evolinux: groups for SSH configuration are used with Debian 10 and later
parent
e79640d770
commit
8384e8ba43
|
@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
* evolinux: groups for SSH configuration are used with Debian 10 and later
|
||||||
* evolinux-base: fail2ban is not enabled by default
|
* evolinux-base: fail2ban is not enabled by default
|
||||||
* evolinux-users: refactoring of the SSH configuration
|
* evolinux-users: refactoring of the SSH configuration
|
||||||
* mysql-oracle: copy evolinux config files in mysql.cond.d
|
* mysql-oracle: copy evolinux config files in mysql.cond.d
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# We want to allow any user from a list of IP addresses to login with password,
|
# We want to allow any user from a list of IP addresses to login with password,
|
||||||
# but users of the "evolix" group can't login with password from other IP addresses
|
# but users of the "evolix" group can't login with password from other IP addresses
|
||||||
|
|
||||||
- name: Security directives for Evolinux (Debian 9 or later)"
|
- name: Security directives for Evolinux (Debian 10 or later)"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
block: |
|
block: |
|
||||||
|
@ -27,9 +27,9 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- evolinux_ssh_password_auth_addresses != []
|
- evolinux_ssh_password_auth_addresses != []
|
||||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- name: Security directives for Evolinux (Jessie)
|
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
block: |
|
block: |
|
||||||
|
@ -41,7 +41,7 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- evolinux_ssh_password_auth_addresses != []
|
- evolinux_ssh_password_auth_addresses != []
|
||||||
- ansible_distribution_release == "jessie"
|
- ansible_distribution_major_version | version_compare('10', '<')
|
||||||
|
|
||||||
# We disable AcceptEnv because it can be a security issue, but also because we
|
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||||
# do not want clients to push their environment variables like LANG.
|
# do not want clients to push their environment variables like LANG.
|
||||||
|
|
|
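Review bot: Stretch hosts that earlier runs configured through the `'9', '>='` task now match the Jessie/Stretch task instead (`version_compare('10', '<')`), and nothing in these hunks removes the block the old task wrote. The `marker` of the two blockinfile tasks is outside the hunks; if the markers differ, both blocks remain in /etc/ssh/sshd_config, and since sshd generally keeps the first value it reads for a keyword, the old group-based directives could keep taking effect. Confirm that both tasks share one marker, or add a cleanup task for Debian 9. The new condition also matches releases older than Jessie, which the task name does not cover. The renamed task name still ends in a stray `"`; quoting the whole value, `- name: "Security directives for Evolinux (Debian 10 or later)"`, fixes that.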
@ -43,18 +43,18 @@
|
||||||
|
|
||||||
# Unix groups
|
# Unix groups
|
||||||
|
|
||||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 9 or later)"
|
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_ssh_group }}"
|
name: "{{ evolinux_ssh_group }}"
|
||||||
state: present
|
state: present
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 9 or later)"
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: "{{ evolinux_ssh_group }}"
|
groups: "{{ evolinux_ssh_group }}"
|
||||||
append: yes
|
append: yes
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- name: "Secondary Unix groups are present"
|
- name: "Secondary Unix groups are present"
|
||||||
group:
|
group:
|
||||||
|
|
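Review bot: Raising the gate to `'10', '>='` on both `when:` lines leaves Debian 9 hosts that were already provisioned with the group and its memberships untouched, while accounts created from now on are no longer added to `{{ evolinux_ssh_group }}`. If a previous run wrote an `AllowGroups` line for that group into sshd_config (the tasks that do so are outside this hunk), new accounts on such hosts would be refused by sshd, so the Stretch path presumably needs a task that removes the old directive. Separately, `version_compare` applied as a filter is the pre-2.5 spelling; on newer Ansible the form is `when: ansible_distribution_major_version is version('10', '>=')`, and the same holds for the sshd_config conditions in the other task file.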