02.INSTALL DEPENDENCIES
CONTROLLER NODE
SSH
// SSH SERVER: LINUX
//installation
root@controllerNode:~$ sudo apt update
root@controllerNode:~$ sudo apt install openssh-server
//configuration (if required; validate the edited file with "sudo sshd -t" before restarting, and keep the current session open until a fresh login succeeds)
root@controllerNode:~$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
root@controllerNode:~$ sudo nano /etc/ssh/sshd_config
...
PasswordAuthentication no
PubkeyAuthentication yes
* change the standard port to a non-standard one (if required)
- this can reduce noise from common automated scans, but it is obscurity rather than a security control; key-only authentication is what actually protects the service
* PermitRootLogin
- set to "no" so root cannot log in directly over SSH; administrators log in as a regular user and use sudo instead
- PermitRootLogin no
* PasswordAuthentication
- set to "no" to require SSH keys; this disables password-based authentication, so users must authenticate with a key (more secure)
- install and test your public key over a separate session before restarting sshd with this setting, or you will be locked out
- PasswordAuthentication no
* PubkeyAuthentication
- set to "yes" to enable public key authentication
- PubkeyAuthentication yes
* AllowUsers / DenyUsers
- AllowUsers restricts SSH logins to the listed users; DenyUsers blocks the listed users.
- AllowUsers yourusername anotheruser
root@controllerNode:~$ sudo systemctl restart ssh.service
//FW Configuration
root@controllerNode:~$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
* ALT (ufw's "ssh" profile opens port 22; if you changed the port, allow that port number instead):
- sudo ufw allow ssh
sudo ufw enable
ANSIBLE
//INSTALL ANSIBLE COMMUNITY
root@oco:~$ which pipx
/usr/bin/pipx
root@oco:~$ pipx install --include-deps ansible
installed package ansible 11.7.0, installed using Python 3.13.3
These apps are now globally available
- ansible
- ansible-community
- ansible-config
- ansible-console
- ansible-doc
- ansible-galaxy
- ansible-inventory
- ansible-playbook
- ansible-pull
- ansible-test
- ansible-vault
done!
root@oco:~$ pipx ensurepath
Success! Added /home/ansible-admin/.local/bin to the PATH environment variable.
Consider adding shell completions for pipx. Run 'pipx completions' for instructions.
You will need to open a new terminal or re-login for the PATH changes to take effect. Alternatively, you can source your shell's config file with e.g. 'source ~/.bashrc'.
Otherwise pipx is ready to go!
root@oco:~$ ansible --version
ansible [core 2.18.6]
config file = None
configured module search path = ['/home/cyberteam/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/cyberteam/.local/share/pipx/venvs/ansible/lib/python3.13/site-packages/ansible
ansible collection location = /home/cyberteam/.ansible/collections:/usr/share/ansible/collections
executable location = /home/cyberteam/.local/bin/ansible
python version = 3.13.3 (main, Apr 10 2025, 21:38:51) [GCC 14.2.0] (/home/cyberteam/.local/share/pipx/venvs/ansible/bin/python)
jinja version = 3.1.6
libyaml = True
root@oco:~$ ansible-community --version
Ansible community version 11.7.0
//DISPLAY MODULES
//count the installed modules (ansible-doc -l prints one module per line)
root@oco:~$ ansible-doc -l | wc -l
10682
//display modules
root@oco:~$ ansible-doc -l
ansible.windows.async_status Obtain status of asynchronous task
ansible.windows.setup Gathers facts about remote hosts
ansible.windows.slurp Slurps a file from remote nodes
ansible.windows.win_acl Set file/directory/registry/certificate permissions for a system user or group
ansible.windows.win_acl_inheritance Change ACL inheritance
ansible.windows.win_audit_policy_system Used to make changes to the system wide Audit Policy
ansible.windows.win_audit_rule Adds an audit rule to files, folders, or registry keys
ansible.windows.win_auto_logon Adds or Sets auto logon registry keys
ansible.windows.win_certificate_info Get information on certificates from a Windows Certificate Store
ansible.windows.win_certificate_store Manages the certificate store
ansible.windows.win_command Executes a command on a remote Windows node
...
MANAGED NODES
SSH (LINUX)
// SSH SERVER: LINUX
//installation
root@managedNode1:~$ sudo apt update
root@managedNode1:~$ sudo apt install openssh-server
//configuration (if required; validate the edited file with "sudo sshd -t" before restarting, and keep the current session open until a fresh login succeeds)
root@managedNode1:~$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
root@managedNode1:~$ sudo nano /etc/ssh/sshd_config
...
PasswordAuthentication no
PubkeyAuthentication yes
* change the standard port to a non-standard one (if required)
- this can reduce noise from common automated scans, but it is obscurity rather than a security control; key-only authentication is what actually protects the service
* PermitRootLogin
- set to "no" so root cannot log in directly over SSH; administrators log in as a regular user and use sudo instead
- PermitRootLogin no
* PasswordAuthentication
- set to "no" to require SSH keys; this disables password-based authentication, so users must authenticate with a key (more secure)
- install and test your public key over a separate session before restarting sshd with this setting, or you will be locked out
- PasswordAuthentication no
* PubkeyAuthentication
- set to "yes" to enable public key authentication
- PubkeyAuthentication yes
* AllowUsers / DenyUsers
- AllowUsers restricts SSH logins to the listed users; DenyUsers blocks the listed users.
