Merge branch 'ssh-split' into unstable

2023-08-16 16:15:00 +02:00 · 2023-08-16 16:15:00 +02:00 · 36cd982f35
parent b92871bfef 263f940c3d
commit 36cd982f35
7 changed files with 106 additions and 85 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -31,6 +31,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * userlogrotate: add a userlogpurge script disabled by default
 * evolinux-base: configure bashrc for all users
 * bind: Add reload-zone helper
+* evolinux-base: add splitted SSH configuration for Debian >= 12
+* evolinux-users: add splitted SSH configuration for Debian >= 12
+* evocheck: add support for Debian >= 12 splitted SSH configuration

 ### Changed

--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@ -231,8 +231,15 @@ check_customcrontab() {
    test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
 }
 check_sshallowusers() {
-    grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
-        || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+    if is_debian_bookworm; then
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
+            || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
+            || failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
+    else
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
+            || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+    fi
 }
 check_diskperf() {
    perfFile="/root/disk-perf.txt"
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@ -97,7 +97,21 @@
    replace: "PermitRootLogin no"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: evolinux_root_disable_ssh | bool
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('11', '<=')
+
+- name: disable SSH access for root (Debian >= 12)
+  ansible.builtin.replace:
+    path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+    line: "PermitRootLogin no"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
+

 ### Disabled : it seems useless and too dangerous for now
 # - name: remove root from AllowUsers directive
--- a/evolinux-base/tasks/ssh.included-files.yml
+++ b/evolinux-base/tasks/ssh.included-files.yml
@ -1,71 +1,14 @@
 ---
-# This is a copy of ssh.single-file.yml
-# It needs to be changed when we move to a included-files configuration
-
-
 - ansible.builtin.debug:
-    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
+    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
  when: evolinux_ssh_password_auth_addresses == []

-# From 'man sshd_config' :
-# « If all of the criteria on the Match line are satisfied, the keywords
-# on the following lines override those set in the global section of the config
-# file, until either another Match line or the end of the file.
-# If a keyword appears in multiple Match blocks that are satisfied,
-# only the first instance of the keyword is applied. »
-#
-# We want to allow any user from a list of IP addresses to login with password,
-# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
+- name: add SSH server configuration template
+  ansible.builtin.template:
+    src: sshd/defaults.j2
+    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf

- name: "Security directives for Evolinux (Debian 10 or later)"
-  ansible.builtin.blockinfile:
-    dest: /etc/ssh/sshd_config
-    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
-    block: |
-      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
-          PasswordAuthentication yes
-      Match Group {{ evolinux_internal_group }}
-          PasswordAuthentication no
-    insertafter: EOF
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when:
-    - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_major_version is version('10', '>=')
-
- name: Security directives for Evolinux (Jessie/Stretch)
-  ansible.builtin.blockinfile:
-    dest: /etc/ssh/sshd_config
-    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
-    block: |
-      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
-          PasswordAuthentication yes
-    insertafter: EOF
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when:
-    - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_major_version is version('10', '<')
-
-# We disable AcceptEnv because it can be a security issue, but also because we
-# do not want clients to push their environment variables like LANG.
- name: disable AcceptEnv in ssh config
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^AcceptEnv'
-    replace: "#AcceptEnv"
-  notify: reload sshd
-  when: evolinux_ssh_disable_acceptenv | bool
-
- name: Set log level to verbose (for Debian >= 9)
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^#?LogLevel [A-Z]+'
-    replace: "LogLevel VERBOSE"
-  notify: reload sshd
-  when: ansible_distribution_major_version is version('9', '>=')
-
- name: "Get current user"
+- name: "Get current user's group"
  ansible.builtin.command:
    cmd: logname
  changed_when: False
@ -73,10 +16,9 @@
  check_mode: no
  when: evolinux_ssh_allow_current_user | bool

-# we must double-escape caracters, because python
 - name: verify AllowUsers directive
  ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "grep -ER '^AllowUsers' /etc/ssh"
  failed_when: False
  changed_when: False
  register: grep_allowusers_ssh
@ -85,20 +27,15 @@

 - name: "Add AllowUsers sshd directive for current user"
  ansible.builtin.lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: "\nAllowUsers {{ logname.stdout }}"
+    dest: /etc/ssh/sshd_config.d/allow_evolinux_user
+    line: "AllowUsers {{ logname.stdout }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0

- name: "Modify AllowUsers sshd directive for current user"
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
-    replace: '\1 {{ logname.stdout }}'
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
-
 - ansible.builtin.meta: flush_handlers
+
+# TODO vérifier présence de Include /etc/ssh/sshd_config.d/*.conf
+# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
+# TODO si allowgroups, ajouter groupe de l’utilisateur
--- a/evolinux-base/templates/sshd/defaults.j2
+++ b/evolinux-base/templates/sshd/defaults.j2
@ -0,0 +1,15 @@
+Port 22
+{% if evolinux_root_disable_ssh %}
+PermitRootLogin no
+{% endif %}
+LogLevel VERBOSE
+SetEnv LC_ALL=en_US.UTF-8
+
+{% if evolinux_ssh_password_auth_addresses %}
+Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+    PasswordAuthentication yes
+{% endif %}
+{% if evolinux_internal_group %}
+Match Group {{ evolinux_internal_group }}
+    PasswordAuthentication no
+{% endif %}
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@ -2,7 +2,7 @@

 - name: verify AllowGroups directive
  ansible.builtin.command:
-    cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowGroups' /etc/ssh"
  changed_when: False
  failed_when: False
  check_mode: no
@ -14,7 +14,7 @@

 - name: verify AllowUsers directive
  ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowUsers' /etc/ssh"
  changed_when: False
  failed_when: False
  check_mode: no
@ -62,6 +62,36 @@
    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
  notify: reload sshd
-  when: evolinux_root_disable_ssh | bool
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('11', '<=')
+
+- name: verify PermitRootLogin directive (Debian >= 12)
+  ansible.builtin.command:
+    cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_permitrootlogin_ssh
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+
+# TODO avertir lorsque PermitRootLogin est déjà configuré?
+- ansible.builtin.debug:
+    var: grep_permitrootlogin_ssh
+    verbosity: 1
+
+- name: disable root login (Debian >= 12)
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "PermitRootLogin no"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+    insertbefore: "BOF"
+  notify: reload sshd
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
+    - grep_permitrootlogin_ssh.rc == 1

 - ansible.builtin.meta: flush_handlers
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@ -4,11 +4,13 @@
 # even if it's been done before
 - name: verify AllowGroups directive
  ansible.builtin.command:
-    cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowGroups' /etc/ssh"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_allowgroups_ssh
+  when:
+    - ansible_distribution_major_version is version('11', '<=')

 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
  ansible.builtin.lineinfile:
@ -17,7 +19,9 @@
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: grep_allowgroups_ssh.rc != 0
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
+    - grep_allowgroups_ssh.rc != 0

 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
  ansible.builtin.replace:
@ -26,4 +30,15 @@
    replace: '\1 {{ evolinux_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
-  when: grep_allowgroups_ssh.rc == 0
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
+    - grep_allowgroups_ssh.rc == 0
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "AllowGroups {{ evolinux_ssh_group }}"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  when:
+    - ansible_distribution_major_version is version('12', '>=')