evolinux-users: improve SSH configuration
This commit is contained in:
parent
5be04c36ee
commit
346317081e
|
@ -19,6 +19,7 @@ The **patch** part is incremented if multiple releases happen the same month
|
|||
|
||||
* evobackup-client: upstream release 24.05
|
||||
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
|
||||
* evolinux-users: improve SSH configuration
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -1,8 +1,23 @@
|
|||
---
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
- ansible.builtin.debug:
|
||||
var: _ssh_config_paths
|
||||
verbosity: 1
|
||||
|
||||
############################
|
||||
# AllowUsers or AllowGroups
|
||||
############################
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -14,7 +29,7 @@
|
|||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^AllowUsers' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -42,12 +57,14 @@
|
|||
var: ssh_allowusers
|
||||
verbosity: 1
|
||||
|
||||
- ansible.builtin.include: ssh_allowgroups.yml
|
||||
- name: Configure SSH in AllowGroups mode
|
||||
ansible.builtin.include: ssh_allowgroups.yml
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- not ssh_allowusers
|
||||
|
||||
- ansible.builtin.include: ssh_allowusers.yml
|
||||
- name: Configure SSH in AllowUsers mode
|
||||
ansible.builtin.include: ssh_allowusers.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
|
@ -56,7 +73,24 @@
|
|||
- ssh_allowusers
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: disable root login
|
||||
# Do this again, to update the value
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
##################
|
||||
# PermitRootLogin
|
||||
##################
|
||||
|
||||
### For Debian < 12
|
||||
# if there is a commented value for PermitRootLogin
|
||||
# we replace it with a "no"
|
||||
|
||||
- name: Root login is disabled (Debian < 12)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
|
@ -64,11 +98,15 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- ansible_distribution_major_version is version('12', '<')
|
||||
|
||||
### For Debian >= 12
|
||||
# if there is no value for PermitRootLogin (anywhere)
|
||||
# we add a "no" in z-evolinux-users.conf
|
||||
|
||||
- name: verify PermitRootLogin directive (Debian >= 12)
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -76,12 +114,7 @@
|
|||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
# TODO avertir lorsque PermitRootLogin est déjà configuré?
|
||||
- ansible.builtin.debug:
|
||||
var: grep_permitrootlogin_ssh
|
||||
verbosity: 1
|
||||
|
||||
- name: disable root login (Debian >= 12)
|
||||
- name: Root login is disabled (Debian >= 12)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "PermitRootLogin no"
|
||||
|
@ -93,6 +126,48 @@
|
|||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_permitrootlogin_ssh.rc == 1
|
||||
- grep_permitrootlogin_ssh.rc != 0
|
||||
|
||||
#####################
|
||||
# Allow current user
|
||||
#####################
|
||||
|
||||
- name: Allow current user
|
||||
block:
|
||||
- name: Check if evolinux ssh group is used
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_evolinux_group_ssh
|
||||
|
||||
- debug:
|
||||
var: grep_evolinux_group_ssh
|
||||
|
||||
- name: "Get current user's login"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: _logname
|
||||
check_mode: no
|
||||
|
||||
- debug:
|
||||
var: evolinux_ssh_group
|
||||
|
||||
- debug:
|
||||
var: evolinux_ssh_allow_current_user
|
||||
|
||||
- name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
|
||||
ansible.builtin.user:
|
||||
name: "{{ _logname.stdout }}"
|
||||
groups: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when:
|
||||
- grep_evolinux_group_ssh.rc == 0
|
||||
when:
|
||||
- evolinux_ssh_group is defined
|
||||
- evolinux_ssh_group | length > 0
|
||||
- evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,18 +1,27 @@
|
|||
---
|
||||
|
||||
###
|
||||
# this check must be repeated for each user
|
||||
# even if it's been done before
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
###
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian < 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
|
@ -21,25 +30,25 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 1 # Not found
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
create: yes
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_allowgroups_ssh.rc == 1 # Not found
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "AllowGroups {{ evolinux_ssh_group }}"
|
||||
create: yes
|
||||
mode: "0644"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2 # Found, return code can be 0 or 2
|
||||
|
|
|
@ -1,55 +1,84 @@
|
|||
---
|
||||
|
||||
# this check must be repeated for each user
|
||||
###
|
||||
# these checks must be repeated for each user
|
||||
# even if it's been done before
|
||||
- name: verify AllowUsers directive
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
- name: Verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowusers_ssh
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
|
||||
###
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian < 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc != 0
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- ansible_distribution_major_version is version('12', '<')
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian >= 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
|
||||
- name: "verify Match User directive"
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^Match User' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_matchuser_ssh
|
||||
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}' (Debian <= 10)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc != 0
|
||||
when:
|
||||
- grep_matchuser_ssh.rc != 0
|
||||
- ansible_distribution_major_version is version('10', '<=')
|
||||
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive"
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive (Debian <= 10)"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
dest: "{{ grep_matchuser_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc == 0
|
||||
when:
|
||||
- grep_matchuser_ssh.rc == 0
|
||||
- ansible_distribution_major_version is version('10', '<=')
|
||||
|
|
Loading…
Reference in a new issue