Add stricter ssh and doas access

This commit is contained in:
Patrick Marchand 2019-09-19 17:07:01 -04:00
parent d736455327
commit 8b1ce861e3
5 changed files with 93 additions and 6 deletions


@ -0,0 +1,6 @@
---
- name: reload sshd
service:
name: sshd
state: reloaded


@ -1,7 +1,75 @@
---
- name: "Create {{ evolinux_sudo_group }}"
group:
name: "{{ evolinux_sudo_group }}"
system: true
- name: Create user accounts
include: user.yml
vars:
user: "{{ item.value }}"
with_dict: "{{ evolinux_users }}"
when: evolinux_users != {}
when: evolinux_users != {}
- name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
changed_when: false
failed_when: false
check_mode: false
register: grep_allowgroups_ssh
- name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: false
failed_when: false
check_mode: false
register: grep_allowusers_ssh
- assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
- set_fact:
# If "AllowGroups is present"
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evolinux_ssh_group }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 1
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
replace: '\1 {{ evolinux_ssh_group }}'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 0
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
replace: '\1 {{ item.name }}'
validate: '/usr/sbin/sshd -t -f %s'
with_dict: "{{ evolinux_users }}"
notify: reload sshd
when:
- not ssh_allowgroups
- grep_allowusers_ssh == 1
- name: disable root login
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
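Review bot: The last condition of the "Append … to AllowUsers" task, `grep_allowusers_ssh == 1`, compares the whole registered result with an integer instead of its return code, so it is never true and the task is effectively dead; mirroring the AllowGroups branch a few lines above, it should read `- grep_allowusers_ssh.rc == 0` (rc 0 is the case where a directive exists to append to). The `disable root login` task is the only sshd_config edit in this hunk without `validate: '/usr/sbin/sshd -t -f %s'`, and its regexp only matches an active `PermitRootLogin` line, so a host still on the commented-out default is left unchanged; a `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: 'PermitRootLogin no'` would cover both cases. That task also carries no `when:` on `evolinux_root_disable_ssh`, which this commit introduces in the vars file, so as far as this hunk shows the new variable is not consumed; if it is meant to gate the task, add `when: evolinux_root_disable_ssh`.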


@ -7,7 +7,7 @@
password: '{{ user.password_hash_openbsd }}'
groups: wheel
shell: /bin/ksh
append: yes
append: true
tags:
- admin
@ -21,4 +21,12 @@
loop_var: ssk_key
when: user.ssh_keys is defined
tags:
- admin
- admin
- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
user:
name: "{{ user.name }}"
groups: "{{ evolinux_sudo_group }}"
append: true
tags:
- admin
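Review bot: Nothing in this task file adds the user to `{{ evolinux_ssh_group }}`, while the sshd tasks in the same commit add `AllowGroups {{ evolinux_ssh_group }}`; unless membership is granted elsewhere, members of `evolinux_users` would be locked out of SSH once sshd reloads, and `sshd -t` does not check that the group exists. A sibling task with `groups: "{{ evolinux_ssh_group }}"` and `append: true`, or listing both groups in the new task, would close that gap. The first hunk's context line still creates the account with `groups: wheel` while the doas rules move from `:wheel` to the new sudo group, so wheel membership (which on OpenBSD is what `su` to root checks) stays granted alongside the new group — worth confirming that is intended. The enclosing task list begins before the first hunk.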


@ -1,7 +1,7 @@
# {{ ansible_managed }}
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
permit nopass root
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd


@ -2,12 +2,17 @@
########################################################
## Edit and uncomment to overwrite the default values ##
########################################################
general_alert_email: "alert4@evolix.net"
general_technical_realm: "evolix.ca"
evomaintenance_realm: "evolix.fr"
#ntpd_servers:
#- "ntp.evolix.net"
#
#general_alert_email: "root@localhost"
#general_technical_realm: "example.com"
evolinux_ssh_group: "evolinux-ssh"
evolinux_sudo_group: "evolinux-sudo"
evolinux_root_disable_ssh: true
#
#evomaintenance_realm: "example.com"
#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"