Add Match User and AllowUsers sshd statements built with join.
If the statements are not there, we do not need to worry about manual edits.
This commit is contained in:
parent
75aad3e5d7
commit
e79455efae
|
@ -57,15 +57,29 @@
|
|||
- ssh_allowusers
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: "Add AllowUsers sshd directive with all users"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh == 0
|
||||
|
||||
- include: ssh_allowusers.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
- allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}"
|
||||
- match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when:
|
||||
- ssh_allowusers
|
||||
- not ssh_allowgroups
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: (grep_allowusers_ssh.rc != 0) or (grep_matchuser_ssh != 0)
|
||||
|
||||
- name: disable root login
|
||||
replace:
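Review bot: The comma in `join(',')` on the new AllowUsers line is a lockout risk: sshd reads AllowUsers as a space-separated list of patterns, so the joined value becomes one pattern that matches no real account, and `sshd -t` accepts it, so the validate step will not catch it. The per-user append in ssh_allowusers.yml already uses `'\1 {{ user.name }}'` for AllowUsers and a comma only for Match User, so this line should be `line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(' ') }}"`. The Match User task also drops `.rc`: `when: grep_matchuser_ssh == 0` compares the registered result to an integer and never holds, so the `PasswordAuthentication no` block is never written, while `(grep_matchuser_ssh != 0)` on the include is always true; both should be `grep_matchuser_ssh.rc`. Since `evolinux_users` is iterated with `with_dict` and `user.name` comes from `item.value`, it appears to be a mapping, in which case `map(attribute='name')` walks its keys rather than its values — check the rendered directive and use `evolinux_users.values()|map(attribute='name')` if so. The leading `\n` in `line:` also keeps lineinfile from matching the directive on later runs, so it is re-inserted each time; a `regexp: '^AllowUsers '` on the task would make it idempotent.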
|
||||
|
|
|
@ -1,15 +1,5 @@
|
|||
---
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: not allow_users_present or not added_allow_user.changed
|
||||
register: added_allow_user
|
||||
|
||||
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
|
@ -17,17 +7,6 @@
|
|||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: allow_users_present or added_allow_user.changed
|
||||
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: not match_users_present or not added_match_user.changed
|
||||
register: added_match_user
|
||||
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive"
|
||||
replace:
|
||||
|
@ -36,4 +15,3 @@
|
|||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: match_users_present or added_match_user.changed
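Review bot: With the `when: allow_users_present or added_allow_user.changed` and `when: match_users_present or added_match_user.changed` guards removed, both Append tasks now run for every user on every play, so idempotence rests entirely on the `regexp:` lines, which fall outside these hunks. If those patterns do not already exclude a directive that contains the name, each run appends the user again and the AllowUsers and Match User lines grow without bound. A negative lookahead in the pattern, e.g. `regexp: '^(AllowUsers(?!.*\b{{ user.name | regex_escape }}\b).*)$'`, keeps the task a no-op once the user is listed; the same applies to the Match User pattern with its comma-separated form. The separators themselves are right here: AllowUsers takes space-separated patterns and Match User a comma-separated list, which the all-users tasks in the other file should mirror.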
|
||||
|
|