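---
# Restrict SSH logins either with AllowGroups or with AllowUsers (never both),
# depending on what sshd_config already contains and on the Debian release,
# then turn off root login over SSH.

- name: verify AllowGroups directive
  # Only the main sshd_config is read: a directive set in an Include'd file
  # or inside a Match block is not detected here.
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  changed_when: false
  # grep exits non-zero when nothing matches; that is the expected "absent" case
  failed_when: false
  # run the lookup in check mode too, so the registered fact always exists
  check_mode: false
  register: grep_allowgroups_ssh

- name: show AllowGroups lookup result
  debug:
    var: grep_allowgroups_ssh
    verbosity: 1

- name: verify AllowUsers directive
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- name: show AllowUsers lookup result
  debug:
    var: grep_allowusers_ssh
    verbosity: 1

- name: ensure AllowUsers and AllowGroups are not both present
  # The facts below and the two includes assume at most one directive is set.
  assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

- name: decide between AllowGroups and AllowUsers
  # Only rc == 0 counts as "present": any other exit code (no match, or an
  # unreadable sshd_config) is treated as "absent".
  set_fact:
    # True if "AllowGroups is present"
    # or "AllowUsers is absent and Debian 10+" (i.e. neither directive is set)
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
    # True if "AllowUsers is present"
    # or "AllowGroups is absent and Debian <10" (i.e. neither directive is set)
    ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"

- name: show ssh_allowgroups decision
  debug:
    var: ssh_allowgroups
    verbosity: 1

- name: show ssh_allowusers decision
  debug:
    var: ssh_allowusers
    verbosity: 1

# `include` is deprecated (removed in recent Ansible); include_tasks is its
# dynamic replacement and supports loop/vars/when the same way.
- name: configure AllowGroups
  include_tasks: ssh_allowgroups.yml
  when:
    - ssh_allowgroups
    - not ssh_allowusers

- name: configure AllowUsers
  include_tasks: ssh_allowusers.yml
  vars:
    user: "{{ item.value }}"
  loop: "{{ evolinux_users | dict2items }}"
  when:
    - ssh_allowusers
    - not ssh_allowgroups

- name: disable root login
  # `replace` only rewrites an existing, uncommented PermitRootLogin line.
  # When the directive is absent or commented out the file is left untouched
  # and sshd's built-in default applies (prohibit-password on current
  # OpenSSH, i.e. key-based root login stays possible) — TODO confirm whether
  # lineinfile should insert the line in that case.
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
  notify: reload sshd
  when: evolinux_root_disable_ssh | bool

# Run the pending "reload sshd" handler now so the new configuration is live
# before anything that follows relies on it.
- meta: flush_handlers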