Stricter ssh and doas access - two separate groups actually needed
Fix #34 again. After some discussions, we actually need two separate groups: one group for ssh access (evobsd_ssh_group) and one group for sudo/doas access (evobsd_sudo_group). We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about which specific group a user needs to be added to.
parent
4a0e552691
commit
78686b8730
|
@ -1,7 +1,12 @@
|
|||
---
|
||||
- name: "Create {{ evobsd_group }} group"
|
||||
- name: "Create {{ evobsd_ssh_group }} group"
|
||||
group:
|
||||
name: "{{ evobsd_group }}"
|
||||
name: "{{ evobsd_ssh_group }}"
|
||||
system: true
|
||||
|
||||
- name: "Create {{ evobsd_sudo_group }} group"
|
||||
group:
|
||||
name: "{{ evobsd_sudo_group }}"
|
||||
system: true
|
||||
|
||||
- name: Create user accounts
|
||||
|
@ -35,10 +40,10 @@
|
|||
ssh_allowgroups:
|
||||
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
|
||||
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowGroups {{ evobsd_group }}"
|
||||
line: "\nAllowGroups {{ evobsd_ssh_group }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
|
@ -46,11 +51,11 @@
|
|||
- ssh_allowgroups
|
||||
- grep_allowgroups_ssh.rc == 1
|
||||
|
||||
- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
|
||||
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
|
||||
replace: '\1 {{ evobsd_group }}'
|
||||
regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
|
||||
replace: '\1 {{ evobsd_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
|
@ -64,7 +69,7 @@
|
|||
block: |
|
||||
Match Address {{ evolix_trusted_ips | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group {{ evobsd_group }}
|
||||
Match Group {{ evobsd_ssh_group }}
|
||||
PasswordAuthentication no
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
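Review bot: The group name is interpolated into the `regexp:` of the Append task unescaped (`regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'`); a defensive `{{ evobsd_ssh_group | regex_escape }}` keeps a name containing regex metacharacters from changing the match, and the `\b` boundaries also treat a group that is a hyphen-separated prefix of an already listed group (for example `foo` against `AllowGroups foo-sudo`) as present, so it is never appended. With the two previous hunks `AllowGroups` now only ever lists the ssh group, so an account placed solely in `evobsd_sudo_group` cannot log in at all; that matches the commit message but deserves a comment on the Add AllowGroups task, such as `# Only {{ evobsd_ssh_group }} grants ssh login; evobsd_sudo_group grants doas only and is deliberately absent here`. The `when:` block of the Append task continues outside the hunk.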
|
|
|
@ -38,10 +38,18 @@
|
|||
tags:
|
||||
- admin
|
||||
|
||||
- name: "Add {{ user.name }} to {{ evobsd_group }} group"
|
||||
- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
|
||||
user:
|
||||
name: "{{ user.name }}"
|
||||
groups: "{{ evobsd_group }}"
|
||||
groups: "{{ evobsd_ssh_group }}"
|
||||
append: true
|
||||
tags:
|
||||
- admin
|
||||
|
||||
- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
|
||||
user:
|
||||
name: "{{ user.name }}"
|
||||
groups: "{{ evobsd_sudo_group }}"
|
||||
append: true
|
||||
tags:
|
||||
- admin
|
||||
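Review bot: Both new tasks run for the same `user.name` with no `when:` visible, so every account this file handles lands in `evobsd_sudo_group` as well as `evobsd_ssh_group`; if the file is included once per entry of the users list (the loop is outside the hunk), the client accounts the commit message says only need ssh still receive doas access and the split between the two groups buys nothing. A per-user opt-in on the doas task, e.g. `when: user.sudo | default(false)` (with `sudo` as a constructed key name to add to each user entry), keeps the escalation decision explicit per account. A comment above the doas task such as `# membership grants root via doas; keep this list to administrators` would also help the next reader.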
|
|
|
@ -1,7 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
|
||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
|
||||
permit nopass root
|
||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||
permit nopass _collectd as root cmd /bin/cat
|
||||
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||
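Review bot: Every rule that grants root now names `:{{ evobsd_sudo_group }}`, so membership in `evobsd_ssh_group` alone no longer reaches doas; a header comment in the template stating this would spare the next reader a trip to the tasks, e.g. `# root access is limited to members of {{ evobsd_sudo_group }}; {{ evobsd_ssh_group }} only allows ssh login`. An empty `evobsd_sudo_group` would render a bare `:` and break the file; the task that deploys this template is outside the hunk, so if it does not already use `validate: 'doas -C %s'` it should, because a malformed doas.conf denies every escalation on the host.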
|
|
|
@ -24,7 +24,8 @@
|
|||
# evomaintenance_urgency_from: mama.doe@example.com
|
||||
# evomaintenance_urgency_tel: "06.00.00.00.00"
|
||||
#
|
||||
evobsd_group: "evolix"
|
||||
# evobsd_ssh_group: "foo-ssh"
|
||||
# evobsd_sudo_group: "foo-sudo"
|
||||
#
|
||||
# evolix_users:
|
||||
# foo:
|
||||
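Review bot: Renaming `evobsd_group` into two variables is a breaking change for any inventory that still sets `evobsd_group`; nothing in the commit rejects the old name, so such an inventory silently falls back to the role defaults (not shown in this hunk) and the operator's chosen group name is ignored. An early `assert` that `evobsd_group is not defined` with a message pointing to the new names, or at least a line in this example such as `# evobsd_group was replaced by evobsd_ssh_group and evobsd_sudo_group`, would make the migration visible. The hunk also turns a previously active line into comments, so this file no longer pins either group name; if the comments are meant as documentation, state which default applies.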
|
|