evolinux-users: improve SSH configuration

2024-05-07 15:11:09 +02:00 · 2024-05-07 15:11:09 +02:00 · 346317081e
parent 5be04c36ee
commit 346317081e
4 changed files with 159 additions and 45 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,6 +19,7 @@ The **patch** part is incremented if multiple releases happen the same month

 * evobackup-client: upstream release 24.05
 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
+* evolinux-users: improve SSH configuration

 ### Fixed

--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@ -1,8 +1,23 @@
 ---

+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+- ansible.builtin.debug:
+    var: _ssh_config_paths
+    verbosity: 1
+
+############################
+# AllowUsers or AllowGroups
+############################
+
 - name: verify AllowGroups directive
  ansible.builtin.command:
-    cmd: "grep -Er '^AllowGroups' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
@ -14,7 +29,7 @@

 - name: verify AllowUsers directive
  ansible.builtin.command:
-    cmd: "grep -Er '^AllowUsers' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
@ -42,12 +57,14 @@
    var: ssh_allowusers
    verbosity: 1

- ansible.builtin.include: ssh_allowgroups.yml
+- name: Configure SSH in AllowGroups mode
+  ansible.builtin.include: ssh_allowgroups.yml
  when:
    - ssh_allowgroups
    - not ssh_allowusers

- ansible.builtin.include: ssh_allowusers.yml
+- name: Configure SSH in AllowUsers mode
+  ansible.builtin.include: ssh_allowusers.yml
  vars:
    user: "{{ item.value }}"
  loop: "{{ evolinux_users | dict2items }}"
@ -56,7 +73,24 @@
    - ssh_allowusers
    - not ssh_allowgroups

- name: disable root login
+# Do this again, to update the value
+
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+##################
+# PermitRootLogin
+##################
+
+### For Debian < 12
+#   if there is a commented value for PermitRootLogin
+#   we replace it with a "no"
+
+- name: Root login is disabled (Debian < 12)
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
@ -64,11 +98,15 @@
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
-    - ansible_distribution_major_version is version('11', '<=')
+    - ansible_distribution_major_version is version('12', '<')
+
+### For Debian >= 12
+#   if there is no value for PermitRootLogin (anywhere)
+#   we add a "no" in z-evolinux-users.conf 

 - name: verify PermitRootLogin directive (Debian >= 12)
  ansible.builtin.command:
-    cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
@ -76,12 +114,7 @@
  when:
    - ansible_distribution_major_version is version('12', '>=')

-# TODO avertir lorsque PermitRootLogin est déjà configuré?
- ansible.builtin.debug:
-    var: grep_permitrootlogin_ssh
-    verbosity: 1
-
- name: disable root login (Debian >= 12)
+- name: Root login is disabled (Debian >= 12)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
    line: "PermitRootLogin no"
@ -93,6 +126,48 @@
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')
-    - grep_permitrootlogin_ssh.rc == 1
+    - grep_permitrootlogin_ssh.rc != 0
+
+#####################
+# Allow current user 
+#####################
+
+- name: Allow current user
+  block:
+  - name: Check if evolinux ssh group is used
+    ansible.builtin.command:
+      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
+    changed_when: False
+    failed_when: False
+    check_mode: no
+    register: grep_evolinux_group_ssh
+
+  - debug:
+      var: grep_evolinux_group_ssh
+
+  - name: "Get current user's login"
+    ansible.builtin.command:
+      cmd: logname
+    changed_when: False
+    register: _logname
+    check_mode: no
+
+  - debug:
+      var: evolinux_ssh_group
+
+  - debug:
+      var: evolinux_ssh_allow_current_user
+
+  - name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
+    ansible.builtin.user:
+      name: "{{ _logname.stdout }}"
+      groups: "{{ evolinux_ssh_group }}"
+      append: yes
+    when:
+      - grep_evolinux_group_ssh.rc == 0
+  when:
+    - evolinux_ssh_group is defined
+    - evolinux_ssh_group | length > 0
+    - evolinux_ssh_allow_current_user | bool

 - ansible.builtin.meta: flush_handlers
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@ -1,18 +1,27 @@
 ---

+###
 # this check must be repeated for each user
 # even if it's been done before
+
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
 - name: verify AllowGroups directive
  ansible.builtin.command:
-    cmd: "grep -Er '^AllowGroups' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_allowgroups_ssh
-  when:
-    - ansible_distribution_major_version is version('11', '<=')

- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+###
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian < 12)"
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evolinux_ssh_group }}"
@ -21,25 +30,25 @@
  notify: reload sshd
  when:
    - ansible_distribution_major_version is version('11', '<=')
-    - grep_allowgroups_ssh.rc != 0
+    - grep_allowgroups_ssh.rc == 1 # Not found
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    validate: '/usr/sbin/sshd -t -f %s'
+    create: yes
+  notify: reload sshd
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+    - grep_allowgroups_ssh.rc == 1 # Not found

 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
    replace: '\1 {{ evolinux_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
-    - ansible_distribution_major_version is version('11', '<=')
-    - grep_allowgroups_ssh.rc == 0
-
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
-    line: "AllowGroups {{ evolinux_ssh_group }}"
-    create: yes
-    mode: "0644"
-    validate: '/usr/sbin/sshd -t -f %s'
-  when:
-    - ansible_distribution_major_version is version('12', '>=')
+    - grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2 # Found, return code can be 0 or 2
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ b/evolinux-users/tasks/ssh_allowusers.yml
@ -1,55 +1,84 @@
 ---

-# this check must be repeated for each user
+###
+# these checks must be repeated for each user
 # even if it's been done before
- name: verify AllowUsers directive
+
+- name: Fetch SSHd config files
  ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+- name: Verify AllowUsers directive
+  ansible.builtin.command:
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_allowusers_ssh

- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
+###
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian < 12)"
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowUsers {{ user.name }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: grep_allowusers_ssh.rc != 0
+  when:
+    - grep_allowusers_ssh.rc != 0
+    - ansible_distribution_major_version is version('12', '<')
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian >= 12)"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "\nAllowUsers {{ user.name }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - grep_allowusers_ssh.rc != 0
+    - ansible_distribution_major_version is version('12', '>=')

 - name: "Append '{{ user.name }}' to AllowUsers sshd directive"
  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
    regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
    replace: '\1 {{ user.name }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: grep_allowusers_ssh.rc == 0
+  when:
+    - grep_allowusers_ssh.rc == 0

 - name: "verify Match User directive"
  ansible.builtin.command:
-    cmd: "grep -E '^Match User' /etc/ssh/sshd_config"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^Match User' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_matchuser_ssh

- name: "Add Match User sshd directive with '{{ user.name }}'"
+- name: "Add Match User sshd directive with '{{ user.name }}' (Debian <= 10)"
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nMatch User {{ user.name }}\n    PasswordAuthentication no"
    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: grep_matchuser_ssh.rc != 0
+  when:
+    - grep_matchuser_ssh.rc != 0
+    - ansible_distribution_major_version is version('10', '<=')

- name: "Append '{{ user.name }}' to Match User's sshd directive"
+- name: "Append '{{ user.name }}' to Match User's sshd directive (Debian <= 10)"
  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_matchuser_ssh.stdout_lines[0] }}"
    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
    replace: '\1,{{ user.name }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: grep_matchuser_ssh.rc == 0
+  when:
+    - grep_matchuser_ssh.rc == 0
+    - ansible_distribution_major_version is version('10', '<=')