Stricter ssh and doas access - two separate groups actually needed
Fix #34 again. After some discussions, we actually need two separate groups: - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about which specific group a user needs to be added to.
parent
4a0e552691
commit
78686b8730
|
@ -1,7 +1,12 @@
|
||||||
---
|
---
|
||||||
- name: "Create {{ evobsd_group }} group"
|
- name: "Create {{ evobsd_ssh_group }} group"
|
||||||
group:
|
group:
|
||||||
name: "{{ evobsd_group }}"
|
name: "{{ evobsd_ssh_group }}"
|
||||||
|
system: true
|
||||||
|
|
||||||
|
- name: "Create {{ evobsd_sudo_group }} group"
|
||||||
|
group:
|
||||||
|
name: "{{ evobsd_sudo_group }}"
|
||||||
system: true
|
system: true
|
||||||
|
|
||||||
- name: Create user accounts
|
- name: Create user accounts
|
||||||
|
@ -35,10 +40,10 @@
|
||||||
ssh_allowgroups:
|
ssh_allowgroups:
|
||||||
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||||
|
|
||||||
- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
|
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
line: "\nAllowGroups {{ evobsd_group }}"
|
line: "\nAllowGroups {{ evobsd_ssh_group }}"
|
||||||
insertafter: 'Subsystem'
|
insertafter: 'Subsystem'
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
@ -46,11 +51,11 @@
|
||||||
- ssh_allowgroups
|
- ssh_allowgroups
|
||||||
- grep_allowgroups_ssh.rc == 1
|
- grep_allowgroups_ssh.rc == 1
|
||||||
|
|
||||||
- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
|
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
|
regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
|
||||||
replace: '\1 {{ evobsd_group }}'
|
replace: '\1 {{ evobsd_ssh_group }}'
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
|
@ -64,7 +69,7 @@
|
||||||
block: |
|
block: |
|
||||||
Match Address {{ evolix_trusted_ips | join(',') }}
|
Match Address {{ evolix_trusted_ips | join(',') }}
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
Match Group {{ evobsd_group }}
|
Match Group {{ evobsd_ssh_group }}
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
|
|
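Review bot: In the `@ -46,11 +51,11 @@` hunk the group name is interpolated into the `replace` regexp without escaping, `regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'`, so a name containing regex metacharacters (a dot, a plus, brackets) silently changes the negative lookahead and the directive is either appended on every run or never; use `{{ evobsd_ssh_group | regex_escape() }}` inside the regexp and leave the `replace:` value as it is. On hosts that were already configured with the old group, this append task adds the new group next to the existing `AllowGroups` entry but does not remove the old one, so the previous group keeps ssh access until it is cleaned up by hand or by a task; a comment stating that, or a follow-up task removing the old name, would make the migration explicit. The rename itself is applied consistently across the AllowGroups and `Match Group` hunks of this file.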
@ -38,10 +38,18 @@
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
- name: "Add {{ user.name }} to {{ evobsd_group }} group"
|
- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
|
||||||
user:
|
user:
|
||||||
name: "{{ user.name }}"
|
name: "{{ user.name }}"
|
||||||
groups: "{{ evobsd_group }}"
|
groups: "{{ evobsd_ssh_group }}"
|
||||||
|
append: true
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
|
- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
|
||||||
|
user:
|
||||||
|
name: "{{ user.name }}"
|
||||||
|
groups: "{{ evobsd_sudo_group }}"
|
||||||
append: true
|
append: true
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
|
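Review bot: Both `Add {{ user.name }} to ... group` tasks run for every user the enclosing loop yields, so each user ends up in the doas group as well as the ssh group, while the commit message says a client user is added to the ssh group only; that distinction is not enforced in this hunk. Unless the loop is already restricted to administrators outside the hunk (the loop header starts before it), the sudo-group task needs a guard such as `when: user.sudo | default(false)`, with the attribute name matched to whatever the `evolix_users` entries actually carry (the key used here is constructed). Since membership in `{{ evobsd_sudo_group }}` is now what grants root through the doas.conf template, a comment above that task, `# Membership here grants root via doas; keep it to administrators`, would help the next maintainer see the privilege boundary.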
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
|
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
|
||||||
permit nopass root
|
permit nopass root
|
||||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||||
permit nopass _collectd as root cmd /bin/cat
|
permit nopass _collectd as root cmd /bin/cat
|
||||||
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
||||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||||
|
|
|
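Review bot: The first `permit setenv {...} :{{ evobsd_sudo_group }}` rule has neither a `cmd` nor an `as` target, so members of the sudo group may run any command as root after authenticating; with the group now distinct from the ssh group, the template should say so where the rule is. Suggest `# Any command as root (password required) for the doas/sudo group; membership is managed by the users tasks` above that rule and `# Passwordless: maintenance script only` above the evomaintenance rule. Rule order matters in doas.conf because the last matching rule wins, which is why the narrower `nopass ... cmd` rule must stay below the broad group rule as the hunk already has it.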
@ -24,7 +24,8 @@
|
||||||
# evomaintenance_urgency_from: mama.doe@example.com
|
# evomaintenance_urgency_from: mama.doe@example.com
|
||||||
# evomaintenance_urgency_tel: "06.00.00.00.00"
|
# evomaintenance_urgency_tel: "06.00.00.00.00"
|
||||||
#
|
#
|
||||||
evobsd_group: "evolix"
|
# evobsd_ssh_group: "foo-ssh"
|
||||||
|
# evobsd_sudo_group: "foo-sudo"
|
||||||
#
|
#
|
||||||
# evolix_users:
|
# evolix_users:
|
||||||
# foo:
|
# foo:
|
||||||
|
|
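Review bot: The live `evobsd_group: "evolix"` definition is replaced by two commented-out examples, so unless `evobsd_ssh_group` and `evobsd_sudo_group` are defined somewhere this page does not show (a defaults file, inventory or group_vars), every `{{ evobsd_ssh_group }}` and `{{ evobsd_sudo_group }}` reference fails with an undefined variable at the first group-creation task. If forcing callers to pick their own names is intended, state it next to the examples, e.g. `# Required: evobsd_ssh_group (sshd AllowGroups) and evobsd_sudo_group (doas root access) must both be set`; otherwise keep live defaults for both. The quoted example values are fine as written.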