Liblor / applied_sec_lab

Applied Security Laboratory - AS19

OS hardening #57

Closed keyctl closed 4 years ago

keyctl commented 4 years ago

This addresses #42.

keyctl commented 4 years ago

@Miro-H I added all (?) relevant subnets for our network to allow SSH for now, but I cannot connect using vagrant ssh. Do you have an idea why this still does not work? Remember that the vagrant user still exists and is added to the allowed SSH group.

Miro-H commented 4 years ago

> @Miro-H I added all (?) relevant subnets for our network to allow SSH for now, but I cannot connect using vagrant ssh. Do you have an idea why this still does not work? Remember that the vagrant user still exists and is added to the allowed SSH group.

And this is not a build you did with the vagrant purge option? Because vagrant uses SSH keys and not the password for vagrant ssh, so, for example, adding the user back after the script ran doesn't work.

But I don't know if vagrant does anything else behind the scenes to establish SSH connections; I hope that would be documented somewhere?

keyctl commented 4 years ago

> And this is not a build you did with the vagrant purge option? Because vagrant uses SSH keys and not the password for vagrant ssh, so, for example, adding the user back after the script ran doesn't work.

Yes, I know. I've done a make build as always, and it ends in a Permission denied (publickey).

keyctl commented 4 years ago

This patch will not take care of which addresses SSH listens on. A firewall will be needed to manage traffic more granularly.

@Miro-H This branch works for me with a new build. Please have a look and tell me what's missing.

keyctl commented 4 years ago

@Miro-H I've made some more changes to make integration with the work on #68 easier. This now provides its own playbook, which will be run right after the normal setup is done. It will run through the admin user, but without a connection to the client machine.

As soon as the script is run, we won't have access via passwords any longer. However, the Vagrantfile will generate keys for the admin for every Ansible master anyway, so we're fine.

Please try to run #68 first, then we can merge this on top.
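Whether passwords really stop working once the playbook has run depends on where its lines end up in sshd_config. The following audit script is an added example, not code from this repository: it reads a config the way sshd does and reports the settings the hardening relies on. The group name `ssh-users` and both sample configs are constructed for the example.

```shell
# Added example, not code from the PR: audit an sshd_config for the settings
# this hardening relies on. Two sshd parsing rules matter: the FIRST value of
# a keyword in the main section wins, and every line after a "Match" line
# belongs to that Match block, so appending "PasswordAuthentication no" to a
# stock config may change nothing. Only "Keyword value" syntax is handled.

# effective_value FILE KEYWORD: value sshd uses in the main section (first
# non-comment occurrence before any Match block), empty if unset there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF < 2 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }        # main section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: exit 0 if hardened, else print findings and exit 1.
audit_sshd_config() {
    rc=0
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no' in the main section"; rc=1; }
    [ "$(effective_value "$1" PubkeyAuthentication)" != "no" ] ||
        { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    [ -n "$(effective_value "$1" AllowGroups)" ] ||
        { echo "FAIL: no AllowGroups restriction in the main section"; rc=1; }
    return $rc
}

# Constructed sample: stock config with hardening lines appended at the end;
# they land inside the Match block, so sshd never applies them globally.
write_appended_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
# appended by the hardening playbook
PasswordAuthentication no
AllowGroups ssh-users
EOF
}

# Constructed sample: the same settings placed in the main section instead.
write_hardened_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users
EOF
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a built VM before trusting that password logins are gone; `sshd -T` on the host gives the same effective values straight from sshd.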

keyctl commented 4 years ago

I was successful in issuing a new certificate on f65bf75.