Stricter ssh and doas access - better version
Fix #34 We now use a single evobsd_group (evolix by default). Each user has two groups: evobsd_group and user.name. Only evobsd_group can ssh to the server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by its owner.
This commit is contained in:
parent
a606230d93
commit
2bf8a7e872
|
@ -1,20 +1,15 @@
|
||||||
---
|
---
|
||||||
- name: "Create {{ evolinux_sudo_group }}"
|
- name: "Create {{ evobsd_group }} group"
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_sudo_group }}"
|
name: "{{ evobsd_group }}"
|
||||||
system: true
|
|
||||||
|
|
||||||
- name: "Create {{ evolinux_ssh_group }}"
|
|
||||||
group:
|
|
||||||
name: "{{ evolinux_ssh_group }}"
|
|
||||||
system: true
|
system: true
|
||||||
|
|
||||||
- name: Create user accounts
|
- name: Create user accounts
|
||||||
include: user.yml
|
include: user.yml
|
||||||
vars:
|
vars:
|
||||||
user: "{{ item.value }}"
|
user: "{{ item.value }}"
|
||||||
with_dict: "{{ evolinux_users }}"
|
with_dict: "{{ evolix_users }}"
|
||||||
when: evolinux_users != {}
|
when: evolix_users != {}
|
||||||
|
|
||||||
- name: verify AllowGroups directive
|
- name: verify AllowGroups directive
|
||||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||||
|
@ -40,10 +35,10 @@
|
||||||
ssh_allowgroups:
|
ssh_allowgroups:
|
||||||
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||||
|
|
||||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
line: "\nAllowGroups {{ evobsd_group }}"
|
||||||
insertafter: 'Subsystem'
|
insertafter: 'Subsystem'
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
@ -51,30 +46,33 @@
|
||||||
- ssh_allowgroups
|
- ssh_allowgroups
|
||||||
- grep_allowgroups_ssh.rc == 1
|
- grep_allowgroups_ssh.rc == 1
|
||||||
|
|
||||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
|
||||||
replace: '\1 {{ evolinux_ssh_group }}'
|
replace: '\1 {{ evobsd_group }}'
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- ssh_allowgroups
|
- ssh_allowgroups
|
||||||
- grep_allowgroups_ssh.rc == 0
|
- grep_allowgroups_ssh.rc == 0
|
||||||
|
|
||||||
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
- name: "Security directives for EvoBSD"
|
||||||
replace:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
|
marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
|
||||||
replace: '\1 {{ item.name }}'
|
block: |
|
||||||
|
Match Address {{ evolix_trusted_ips | join(',') }}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
Match Group {{ evobsd_group }}
|
||||||
|
PasswordAuthentication no
|
||||||
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
with_dict: "{{ evolinux_users }}"
|
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- not ssh_allowgroups
|
- evolix_trusted_ips != []
|
||||||
- grep_allowusers_ssh == 1
|
|
||||||
|
|
||||||
- name: disable root login
|
- name: "Disable root login"
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
|
|
|
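Review bot: The new "Security directives for EvoBSD" task in the third hunk is gated on `evolix_trusted_ips != []`, but that comparison raises an undefined-variable error when the variable is not set, and no hunk on this page gives it a default; guard it with `- evolix_trusted_ips is defined` before the comparison, or make sure a `[]` default exists. When the condition is false, a previously inserted "EVOBSD PASSWORD RESTRICTIONS" block is also left in sshd_config rather than removed, so emptying the trusted-IP list no longer revokes password logins from those addresses. Separately, the deleted AllowUsers task was the only path that granted access when sshd_config already has AllowUsers but no AllowGroups; in that case `ssh_allowgroups` is false and no remaining task adds `{{ evobsd_group }}`, so that host's members of the group will not be allowed in — either convert such hosts to AllowGroups in this role or document the assumption above the AllowGroups tasks. The "Disable root login" task continues past the end of the hunk.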
@ -1,16 +1,31 @@
|
||||||
---
|
---
|
||||||
|
- name: "Group '{{ user.name }}' is present"
|
||||||
|
group:
|
||||||
|
state: present
|
||||||
|
name: "{{ user.name }}"
|
||||||
|
gid: "{{ user.uid }}"
|
||||||
|
|
||||||
- name: "User '{{ user.name }}' is present"
|
- name: "User '{{ user.name }}' is present"
|
||||||
user:
|
user:
|
||||||
state: present
|
state: present
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
uid: '{{ user.uid }}'
|
uid: '{{ user.uid }}'
|
||||||
password: '{{ user.password_hash_openbsd }}'
|
password: '{{ user.password_hash_openbsd }}'
|
||||||
|
group: "{{ user.name }}"
|
||||||
groups: wheel
|
groups: wheel
|
||||||
shell: /bin/ksh
|
shell: /bin/ksh
|
||||||
append: true
|
append: true
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
|
- name: "Home directory for '{{ user.name }}' is only accesible by owner"
|
||||||
|
file:
|
||||||
|
name: '/home/{{ user.name }}'
|
||||||
|
mode: "0700"
|
||||||
|
owner: "{{ user.name }}"
|
||||||
|
group: "{{ user.name }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
- name: "SSH public keys for '{{ user.name }}' are present"
|
- name: "SSH public keys for '{{ user.name }}' are present"
|
||||||
authorized_key:
|
authorized_key:
|
||||||
user: "{{ user.name }}"
|
user: "{{ user.name }}"
|
||||||
|
@ -23,18 +38,10 @@
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
|
- name: "Add {{ user.name }} to {{ evobsd_group }} group"
|
||||||
user:
|
user:
|
||||||
name: "{{ user.name }}"
|
name: "{{ user.name }}"
|
||||||
groups: "{{ evolinux_sudo_group }}"
|
groups: "{{ evobsd_group }}"
|
||||||
append: true
|
|
||||||
tags:
|
|
||||||
- admin
|
|
||||||
|
|
||||||
- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group"
|
|
||||||
user:
|
|
||||||
name: "{{ user.name }}"
|
|
||||||
groups: "{{ evolinux_ssh_group }}"
|
|
||||||
append: true
|
append: true
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
|
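Review bot: The "User '{{ user.name }}' is present" task in the first hunk still sets `groups: wheel` (an unchanged line), which undercuts the commit's goal that only `{{ evobsd_group }}` can escalate: on OpenBSD, wheel membership is what su(1) checks by default before allowing a switch to root, so every user created here keeps a root path that the reworked doas.conf no longer governs. If wheel membership is not intended, drop that line, or set `groups: "{{ evobsd_group }}"` there and fold the later "Add {{ user.name }} to {{ evobsd_group }} group" task into it. The new group task also uses `gid: "{{ user.uid }}"`, which presumes the uid is free as a gid on the host and is not verified anywhere visible; a comment such as `# uid is reused as the private group's gid — requires that gid to be free` would make the assumption explicit. The "SSH public keys" task continues outside the first hunk.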
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
|
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
|
||||||
permit nopass root
|
permit nopass root
|
||||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||||
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
||||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
|
||||||
|
|
|
@ -8,9 +8,6 @@
|
||||||
#
|
#
|
||||||
# general_alert_email: "root@localhost"
|
# general_alert_email: "root@localhost"
|
||||||
# general_technical_realm: "example.com"
|
# general_technical_realm: "example.com"
|
||||||
evolinux_ssh_group: "evolinux-ssh"
|
|
||||||
evolinux_sudo_group: "evolinux-sudo"
|
|
||||||
evolinux_root_disable_ssh: true
|
|
||||||
#
|
#
|
||||||
# evomaintenance_realm: "example.com"
|
# evomaintenance_realm: "example.com"
|
||||||
# evomaintenance_alert_email:
|
# evomaintenance_alert_email:
|
||||||
|
@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true
|
||||||
# evomaintenance_urgency_from: mama.doe@example.com
|
# evomaintenance_urgency_from: mama.doe@example.com
|
||||||
# evomaintenance_urgency_tel: "06.00.00.00.00"
|
# evomaintenance_urgency_tel: "06.00.00.00.00"
|
||||||
#
|
#
|
||||||
|
evobsd_group: "evolix"
|
||||||
|
#
|
||||||
# evolix_users:
|
# evolix_users:
|
||||||
# foo:
|
# foo:
|
||||||
# name: foo
|
# name: foo
|
||||||
|
|
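Review bot: The defaults gain `evobsd_group: "evolix"` in the second hunk but no default for `evolix_trusted_ips`, which the new "Security directives for EvoBSD" task compares with `[]` in its `when:`; unless it is defined in a file not shown here, the role now fails on hosts that set no trusted IPs. Adding `evolix_trusted_ips: []` next to `evobsd_group` keeps that task a no-op by default. The first hunk also drops `evolinux_root_disable_ssh: true`; if the "Disable root login" task still conditions on that variable (its `when:` is outside the visible hunks), it needs the same treatment or its condition must be removed.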