evolix/EvoBSD
21
0
Fork 0
Code Issues 2 Pull requests Releases 3 Wiki Activity
EvoBSD/roles/base/templates/doas.conf.j2
Jérémy Dubois 2bf8a7e872
Some checks failed
continuous-integration/drone/push Build is failing
Details
Stricter ssh and doas access - better version 
Fix #34

We now use a unique evobsd_group (evolix by default).
Each user has 2 groups : evobsd_group and user.name.
Only evobsd_group can ssh to server and use doas.

I also added a password restrictions block for IPs/group.
And we make sure the home folder is only readable by owner.
2020-10-13 16:03:54 +02:00

17 lines
1.2 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
permit nopass root
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
permit nopass _collectd as root cmd /usr/sbin/bgpctl
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
Reference in a new issue View git blame Copy permalink