Add stricter ssh and doas access
This commit is contained in:
parent
d736455327
commit
8b1ce861e3
6
roles/accounts/handlers/main.yml
Normal file
6
roles/accounts/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: reload sshd
|
||||||
|
service:
|
||||||
|
name: sshd
|
||||||
|
state: reloaded
|
|
@ -1,7 +1,75 @@
|
||||||
---
|
---
|
||||||
|
- name: "Create {{ evolinux_sudo_group }}"
|
||||||
|
group:
|
||||||
|
name: "{{ evolinux_sudo_group }}"
|
||||||
|
system: true
|
||||||
|
|
||||||
- name: Create user accounts
|
- name: Create user accounts
|
||||||
include: user.yml
|
include: user.yml
|
||||||
vars:
|
vars:
|
||||||
user: "{{ item.value }}"
|
user: "{{ item.value }}"
|
||||||
with_dict: "{{ evolinux_users }}"
|
with_dict: "{{ evolinux_users }}"
|
||||||
when: evolinux_users != {}
|
when: evolinux_users != {}
|
||||||
|
|
||||||
|
- name: verify AllowGroups directive
|
||||||
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
check_mode: false
|
||||||
|
register: grep_allowgroups_ssh
|
||||||
|
|
||||||
|
- name: verify AllowUsers directive
|
||||||
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
check_mode: false
|
||||||
|
register: grep_allowusers_ssh
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
||||||
|
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
# If "AllowGroups is present"
|
||||||
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||||
|
|
||||||
|
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||||
|
insertafter: 'Subsystem'
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- ssh_allowgroups
|
||||||
|
- grep_allowgroups_ssh.rc == 1
|
||||||
|
|
||||||
|
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||||
|
replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||||
|
replace: '\1 {{ evolinux_ssh_group }}'
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- ssh_allowgroups
|
||||||
|
- grep_allowgroups_ssh.rc == 0
|
||||||
|
|
||||||
|
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
||||||
|
replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
|
||||||
|
replace: '\1 {{ item.name }}'
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
with_dict: "{{ evolinux_users }}"
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- not ssh_allowgroups
|
||||||
|
- grep_allowusers_ssh == 1
|
||||||
|
|
||||||
|
- name: disable root login
|
||||||
|
replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
|
replace: "PermitRootLogin no"
|
||||||
|
notify: reload sshd
|
||||||
|
|
|
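Review bot: The "Add AllowGroups sshd directive" and "Append ... to AllowGroups" tasks restrict SSH to `{{ evolinux_ssh_group }}`, but nothing in this commit creates that group or adds any account to it — the `group:` task at the top and the new user.yml task only handle `evolinux_sudo_group` — so on a host where `evolinux-ssh` does not already exist the play writes `AllowGroups evolinux-ssh`, passes `sshd -t` (which as far as I know does not check that listed groups exist), sets `PermitRootLogin no` and reloads sshd, locking every account out. Create the SSH group and add the managed users to it before any sshd_config edit, or assert the group exists and is non-empty before the lineinfile/replace tasks run. Separately, the "Append ... to AllowUsers" task can never fire: its condition `grep_allowusers_ssh == 1` compares the whole registered result to an integer, and `item.name` is undefined under `with_dict` (user.yml reads `item.value`); it should be `- grep_allowusers_ssh.rc == 0` and `{{ item.value.name }}`. The "disable root login" task is also the only sshd edit without `validate: '/usr/sbin/sshd -t -f %s'`; add it for consistency with the other tasks.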
@ -7,7 +7,7 @@
|
||||||
password: '{{ user.password_hash_openbsd }}'
|
password: '{{ user.password_hash_openbsd }}'
|
||||||
groups: wheel
|
groups: wheel
|
||||||
shell: /bin/ksh
|
shell: /bin/ksh
|
||||||
append: yes
|
append: true
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
|
@ -21,4 +21,12 @@
|
||||||
loop_var: ssk_key
|
loop_var: ssk_key
|
||||||
when: user.ssh_keys is defined
|
when: user.ssh_keys is defined
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
|
- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
|
||||||
|
user:
|
||||||
|
name: "{{ user.name }}"
|
||||||
|
groups: "{{ evolinux_sudo_group }}"
|
||||||
|
append: true
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
|
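Review bot: The new task adds every account in `evolinux_users` to `{{ evolinux_sudo_group }}` unconditionally, while the account task just above (its head is outside the hunk) still sets `groups: wheel` with `append: true`, so after this commit each user is in both groups; since this role appears to target OpenBSD (`/bin/ksh`, doas), wheel membership still allows `su` to root, and the doas change only moves the permit rule from `:wheel` to the new group, so access is not actually stricter for these accounts. If a separate root-capable group is the goal, drop `wheel` from the `groups:` line of the user task, and consider gating the new task on a per-user flag, e.g. `when: user.sudo | default(false) | bool`, so that not every managed login is root-capable by default. A short comment on the new task stating that membership grants unrestricted root via doas.conf would make the consequence obvious to the next editor.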
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel
|
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
|
||||||
permit nopass root
|
permit nopass root
|
||||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh
|
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||||
permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
|
permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
|
||||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd
|
||||||
|
|
|
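Review bot: Rendering `:{{ evolinux_sudo_group }}` into the two permit rules means an empty or undefined variable yields `permit ... :`, which doas refuses to parse — and a doas.conf parse error denies everything, including the `nopass root` and `_nrpe` rules, not just the group rules. The task that deploys this template is not in this diff; if it does not already, give it `validate: 'doas -C %s'` and make sure it runs only after the group has been created on the host. It would also help to document at the top of the template which group is now root-capable, e.g. `# Members of {{ evolinux_sudo_group }} get unrestricted root via doas; wheel is intentionally not referenced here`.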
@ -2,12 +2,17 @@
|
||||||
########################################################
|
########################################################
|
||||||
## Edit and uncomment to overwrite the default values ##
|
## Edit and uncomment to overwrite the default values ##
|
||||||
########################################################
|
########################################################
|
||||||
|
general_alert_email: "alert4@evolix.net"
|
||||||
|
general_technical_realm: "evolix.ca"
|
||||||
|
evomaintenance_realm: "evolix.fr"
|
||||||
#ntpd_servers:
|
#ntpd_servers:
|
||||||
#- "ntp.evolix.net"
|
#- "ntp.evolix.net"
|
||||||
#
|
#
|
||||||
#general_alert_email: "root@localhost"
|
#general_alert_email: "root@localhost"
|
||||||
#general_technical_realm: "example.com"
|
#general_technical_realm: "example.com"
|
||||||
|
evolinux_ssh_group: "evolinux-ssh"
|
||||||
|
evolinux_sudo_group: "evolinux-sudo"
|
||||||
|
evolinux_root_disable_ssh: true
|
||||||
#
|
#
|
||||||
#evomaintenance_realm: "example.com"
|
#evomaintenance_realm: "example.com"
|
||||||
#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
|
#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
|
||||||
|
|
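Review bot: `evolinux_root_disable_ssh: true` is declared here but the "disable root login" task added in the accounts role runs unconditionally and never reads it, so the toggle is dead as committed; add `when: evolinux_root_disable_ssh | bool` to that task or drop the variable. The three lines uncommented at the top (`general_alert_email: "alert4@evolix.net"`, `general_technical_realm: "evolix.ca"`, `evomaintenance_realm: "evolix.fr"`) contradict the file's own "Edit and uncomment to overwrite the default values" header and look like a local configuration committed by accident; they should be re-commented or moved to an inventory-specific vars file rather than shipped as defaults.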