Stricter ssh and doas access - better version

Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner.
2020-10-13 16:03:54 +02:00 · 2020-10-13 16:03:54 +02:00 · 2bf8a7e872
Parent a606230d93
--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@ -1,20 +1,15 @@
 ---
- name: "Create {{ evolinux_sudo_group }}"
+- name: "Create {{ evobsd_group }} group"
  group:
-    name: "{{ evolinux_sudo_group }}"
-    system: true
-
- name: "Create {{ evolinux_ssh_group }}"
-  group:
-    name: "{{ evolinux_ssh_group }}"
+    name: "{{ evobsd_group }}"
    system: true

 - name: Create user accounts
  include: user.yml
  vars:
    user: "{{ item.value }}"
-  with_dict: "{{ evolinux_users }}"
-  when: evolinux_users != {}
+  with_dict: "{{ evolix_users }}"
+  when: evolix_users != {}

 - name: verify AllowGroups directive
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@ -40,10 +35,10 @@
    ssh_allowgroups:
      "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"

- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
-    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    line: "\nAllowGroups {{ evobsd_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
@ -51,30 +46,33 @@
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1

- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
-    replace: '\1 {{ evolinux_ssh_group }}'
+    regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
+    replace: '\1 {{ evobsd_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0

- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
-  replace:
+- name: "Security directives for EvoBSD"
+  blockinfile:
    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
-    replace: '\1 {{ item.name }}'
+    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
+    block: |
+      Match Address {{ evolix_trusted_ips | join(',') }}
+          PasswordAuthentication yes
+      Match Group {{ evobsd_group }}
+          PasswordAuthentication no
+    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
-  with_dict: "{{ evolinux_users }}"
  notify: reload sshd
  when:
-    - not ssh_allowgroups
-    - grep_allowusers_ssh == 1
+    - evolix_trusted_ips != []

- name: disable root login
+- name: "Disable root login"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
@ -1,16 +1,31 @@
 ---
+- name: "Group '{{ user.name }}' is present"
+  group:
+    state: present
+    name: "{{ user.name }}"
+    gid: "{{ user.uid }}"
+
 - name: "User '{{ user.name }}' is present"
  user:
    state: present
    name: '{{ user.name }}'
    uid: '{{ user.uid }}'
    password: '{{ user.password_hash_openbsd }}'
+    group: "{{ user.name }}"
    groups: wheel
    shell: /bin/ksh
    append: true
  tags:
    - admin

+- name: "Home directory for '{{ user.name }}' is only accesible by owner"
+  file:
+    name: '/home/{{ user.name }}'
+    mode: "0700"
+    owner: "{{ user.name }}"
+    group: "{{ user.name }}"
+    state: directory
+
 - name: "SSH public keys for '{{ user.name }}' are present"
  authorized_key:
    user: "{{ user.name }}"
@ -23,18 +38,10 @@
  tags:
    - admin

- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_group }} group"
  user:
    name: "{{ user.name }}"
-    groups: "{{ evolinux_sudo_group }}"
-    append: true
-  tags:
-    - admin
-
- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group"
-  user:
-    name: "{{ user.name }}"
-    groups: "{{ evolinux_ssh_group }}"
+    groups: "{{ evobsd_group }}"
    append: true
  tags:
    - admin
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@ -1,7 +1,7 @@
 # {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
+permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
 permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
--- a/vars/main.yml
+++ b/vars/main.yml
@ -8,9 +8,6 @@
 #
 # general_alert_email: "root@localhost"
 # general_technical_realm: "example.com"
-evolinux_ssh_group: "evolinux-ssh"
-evolinux_sudo_group: "evolinux-sudo"
-evolinux_root_disable_ssh: true
 #
 # evomaintenance_realm: "example.com"
 # evomaintenance_alert_email:
@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true
 # evomaintenance_urgency_from: mama.doe@example.com
 # evomaintenance_urgency_tel: "06.00.00.00.00"
 #
+evobsd_group: "evolix"
+#
 # evolix_users:
 #  foo:
 #    name: foo