forked from evolix/ansible-roles
5226082db0
(will be probably generalized to others modules if needed)
81 lines
2.6 KiB
YAML
81 lines
2.6 KiB
YAML
---
|
|
|
|
- fail:
|
|
msg: You must provide at least 1 ssh trusted IP
|
|
when: evolinux_ssh_password_auth_addresses == []
|
|
|
|
- name: Security directives for Evolinux
|
|
blockinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
block: |
|
|
Match Group sudo
|
|
PasswordAuthentication no
|
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
|
PasswordAuthentication yes
|
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
|
insertafter: EOF
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
|
|
# - name: verify Match Address directive
|
|
# command: "grep 'Match Address' /etc/ssh/sshd_config"
|
|
# changed_when: False
|
|
# failed_when: False
|
|
# check_mode: no
|
|
# register: grep_matchaddress_ssh
|
|
#
|
|
# - name: Add Match Address sshd directive
|
|
# lineinfile:
|
|
# dest: /etc/ssh/sshd_config
|
|
# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
|
|
# insertafter: '# +ForceCommand cvs server'
|
|
# validate: '/usr/sbin/sshd -T -f %s'
|
|
# notify: reload sshd
|
|
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
|
|
#
|
|
# - name: Modify Match Address sshd directive
|
|
# replace:
|
|
# dest: /etc/ssh/sshd_config
|
|
# regexp: '^(Match Address ((?!{{ item }}).)*)$'
|
|
# replace: '\1,{{ item }}'
|
|
# validate: '/usr/sbin/sshd -T -f %s'
|
|
# with_items: "{{ evolinux_ssh_password_auth_addresses }}"
|
|
# notify: reload sshd
|
|
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
|
|
#
|
|
# - name: Add Match Group sudo without password
|
|
# lineinfile:
|
|
# dest: /etc/ssh/sshd_config
|
|
# line: "\nMatch Group sudo\n PasswordAuthentication no"
|
|
# insertbefore: '^Match Address'
|
|
# validate: '/usr/sbin/sshd -T -f %s'
|
|
# notify: reload sshd
|
|
|
|
- name: disable SSH access for root
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin (yes|without-password)'
|
|
replace: "PermitRootLogin no"
|
|
notify: reload sshd
|
|
when: evolinux_ssh_disable_root
|
|
|
|
# We disable AcceptEnv because it can be a security issue, but also because we
|
|
# do not want clients to push their environment variables like LANG.
|
|
- name: disable AcceptEnv in ssh config
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^AcceptEnv'
|
|
replace: "#AcceptEnv"
|
|
notify: reload sshd
|
|
when: evolinux_ssh_disable_acceptenv
|
|
|
|
- name: Set log level to verbose (for Debian >= 9)
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#?LogLevel [A-Z]+'
|
|
replace: "LogLevel VERBOSE"
|
|
notify: reload sshd
|
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
|
|
|
- meta: flush_handlers
|