Add stricter ssh and doas access

4 years ago · 8b1ce861e3
parent d736455327
commit 8b1ce861e3
5 changed files with 93 additions and 6 deletions
--- a/roles/accounts/handlers/main.yml
+++ b/roles/accounts/handlers/main.yml
@ -0,0 +1,6 @@
+---
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@ -1,7 +1,75 @@
 ---
+- name: "Create {{ evolinux_sudo_group }}"
+  group:
+    name: "{{ evolinux_sudo_group }}"
+    system: true
+
 - name: Create user accounts
  include: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolinux_users }}"
-  when: evolinux_users != {}
+  when: evolinux_users != {}
+
+- name: verify AllowGroups directive
+  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: grep_allowgroups_ssh
+
+- name: verify AllowUsers directive
+  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: grep_allowusers_ssh
+
+- assert:
+    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
+    msg: "We can't deal with AllowUsers and AllowGroups at the same time"
+
+- set_fact:
+    # If "AllowGroups is present"
+    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - ssh_allowgroups
+    - grep_allowgroups_ssh.rc == 1
+
+- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
+    replace: '\1 {{ evolinux_ssh_group }}'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - ssh_allowgroups
+    - grep_allowgroups_ssh.rc == 0
+
+- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
+    replace: '\1 {{ item.name }}'
+    validate: '/usr/sbin/sshd -t -f %s'
+  with_dict: "{{ evolinux_users }}"
+  notify: reload sshd
+  when:
+    - not ssh_allowgroups
+    - grep_allowusers_ssh == 1
+
+- name: disable root login
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+    replace: "PermitRootLogin no"
+  notify: reload sshd
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
@ -7,7 +7,7 @@
    password: '{{ user.password_hash_openbsd }}'
    groups: wheel
    shell: /bin/ksh
-    append: yes
+    append: true
  tags:
    - admin

@ -21,4 +21,12 @@
    loop_var: ssk_key
  when: user.ssh_keys is defined
  tags:
-    - admin
+    - admin
+
+- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
+  user:
+    name: "{{ user.name }}"
+    groups: "{{ evolinux_sudo_group }}"
+    append: true
+  tags:
+    - admin
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@ -1,7 +1,7 @@
 # {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel
+permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
 permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd
--- a/vars/main.yml
+++ b/vars/main.yml
@ -2,12 +2,17 @@
 ########################################################
 ## Edit and uncomment to overwrite the default values ##
 ########################################################
-
+general_alert_email: "alert4@evolix.net"
+general_technical_realm: "evolix.ca"
+evomaintenance_realm: "evolix.fr"
 #ntpd_servers:
 #- "ntp.evolix.net"
 #
 #general_alert_email: "root@localhost"
 #general_technical_realm: "example.com"
+evolinux_ssh_group: "evolinux-ssh"
+evolinux_sudo_group: "evolinux-sudo"
+evolinux_root_disable_ssh: true
 #
 #evomaintenance_realm: "example.com"
 #evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"