- AllowUsers yourusername anotheruser
root@managedNode1:~$ sudo systemctl restart ssh.service
//FW Configuration
root@managedNode1:~$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
* ALT (ufw's "ssh" profile opens port 22; if you changed the port, allow that port number instead):
- sudo ufw allow ssh
sudo ufw enable
SSH (WINDOWS)
// SSH SERVER: WINDOWS
//installation
PS C:\managedNode1> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
PS C:\managedNode1> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
PS C:\managedNode1> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
//configuration
PS C:\managedNode1> Start-Service sshd
PS C:\managedNode1> Set-Service -Name sshd -StartupType 'Automatic'
PS C:\managedNode1> Get-ChildItem C:\ProgramData\ssh
PS C:\managedNode1> notepad C:\ProgramData\ssh\sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers yourwindowsusername //this is for individual users
* the file will be created if it doesn't exist
* Port 2222
//for domain
AllowUsers DOMAIN\youruser
AllowGroups DOMAIN\sshusers
//configure the authorized key file for key-based authentication
AuthorizedKeysFile .ssh/authorized_keys
* ALT: for admins
- AuthorizedKeysFile %PROGRAMDATA%/ssh/administrators_authorized_keys
* For non-administrator accounts the default location is C:\Users\<YourUsername>\.ssh\authorized_keys;
for accounts in the local Administrators group, OpenSSH Server on Windows instead reads C:\ProgramData\ssh\administrators_authorized_keys by default (the shipped sshd_config sets this in a "Match Group administrators" block)
PS C:\managedNode1> Restart-Service sshd -Force
//this sets PowerShell as the default shell for SSH sessions
PS C:\managedNode1> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
* this reverts to the default shell
- Remove-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -ErrorAction SilentlyContinue
//configure FW
PS C:\managedNode1> New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
* alt for custom ports: New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP-Custom' -DisplayName 'OpenSSH Server (sshd) Custom Port' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 2222
//configure key-based authentication (ssh-keygen is shown here for illustration; in practice generate the key pair on the controller node and copy only the public key to the managed node — the private key never leaves the controller)
PS C:\managedNode1> ssh-keygen -t rsa -b 4096 -C "[email protected]"
$publicKey = '<YOUR_PUBLIC_KEY_CONTENT>'
$authorizedKeysPath = "C:\ProgramData\ssh\administrators_authorized_keys" # or "$env:USERPROFILE\.ssh\authorized_keys" for non-admins
* Replace '<YOUR_PUBLIC_KEY_CONTENT>' with the actual content of your id_rsa.pub file
# Ensure the directory exists
PS C:\managedNode1> New-Item -ItemType Directory -Path (Split-Path $authorizedKeysPath) -ErrorAction SilentlyContinue
# Append the public key
PS C:\managedNode1> Add-Content -Force -Path $authorizedKeysPath -Value $publicKey
* The public key (id_rsa.pub) needs to be placed in the authorized_keys file on your
Windows SSH server.
- For non-administrator accounts: Create a .ssh folder in the user's profile
directory (C:\Users\<YourUsername>\.ssh) and place the public key content into a
file named authorized_keys.
- For administrator accounts: The authorized_keys file for administrators is
typically located at C:\ProgramData\ssh\administrators_authorized_keys
//set permission for authorized key file
PS C:\managedNode1> icacls.exe "$authorizedKeysPath" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
* For C:\ProgramData\ssh\administrators_authorized_keys
# Example for a non-admin user's authorized_keys file (replace <username>)
# $userAuthorizedKeysPath = "C:\Users\<YourUsername>\.ssh\authorized_keys"
# icacls.exe "$userAuthorizedKeysPath" /inheritance:r /grant "<YourUsername>:F" /grant "SYSTEM:F"
* For C:\Users\<YourUsername>\.ssh\authorized_keys:
ensure only that user account and SYSTEM have full control; disable inheritance and remove any other principals,
since sshd may refuse to use the file if other accounts can write to it.
WINRM (WINDOWS)
PS C:\managedNode1> Set-ExecutionPolicy RemoteSigned -Force
PS C:\managedNode1> Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\ConfigureRemotingForAnsible.ps1
PS C:\managedNode1> C:\ConfigureRemotingForAnsible.ps1 -EnableCredSSP -Force
PS C:\managedNode1> Get-Service -Name WinRM
* -EnableCredSSP is often used for simpler setups but has security implications: it delegates the user's
credentials to the managed node, so a compromised node can reuse them. For production environments prefer
Kerberos (if in a domain) or NTLM and leave CredSSP disabled unless a task requires it. The script above is
fetched from the "devel" branch and executed as-is; review it (or use a pinned release copy) before running it with elevated rights.
PYTHON
MAIN METHOD
PS C:\managedNode1> Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe" -OutFile "$env:TEMP\python-installer.exe"
PS C:\managedNode1> Start-Process "$env:TEMP\python-installer.exe"
* in the installer dialog, tick "Add Python to PATH" before installing (otherwise the version checks below will not find python/pip)
PS C:\managedNode1> python --version
PS C:\managedNode1> pip --version
ALTERNATE METHOD
//ALTERNATE METHOD
//Install winget
Microsoft Store
Search: App Installer
Update/Install
* ALT: https://aka.ms/getwinget
PS C:\managedNode1> winget --version
PS C:\managedNode1> winget search python
...
Python 3.12
...
PS C:\managedNode1> winget install --id Python.Python.3.12 --source winget --accept-package-agreements --accept-source-agreements
PS C:\managedNode1> python --version
PS C:\managedNode1> pip --version