diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 29a77524..b9afc630 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -56,9 +56,17 @@ name: evolix/evomaintenance when: evolinux_evomaintenance_include | bool -- name: SSH configuration - include: ssh.yml - when: evolinux_ssh_include | bool +- name: SSH configuration (single file) + import_tasks: ssh.single-file.yml + when: + - ansible_distribution_major_version is version('12', '<') + - evolinux_ssh_include | bool + +- name: SSH configuration (included-files) + import_tasks: ssh.included-files.yml + when: + - ansible_distribution_major_version is version('12', '>=') + - evolinux_ssh_include | bool ### disabled because of a memory leak # - name: Create evolinux users diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml new file mode 100644 index 00000000..952b661f --- /dev/null +++ b/evolinux-base/tasks/ssh.included-files.yml @@ -0,0 +1,104 @@ +--- +# This is a copy of ssh.single-file.yml +# It needs to be changed when we move to a included-files configuration + + +- ansible.builtin.debug: + msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" + when: evolinux_ssh_password_auth_addresses == [] + +# From 'man sshd_config' : +# « If all of the criteria on the Match line are satisfied, the keywords +# on the following lines override those set in the global section of the config +# file, until either another Match line or the end of the file. +# If a keyword appears in multiple Match blocks that are satisfied, +# only the first instance of the keyword is applied. » +# +# We want to allow any user from a list of IP addresses to login with password, +# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses + +- name: "Security directives for Evolinux (Debian 10 or later)" + ansible.builtin.blockinfile: + dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + Match Group {{ evolinux_internal_group }} + PasswordAuthentication no + insertafter: EOF + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version is version('10', '>=') + +- name: Security directives for Evolinux (Jessie/Stretch) + ansible.builtin.blockinfile: + dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + insertafter: EOF + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version is version('10', '<') + +# We disable AcceptEnv because it can be a security issue, but also because we +# do not want clients to push their environment variables like LANG. +- name: disable AcceptEnv in ssh config + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^AcceptEnv' + replace: "#AcceptEnv" + notify: reload sshd + when: evolinux_ssh_disable_acceptenv | bool + +- name: Set log level to verbose (for Debian >= 9) + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^#?LogLevel [A-Z]+' + replace: "LogLevel VERBOSE" + notify: reload sshd + when: ansible_distribution_major_version is version('9', '>=') + +- name: "Get current user" + ansible.builtin.command: + cmd: logname + changed_when: False + register: logname + check_mode: no + when: evolinux_ssh_allow_current_user | bool + +# we must double-escape caracters, because python +- name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no + when: evolinux_ssh_allow_current_user | bool + +- name: "Add AllowUsers sshd directive for current user" + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ logname.stdout }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 + +- name: "Modify AllowUsers sshd directive for current user" + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' + replace: '\1 {{ logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 + +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.single-file.yml similarity index 90% rename from evolinux-base/tasks/ssh.yml rename to evolinux-base/tasks/ssh.single-file.yml index e063d164..e76d792f 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.single-file.yml @@ -1,5 +1,5 @@ --- -- debug: +- ansible.builtin.debug: msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" when: evolinux_ssh_password_auth_addresses == [] @@ -14,7 +14,7 @@ # but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses - name: "Security directives for Evolinux (Debian 10 or later)" - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" block: | @@ -30,7 +30,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Security directives for Evolinux (Jessie/Stretch) - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" block: | @@ -46,7 +46,7 @@ # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. - name: disable AcceptEnv in ssh config - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^AcceptEnv' replace: "#AcceptEnv" @@ -54,7 +54,7 @@ when: evolinux_ssh_disable_acceptenv | bool - name: Set log level to verbose (for Debian >= 9) - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?LogLevel [A-Z]+' replace: "LogLevel VERBOSE" @@ -62,7 +62,8 @@ when: ansible_distribution_major_version is version('9', '>=') - name: "Get current user" - command: logname + ansible.builtin.command: + cmd: logname changed_when: False register: logname check_mode: no @@ -70,7 +71,8 @@ # we must double-escape caracters, because python - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" failed_when: False changed_when: False register: grep_allowusers_ssh @@ -78,7 +80,7 @@ when: evolinux_ssh_allow_current_user | bool - name: "Add AllowUsers sshd directive for current user" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ logname.stdout }}" insertafter: 'Subsystem' @@ -87,7 +89,7 @@ when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 - name: "Modify AllowUsers sshd directive for current user" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' replace: '\1 {{ logname.stdout }}' @@ -95,4 +97,4 @@ notify: reload sshd when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers