From 8b1ce861e3a95bd532c82bebb295c42afec5ffdb Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 19 Sep 2019 17:07:01 -0400 Subject: [PATCH 1/2] Add stricter ssh and doas access --- roles/accounts/handlers/main.yml | 6 +++ roles/accounts/tasks/main.yml | 70 ++++++++++++++++++++++++++++++- roles/accounts/tasks/user.yml | 12 +++++- roles/base/templates/doas.conf.j2 | 4 +- vars/main.yml | 7 +++- 5 files changed, 93 insertions(+), 6 deletions(-) create mode 100644 roles/accounts/handlers/main.yml diff --git a/roles/accounts/handlers/main.yml b/roles/accounts/handlers/main.yml new file mode 100644 index 0000000..5d24c46 --- /dev/null +++ b/roles/accounts/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: reload sshd + service: + name: sshd + state: reloaded diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 0524374..4805b2a 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml 
@@ -1,7 +1,75 @@ --- +- name: "Create {{ evolinux_sudo_group }}" + group: + name: "{{ evolinux_sudo_group }}" + system: true + - name: Create user accounts include: user.yml vars: user: "{{ item.value }}" with_dict: "{{ evolinux_users }}" - when: evolinux_users != {} \ No newline at end of file + when: evolinux_users != {} + +- name: verify AllowGroups directive + command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + changed_when: false + failed_when: false + check_mode: false + register: grep_allowgroups_ssh + +- name: verify AllowUsers directive + command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + changed_when: false + failed_when: false + check_mode: false + register: grep_allowusers_ssh + +- assert: + that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" + msg: "We can't deal with AllowUsers and AllowGroups at the same time" + +- set_fact: + # If "AllowGroups is present" + ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" + +- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowGroups {{ evolinux_ssh_group }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - ssh_allowgroups + - grep_allowgroups_ssh.rc == 1 + +- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - ssh_allowgroups + - grep_allowgroups_ssh.rc == 0 + +- name: "Append '{{ item.name }}' to AllowUsers sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$' + replace: '\1 {{ item.name }}' + validate: '/usr/sbin/sshd -t -f %s' + with_dict: "{{ evolinux_users }}" + notify: reload sshd + when: + - not ssh_allowgroups + - 
grep_allowusers_ssh == 1 + +- name: disable root login + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + replace: "PermitRootLogin no" + notify: reload sshd diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml index 109c8a5..03af553 100644 --- a/roles/accounts/tasks/user.yml +++ b/roles/accounts/tasks/user.yml @@ -7,7 +7,7 @@ password: '{{ user.password_hash_openbsd }}' groups: wheel shell: /bin/ksh - append: yes + append: true tags: - admin @@ -21,4 +21,12 @@ loop_var: ssk_key when: user.ssh_keys is defined tags: - - admin \ No newline at end of file + - admin + +- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group" + user: + name: "{{ user.name }}" + groups: "{{ evolinux_sudo_group }}" + append: true + tags: + - admin diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 1a56e79..67241cc 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} -permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel +permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }} permit nopass root -permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh +permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh permit nopass _nrpe as root cmd /sbin/bioctl args sd2 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd diff --git a/vars/main.yml b/vars/main.yml index ed3fb9f..fff786a 100644 --- a/vars/main.yml +++ b/vars/main.yml 
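Review bot: The "Append to AllowUsers" task can never run as written: its last `when` clause compares the whole registered result to an integer (`grep_allowusers_ssh == 1`) instead of its return code, and since `not ssh_allowgroups` already means the directive is present, the test should be `- grep_allowusers_ssh.rc == 0`; with `with_dict` each item is a key/value pair, so `item.name` is also undefined and should be `item.value.name` (user.yml reads `user.name` from `item.value`). More seriously, the two AllowGroups tasks write `AllowGroups {{ evolinux_ssh_group }}` into sshd_config, but nothing in this patch creates that group or adds any account to it (user.yml only adds users to `evolinux_sudo_group`), and `sshd -t` validates syntax, not membership — on a host that had neither directive this locks every account out of SSH as soon as the handler reloads, and where an explicit PermitRootLogin line exists root is cut off in the same run. The "disable root login" task only rewrites an explicit `PermitRootLogin yes|without-password|prohibit-password` line, so a commented default such as `#PermitRootLogin prohibit-password` is left alone and root key login stays permitted; unlike its siblings it also runs without `validate:` and never consults the new `evolinux_root_disable_ssh` variable. Consider `regexp: '^#?PermitRootLogin\b.*'`, `validate: '/usr/sbin/sshd -t -f %s'` and `when: evolinux_root_disable_ssh | bool` on that task.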
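Review bot: The new task adds `{{ user.name }}` to `evolinux_sudo_group` only, while tasks/main.yml in the same series restricts sshd with `AllowGroups {{ evolinux_ssh_group }}`; as far as the patch shows, no task ever creates that group or puts a user into it, so accounts created here end up with doas rights but no SSH access once sshd is reloaded. Add the SSH group next to the sudo group, e.g. `groups: "{{ evolinux_ssh_group }},{{ evolinux_sudo_group }}"` with `append: true`, and make sure the group is created first, since the `user` module fails on an unknown group. The first task still sets `groups: wheel`, so users remain in wheel even though doas.conf no longer grants wheel anything; if that is intentional (e.g. for `su`), a one-line comment saying so would save the next reader from "fixing" it.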
@@ -2,12 +2,17 @@ ######################################################## ## Edit and uncomment to overwrite the default values ## ######################################################## - +general_alert_email: "alert4@evolix.net" +general_technical_realm: "evolix.ca" +evomaintenance_realm: "evolix.fr" #ntpd_servers: #- "ntp.evolix.net" # #general_alert_email: "root@localhost" #general_technical_realm: "example.com" +evolinux_ssh_group: "evolinux-ssh" +evolinux_sudo_group: "evolinux-sudo" +evolinux_root_disable_ssh: true # #evomaintenance_realm: "example.com" #evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" From 67d6c0ab622e7c55c0e5a84f177db820ad606b06 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 19 Sep 2019 17:12:21 -0400 Subject: [PATCH 2/2] revert forgotten extra variables in main --- vars/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index fff786a..098a8d2 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -2,9 +2,7 @@ ######################################################## ## Edit and uncomment to overwrite the default values ## ######################################################## -general_alert_email: "alert4@evolix.net" -general_technical_realm: "evolix.ca" -evomaintenance_realm: "evolix.fr" + #ntpd_servers: #- "ntp.evolix.net" #
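Review bot: `evolinux_root_disable_ssh: true` is defined here but nothing in the series reads it — the "disable root login" task in roles/accounts/tasks/main.yml has no `when`, so this flag cannot switch that behaviour off; either guard that task with `when: evolinux_root_disable_ssh | bool` or drop the variable so nobody assumes it is honoured. The three new keys are also placed uncommented under the "Edit and uncomment to overwrite the default values" banner, which presents them as site overrides rather than the defaults they appear to be; a short comment above them, e.g. `# Groups that gate sshd (AllowGroups) and doas; both must exist before sshd is reloaded`, would make their purpose and the lockout risk visible.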