02.INSTALL DEPENDENCIES

CONTROLLER NODE

SSH

// SSH SERVER: LINUX
//installation
root@controllerNode:~$ sudo apt update
root@controllerNode:~$ sudo apt install openssh-server

//configuration (if required)
root@controllerNode:~$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
root@controllerNode:~$ sudo nano /etc/ssh/sshd_config
 ...
 PasswordAuthentication no
 PubkeyAuthentication yes
 
 * change the standard port to a non-standard (if required)
    - this can mitigate some common automated attacks
 * PermitRootLogin
    - this prevents root from logging in; users must use sudo instead
       - PermitRootLogin no
 * PasswordAuthentication
    - set to "no" for ssh keys utilization; this disables passwordbased authentication
      which forces users to use ssh keys (more secure)
       - PasswordAuthentication no
 * PubkeyAuthentication
    - set to "yes" to enable public key authentication
       - PubkeyAuthentication yes
 * AllowUsers / DenyUsers
    - this restricts or allows SSH access to specific users.
       - AllowUsers yourusername anotheruser
       
root@controllerNode:~$ sudo systemctl restart ssh.service 
 
//FW Configuration
root@controllerNode:~$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 * ALT:
    - sudo ufw allow ssh
      sudo ufw enable

ANSIBLE

//INSTALL ANSIBLE COMMUNITY

root@oco:~$ which pipx
 /usr/bin/pipx
                                                                                                                                                                                                                                            
root@oco:~$ pipx install --include-deps ansible
 installed package ansible 11.7.0, installed using Python 3.13.3
 These apps are now globally available
  - ansible
  - ansible-community
  - ansible-config
  - ansible-console
  - ansible-doc
  - ansible-galaxy
  - ansible-inventory
  - ansible-playbook
  - ansible-pull
  - ansible-test
  - ansible-vault
 done!

root@oco:~$ pipx ensurepath
 Success! Added /home/ansible-admin/.local/bin to the PATH environment variable.
 Consider adding shell completions for pipx. Run 'pipx completions' for instructions.
 You will need to open a new terminal or re-login for the PATH changes to take effect. Alternatively, you can source your shell's config file with e.g. 'source ~/.bashrc'.
 Otherwise pipx is ready to go!

root@oco:~$ ansible --version
 ansible [core 2.18.6]
  config file = None
  configured module search path = ['/home/cyberteam/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/cyberteam/.local/share/pipx/venvs/ansible/lib/python3.13/site-packages/ansible
  ansible collection location = /home/cyberteam/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/cyberteam/.local/bin/ansible
  python version = 3.13.3 (main, Apr 10 2025, 21:38:51) [GCC 14.2.0] (/home/cyberteam/.local/share/pipx/venvs/ansible/bin/python)
  jinja version = 3.1.6
  libyaml = True
  
root@oco:~$ ansible-community --version
 Ansible community version 11.7.0

//DISPLAY MODULES
//list community modules
root@oco:~$ ansible-doc -l | wc -l     
 10682

//display modules
root@oco:~$ ansible-doc -l
 ansible.windows.async_status               Obtain status of asynchronous task                                                                                  
 ansible.windows.setup                      Gathers facts about remote hosts                                                                                    
 ansible.windows.slurp                      Slurps a file from remote nodes                                                                                     
 ansible.windows.win_acl                    Set file/directory/registry/certificate permissions for a system user or group                                      
 ansible.windows.win_acl_inheritance        Change ACL inheritance                                                                                              
 ansible.windows.win_audit_policy_system    Used to make changes to the system wide Audit Policy                                                                
 ansible.windows.win_audit_rule             Adds an audit rule to files, folders, or registry keys                                                              
 ansible.windows.win_auto_logon             Adds or Sets auto logon registry keys                                                                               
 ansible.windows.win_certificate_info       Get information on certificates from a Windows Certificate Store                                                    
 ansible.windows.win_certificate_store      Manages the certificate store                                                                                       
 ansible.windows.win_command                Executes a command on a remote Windows node 
 ...

MANAGED NODES

SSH (LINUX)

// SSH SERVER: LINUX
//installation
root@managedNode1:~$ sudo apt update
root@managedNode1:~$ sudo apt install openssh-server

//configuration (if required)
root@managedNode1:~$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
root@managedNode1:~$ sudo nano /etc/ssh/sshd_config
 ...
 PasswordAuthentication no
 PubkeyAuthentication yes
 
 * change the standard port to a non-standard (if required)
    - this can mitigate some common automated attacks
 * PermitRootLogin
    - this prevents root from logging in; users must use sudo instead
       - PermitRootLogin no
 * PasswordAuthentication
    - set to "no" for ssh keys utilization; this disables passwordbased authentication
      which forces users to use ssh keys (more secure)
       - PasswordAuthentication no
 * PubkeyAuthentication
    - set to "yes" to enable public key authentication
       - PubkeyAuthentication yes
 * AllowUsers / DenyUsers
    - this restricts or allows SSH access to specific users.
       - AllowUsers yourusername anotheruser

root@managedNode1:~$ sudo systemctl restart ssh.service 
 
//FW Configuration
root@managedNode1:~$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 * ALT:
    - sudo ufw allow ssh
      sudo ufw enable

