include amazon aws example and startup sshd after openvpn #45
An issue with this playbook is that the sshd service often gets stopped on reboot.
This can make this playbook impossible to use on Amazon AWS since there is no console -- you just get locked out of ssh whether or not you have connected via openvpn.
I modified the playbook to fix this, by specifying that the sshd service should start up only after the openvpn tunnel device is set up. This is accomplished by modifying the systemd file for the ssh service (/lib/systemd/system/ssh.service).
This is inspired by: https://btux1984.wordpress.com/2015/10/15/start-a-service-after-openvpn-connection-has-been-established-using-systemd/
This method circumvents the usual method of defining an "up.sh" script which starts ssh after openvpn startup that is usually recommended (see: https://unix.stackexchange.com/questions/144992/starting-ssh-server-after-vpn-starts), but which DOES NOT work here because openvpn does not have root privileges in this hardened setup and so cannot execute the restart command.
I also added a typical AWS example (assuming ubuntu 16.04) to inventory.example, with sudo user name ubuntu (as is typical on AWS).
Tested on Ubuntu 16.04 x64. Not sure it will work on the other supported distros, maybe the location of the ssh.service file is different or its contents are.
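The ordering described in this PR (sshd waits for the tunnel device, no root-privileged "up" script needed) can be expressed as a systemd drop-in rather than an edit to the packaged unit. The script below is an added example and is not the playbook's code or the PR's diff. It assumes the Ubuntu 16.04 unit name `ssh.service`, a tunnel interface named `tun0`, and that systemd's stock udev rules expose that interface as the device unit `sys-subsystem-net-devices-tun0.device` (the sysfs-path form `sys-devices-virtual-net-tun0.device` names the same device); the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not the playbook's code): install a systemd drop-in so that
# ssh.service waits for the OpenVPN tunnel interface before it starts.
# Assumptions: unit name "ssh.service" (Ubuntu 16.04), tunnel interface "tun0",
# and a .device unit for the interface created by systemd's udev rules.
set -eu

# write_sshd_dropin ROOT IFACE
# Writes ROOT/ssh.service.d/after-openvpn.conf and prints its path.
# ROOT is normally /etc/systemd/system: a drop-in there survives package
# upgrades, whereas a direct edit of /lib/systemd/system/ssh.service does not.
write_sshd_dropin() {
    root="$1"
    iface="$2"
    dev="sys-subsystem-net-devices-${iface}.device"
    dropin_dir="${root}/ssh.service.d"
    dropin="${dropin_dir}/after-openvpn.conf"
    mkdir -p "$dropin_dir"
    cat > "$dropin" <<EOF
# Managed drop-in: start sshd only once the OpenVPN tunnel device exists.
# Requires= makes systemd wait for the device to appear (within its device
# job timeout) and After= orders sshd behind it, so sshd never binds before
# the tunnel address is present.
[Unit]
After=${dev}
Requires=${dev}
EOF
    chmod 0644 "$dropin"
    printf '%s\n' "$dropin"
}

# dropin_orders_after ROOT IFACE
# Exit 0 if the drop-in carries both the ordering and the requirement line
# for IFACE; a cheap post-write check before daemon-reload.
dropin_orders_after() {
    f="$1/ssh.service.d/after-openvpn.conf"
    dev="sys-subsystem-net-devices-$2.device"
    grep -qx "After=${dev}" "$f" && grep -qx "Requires=${dev}" "$f"
}

# On a real host, run as root: ./after-openvpn.sh --apply [iface]
# The block does nothing when executed without --apply.
if [ "${1:-}" = "--apply" ]; then
    write_sshd_dropin /etc/systemd/system "${2:-tun0}"
    systemctl daemon-reload
    # Show the effective dependencies so the change can be verified.
    systemctl show -p After -p Requires ssh.service
fi
```

After `daemon-reload`, `systemctl show -p After -p Requires ssh.service` should list the tunnel device unit; if it does not, the interface name in the drop-in does not match the one OpenVPN actually creates, which is the first thing to check before rebooting a host that has no console.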