFW firewall is turned on, not all outgoing ports are allowed.{% endif %}{% if not ssh_gateway_ports %}
+- Forwarding SSH tunnels to the gateway is not allowed{% endif %}{% if clear_shell_history %}
+- The bash, python and other tools history is erased periodically for security reasons{% endif %}
+
+NOTICE: Users can have personalized SSH rules (eg. some users can have enabled forwarding or gateway ports)
+NOTICE: Any changes in /etc can be overwritten by Ansible deployment. Please add everything to Ansible roles and push deployment to manage server configuration
+
+Have a nice day!
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
@@ -10,7 +10,6 @@ GatewayPorts {% if ssh_gateway_ports %}yes{% else %}no{% endif %}
 
 AllowAgentForwarding yes
 Subsystem sftp /usr/lib/sftp-server
-AcceptEnv W_INFRA_AUTH
 
 # kick off after idle time
 ClientAliveInterval {{ ssh_idle_time }}
