Browse Source

Stricter ssh and doas access - better version

Fix #34

We now use a unique evobsd_group (evolix by default).
Each user has 2 groups : evobsd_group and user.name.
Only evobsd_group can ssh to server and use doas.

I also added a password restrictions block for IPs/group.
And we make sure the home folder is only readable by owner.
tags/6.8.0^2
Jérémy Dubois 2 weeks ago
parent
commit
2bf8a7e872
4 changed files with 41 additions and 37 deletions
  1. +20
    -22
      roles/accounts/tasks/main.yml
  2. +17
    -10
      roles/accounts/tasks/user.yml
  3. +2
    -2
      roles/base/templates/doas.conf.j2
  4. +2
    -3
      vars/main.yml

+ 20
- 22
roles/accounts/tasks/main.yml View File

@@ -1,20 +1,15 @@
---
- name: "Create {{ evolinux_sudo_group }}"
- name: "Create {{ evobsd_group }} group"
group:
name: "{{ evolinux_sudo_group }}"
system: true

- name: "Create {{ evolinux_ssh_group }}"
group:
name: "{{ evolinux_ssh_group }}"
name: "{{ evobsd_group }}"
system: true

- name: Create user accounts
include: user.yml
vars:
user: "{{ item.value }}"
with_dict: "{{ evolinux_users }}"
when: evolinux_users != {}
with_dict: "{{ evolix_users }}"
when: evolix_users != {}

- name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@@ -40,10 +35,10 @@
ssh_allowgroups:
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"

- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evolinux_ssh_group }}"
line: "\nAllowGroups {{ evobsd_group }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
@@ -51,30 +46,33 @@
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 1

- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
replace: '\1 {{ evolinux_ssh_group }}'
regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
replace: '\1 {{ evobsd_group }}'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 0

- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
replace:
- name: "Security directives for EvoBSD"
blockinfile:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
replace: '\1 {{ item.name }}'
marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
block: |
Match Address {{ evolix_trusted_ips | join(',') }}
PasswordAuthentication yes
Match Group {{ evobsd_group }}
PasswordAuthentication no
insertafter: EOF
validate: '/usr/sbin/sshd -t -f %s'
with_dict: "{{ evolinux_users }}"
notify: reload sshd
when:
- not ssh_allowgroups
- grep_allowusers_ssh == 1
- evolix_trusted_ips != []

- name: disable root login
- name: "Disable root login"
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'


+ 17
- 10
roles/accounts/tasks/user.yml View File

@@ -1,16 +1,31 @@
---
- name: "Group '{{ user.name }}' is present"
group:
state: present
name: "{{ user.name }}"
gid: "{{ user.uid }}"

- name: "User '{{ user.name }}' is present"
user:
state: present
name: '{{ user.name }}'
uid: '{{ user.uid }}'
password: '{{ user.password_hash_openbsd }}'
group: "{{ user.name }}"
groups: wheel
shell: /bin/ksh
append: true
tags:
- admin

- name: "Home directory for '{{ user.name }}' is only accesible by owner"
file:
name: '/home/{{ user.name }}'
mode: "0700"
owner: "{{ user.name }}"
group: "{{ user.name }}"
state: directory

- name: "SSH public keys for '{{ user.name }}' are present"
authorized_key:
user: "{{ user.name }}"
@@ -23,18 +38,10 @@
tags:
- admin

- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
user:
name: "{{ user.name }}"
groups: "{{ evolinux_sudo_group }}"
append: true
tags:
- admin

- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group"
- name: "Add {{ user.name }} to {{ evobsd_group }} group"
user:
name: "{{ user.name }}"
groups: "{{ evolinux_ssh_group }}"
groups: "{{ evobsd_group }}"
append: true
tags:
- admin

+ 2
- 2
roles/base/templates/doas.conf.j2 View File

@@ -1,7 +1,7 @@
# {{ ansible_managed }}
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
permit nopass root
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
permit nopass _collectd as root cmd /usr/sbin/bgpctl
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq


+ 2
- 3
vars/main.yml View File

@@ -8,9 +8,6 @@
#
# general_alert_email: "root@localhost"
# general_technical_realm: "example.com"
evolinux_ssh_group: "evolinux-ssh"
evolinux_sudo_group: "evolinux-sudo"
evolinux_root_disable_ssh: true
#
# evomaintenance_realm: "example.com"
# evomaintenance_alert_email:
@@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true
# evomaintenance_urgency_from: mama.doe@example.com
# evomaintenance_urgency_tel: "06.00.00.00.00"
#
evobsd_group: "evolix"
#
# evolix_users:
# foo:
# name: foo


Loading…
Cancel
Save