SSH (WINDOWS)

// SSH SERVER: WINDOWS

//installation
PS C\managedNode1> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
PS C\managedNode1> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
PS C\managedNode1> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

//configuration
PS C\managedNode1> Start-Service sshd
PS C\managedNode1> Set-Service -Name sshd -StartupType 'Automatic'

PS C\managedNode1> Get-ChildItem C:\ProgramData\ssh
PS C\managedNode1> notepad C:\ProgramData\ssh\sshd_config
 PasswordAuthentication no
 PubkeyAuthentication yes
 AllowUsers yourwindowsusername   //this is for individual users
 
 * the file will be created if it doesn't exist
 * Port 2222
 
 //for domain
 AllowUsers DOMAIN\youruser
 AllowGroups DOMAIN\sshusers
 
//configure the authorized key file for key-based authentication
AuthorizedKeysFile .ssh/authorized_keys
 * ALT: for admins
    - AuthorizedKeysFile %PROGRAMDATA%/ssh/administrators_authorized_keys

* For non-administrator accounts, the default location is C:\Users\<YourUsername>\.ssh\authorized_keys
  For administrator accounts, OpenSSH server on Windows often defaults to C:\ProgramData\ssh\administrators_authorized_keys

PS C\managedNode1> Restart-Service sshd -Force
 
//this sets PS as default shell
PS C\managedNode1> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
 * this reverts to the default shell
    - Remove-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -ErrorAction SilentlyContinue

//configure FW
PS C\managedNode1> New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

 * alt for custom ports: New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP-Custom' -DisplayName 'OpenSSH Server (sshd) Custom Port' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 2222
 
//configure key-based authentication
PS C\managedNode1> ssh-keygen -t rsa -b 4096 -C "[email protected]"
 $publicKey = '<YOUR_PUBLIC_KEY_CONTENT>'
 $authorizedKeysPath = "C:\ProgramData\ssh\administrators_authorized_keys" # or "$env:USERPROFILE\.ssh\authorized_keys" for non-admins

 * Replace '<YOUR_PUBLIC_KEY_CONTENT>' with the actual content of your id_rsa.pub file

# Ensure the directory exists
PS C\managedNode1> New-Item -ItemType Directory -Path (Split-Path $authorizedKeysPath) -ErrorAction SilentlyContinue

# Append the public key
PS C\managedNode1> Add-Content -Force -Path $authorizedKeysPath -Value $publicKey
 * The public key (id_rsa.pub) needs to be placed in the authorized_keys file on your 
   Windows SSH server.
    - For non-administrator accounts: Create a .ssh folder in the user's profile 
      directory (C:\Users\<YourUsername>\.ssh) and place the public key content into a 
      file named authorized_keys.
    - For administrator accounts: The authorized_keys file for administrators is 
      typically located at C:\ProgramData\ssh\administrators_authorized_keys
      
//set permission for authorized key file
PS C\managedNode1> icacls.exe "$authorizedKeysPath" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
 * For C:\ProgramData\ssh\administrators_authorized_keys
 
# Example for a non-admin user's authorized_keys file (replace <username>)
# $userAuthorizedKeysPath = "C:\Users\<YourUsername>\.ssh\authorized_keys"
# icacls.exe "$userAuthorizedKeysPath" /inheritance:r /grant "<YourUsername>:F" /grant "SYSTEM:F"
* For C:\Users\<YourUsername>\.ssh\authorized_keys:
  Ensure only the user account and SYSTEM have full control. You might need to disable 
  inheritance and remove other users.

WINRM (WINDOWS)

PS C:\managedNode1> Set-ExecutionPolicy RemoteSigned -Force
PS C:\managedNode1> Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\ConfigureRemotingForAnsible.ps1
PS C:\managedNode1> C:\ConfigureRemotingForAnsible.ps1 -EnableCredSSP -Force
PS C:\managedNode1> Get-Service -Name WinRM

 * -EnableCredSSP is often used for simpler setups but has security implications as 
   it delegates credentials. For production environments, consider NTLM or Kerberos 
   if in a domain.

PYTHON

MAIN METHOD

PS C:\managedNode1> Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe" -OutFile "$env:TEMP\python-installer.exe"
PS C:\managedNode1> Start-Process "$env:TEMP\python-installer.exe"
 Add Python to PATH
 
PS C:\managedNode1> python --version
PS C:\managedNode1> pip --version

ALTERNATE METHOD

//ALTERNATE METHOD
//Install winget
Microsoft Store
 Search: App Installer
 Update/Install
 
 * ALT: https://aka.ms/getwinget

PS C:\managedNode1> winget --version
PS C:\managedNode1> winget search python
 ...
 Python 3.12
 ...

PS C:\managedNode1> winget install --id Python.Python.3.12 --source winget --accept-package-agreements --accept-source-agreements
PS C:\managedNode1> python --version
PS C:\managedNode1> pip --version

Previous01.PRE-SETUP Next03.CREATE USER

Last updated 4 months ago