forked from evolix/ansible-roles
evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
This commit is contained in:
parent
1d342f6952
commit
5903ff8c81
|
@ -18,6 +18,7 @@ The **patch** part is incremented if multiple releases happen the same month
|
|||
### Changed
|
||||
|
||||
* evobackup-client: upstream release 24.05
|
||||
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -37,6 +37,6 @@ Main variables are:
|
|||
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
|
||||
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
|
||||
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`)
|
||||
* `evolinux_ssh_allow_current_user`: don't lock yourself out (default: `False`)
|
||||
* `evolinux_ssh_allow_current_user`: don't lock yourself out is there is an AllowUsers or AllowGroups directive (default: `False`)
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -16,34 +16,75 @@
|
|||
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
mode: "0644"
|
||||
|
||||
- name: "Get current user's group"
|
||||
# Should we allow the current user?
|
||||
- name: Allow the current user
|
||||
block:
|
||||
- name: "Get current user's login"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: logname
|
||||
register: _logname
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -ER '^AllowUsers' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- name: "Add AllowUsers sshd directive for current user"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
|
||||
create: yes
|
||||
line: "AllowUsers {{ logname.stdout }}"
|
||||
insertafter: 'Subsystem'
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowgroups_ssh
|
||||
check_mode: no
|
||||
|
||||
# If we have AllowUsers but not AllowGroups, append the user to the list
|
||||
# (in the first file where we found the directive)
|
||||
|
||||
- name: "Append user to existing AllowUsers sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ _logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
|
||||
# If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
|
||||
# (in the first file where we found the directive)
|
||||
|
||||
- name: "Append evolinux ssh group to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "evolinux ssh group is present"
|
||||
ansible.builtin.group:
|
||||
name: "{{ evolinux_ssh_group }}"
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Add current user to evolinux ssh group"
|
||||
ansible.builtin.user:
|
||||
name: "{{ _logname.stdout }}"
|
||||
group: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
||||
# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
|
||||
# TODO si allowgroups, ajouter groupe de l’utilisateur
|
||||
|
|
|
@ -61,15 +61,16 @@
|
|||
notify: reload sshd
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
# Should we allow the current user?
|
||||
- name: Allow the current user
|
||||
block:
|
||||
- name: "Get current user"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: logname
|
||||
register: _logname
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
|
@ -77,24 +78,49 @@
|
|||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- name: "Add AllowUsers sshd directive for current user"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ logname.stdout }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowgroups_ssh
|
||||
check_mode: no
|
||||
|
||||
# If we have AllowUsers but not AllowGroups, append the user to the list
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for current user"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ logname.stdout }}'
|
||||
regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ _logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
|
||||
# If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
|
||||
|
||||
- name: "Add current user to {{ evolinux_ssh_group }} group"
|
||||
ansible.builtin.user:
|
||||
name: "{{ _logname.stdout }}"
|
||||
group: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: "/etc/ssh/sshd_config"
|
||||
regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
Loading…
Reference in a new issue