From 52651199129bf142114d89151b2b0d818f3dbb42 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Wed, 1 Mar 2023 11:58:23 +0100
Subject: [PATCH 01/15] evocheck/ssh: add Debian 12 condition
---
 evocheck/files/evocheck.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 5b73eebf..d97020e7 100755
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -231,8 +231,15 @@ check_customcrontab() {
 test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
 }
 check_sshallowusers() {
- grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
- || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+ if is_debian_bookworm; then
+ grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
+ || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
+ grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
+ || failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
+ else
+ grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
+ || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+ fi
 }
 check_diskperf() {
 perfFile="/root/disk-perf.txt"
From ec34d8afe150c5e27e619d5ee09046df22497b43 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Mon, 13 Mar 2023 17:58:57 +0100
Subject: [PATCH 02/15] Move PermitRootLogin to another file Debian >= 12.
---
 evolinux-base/tasks/root.yml | 16 +++++++++++++++-
 evolinux-users/tasks/ssh.yml | 19 ++++++++++++++++---
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 98cd3b3d..c7d7f1bd 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
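Review bot: In the `is_debian_bookworm` branch the second check is inverted: `grep -q … /etc/ssh/sshd_config || failed … "directive present in sshd_config"` reports "present" exactly when grep finds nothing, so a host that correctly keeps AllowUsers/AllowGroups only in sshd_config.d always fails this check and a host that still has them in sshd_config passes it. Replace `||` with `&&` on that line: `grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config && failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"`. Separately, the pattern is case-insensitive and unanchored, so a commented-out `#AllowUsers` line satisfies the "missing" check; dropping `-i` and anchoring with `^[[:space:]]*(AllowUsers|AllowGroups)` tests the effective directive. The recursive grep over sshd_config.d also counts files whose name does not end in `.conf`, which sshd does not include.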
@@ -97,7 +97,21 @@
 replace: "PermitRootLogin no"
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: evolinux_root_disable_ssh | bool
+ when:
+ - evolinux_root_disable_ssh | bool
+ - ansible_distribution_major_version is version('11', '<=')
+
+- name: disable SSH access for root (Debian <= 12)
+ replace:
+ path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+ line: "PermitRootLogin no"
+ create: yes
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: reload sshd
+ when:
+ - evolinux_root_disable_ssh | bool
+ - ansible_distribution_major_version is version('12', '>=')
+
 ### Disabled : it seems useless and too dangerous for now
 # - name: remove root from AllowUsers directive
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 9110911f..3a03e175 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -2,7 +2,7 @@
 - name: verify AllowGroups directive
 ansible.builtin.command:
- cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+ cmd: "grep -Er '^AllowGroups' /etc/ssh"
 changed_when: False
 failed_when: False
 check_mode: no
@@ -14,7 +14,7 @@
 - name: verify AllowUsers directive
 ansible.builtin.command:
- cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+ cmd: "grep -Er '^AllowUsers' /etc/ssh"
 changed_when: False
 failed_when: False
 check_mode: no
@@ -62,6 +62,19 @@
 regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
 replace: "PermitRootLogin no"
 notify: reload sshd
- when: evolinux_root_disable_ssh | bool
+ when:
+ - evolinux_root_disable_ssh | bool
+ - ansible_distribution_major_version is version('11', '<=')
+
+- name: disable root login (Debian <= 12)
+ replace:
+ path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+ line: "PermitRootLogin no"
+ create: yes
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: reload sshd
+ when:
+ - evolinux_root_disable_ssh | bool
+ - ansible_distribution_major_version is version('12', '>=')
 - ansible.builtin.meta: flush_handlers
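Review bot: The new `disable SSH access for root` task in root.yml uses the `replace` module with `line:` and `create:`, which are `lineinfile` options; `replace` requires `regexp` and rejects unknown arguments, so on Debian 12 the task errors out instead of writing the fragment and root login is left as it was. Change the module line to `lineinfile:` (with the FQCN introduced later in this series, `ansible.builtin.lineinfile:`). The `disable root login` hunk in evolinux-users/tasks/ssh.yml in this same commit has the identical problem; only that copy is corrected later in the series (patch 09), while root.yml still shows `ansible.builtin.replace` with `line:` in patch 10.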
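Review bot: `grep -Er '^AllowGroups' /etc/ssh` in the `verify AllowGroups directive` hunk (and `^AllowUsers` in the next one) now searches the whole directory, including ssh_config, ssh_config.d/ and any sshd_config.d file not ending in `.conf`, none of which sshd loads, so the directive can be reported as present while not being in effect and the "add" task is then skipped. Limiting the search to what sshd actually reads, `cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf"`, keeps the check aligned with the `Include /etc/ssh/sshd_config.d/*.conf` glob. The same narrowing applies to the AllowUsers grep.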
From eca2b5e4bf5ba30aa4c0f9b9738a552c94409667 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Fri, 31 Mar 2023 14:42:56 +0200
Subject: [PATCH 03/15] fqcn
---
 evolinux-base/tasks/root.yml | 2 +-
 evolinux-users/tasks/ssh.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index c7d7f1bd..2558897e 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -102,7 +102,7 @@
 - ansible_distribution_major_version is version('11', '<=')
 - name: disable SSH access for root (Debian <= 12)
- replace:
+ ansible.builtin.replace:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
 create: yes
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 3a03e175..7998b714 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -67,7 +67,7 @@
 - ansible_distribution_major_version is version('11', '<=')
 - name: disable root login (Debian <= 12)
- replace:
+ ansible.builtin.replace:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
 create: yes
From fc241f28358b1aeaa59ff3a139e147dea0359c6f Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Fri, 7 Apr 2023 14:26:09 +0200
Subject: [PATCH 04/15] evolinux-base: Add SSH configuration template
---
 evolinux-base/tasks/ssh.included-files.yml | 89 ++++------------------
 evolinux-base/templates/sshd/defaults.j2 | 13 ++++
 2 files changed, 26 insertions(+), 76 deletions(-)
 create mode 100644 evolinux-base/templates/sshd/defaults.j2
diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml
index 952b661f..dfae0b2b 100644
--- a/evolinux-base/tasks/ssh.included-files.yml
+++ b/evolinux-base/tasks/ssh.included-files.yml
@@ -1,71 +1,14 @@
 ---
-# This is a copy of ssh.single-file.yml
-# It needs to be changed when we move to a included-files configuration
-
-
 - ansible.builtin.debug:
- msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
+ msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
 when: evolinux_ssh_password_auth_addresses == []
-# From 'man sshd_config' :
-# « If all of the criteria on the Match line are satisfied, the keywords
-# on the following lines override those set in the global section of the config
-# file, until either another Match line or the end of the file.
-# If a keyword appears in multiple Match blocks that are satisfied,
-# only the first instance of the keyword is applied. »
-#
-# We want to allow any user from a list of IP addresses to login with password,
-# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
+- name: add SSH server configuration template
+ ansible.builtin.template:
+ src: sshd/defaults.j2
+ dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
-- name: "Security directives for Evolinux (Debian 10 or later)"
- ansible.builtin.blockinfile:
- dest: /etc/ssh/sshd_config
- marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
- block: |
- Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
- PasswordAuthentication yes
- Match Group {{ evolinux_internal_group }}
- PasswordAuthentication no
- insertafter: EOF
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when:
- - evolinux_ssh_password_auth_addresses != []
- - ansible_distribution_major_version is version('10', '>=')
-
-- name: Security directives for Evolinux (Jessie/Stretch)
- ansible.builtin.blockinfile:
- dest: /etc/ssh/sshd_config
- marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
- block: |
- Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
- PasswordAuthentication yes
- 
insertafter: EOF
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when:
- - evolinux_ssh_password_auth_addresses != []
- - ansible_distribution_major_version is version('10', '<')
-
-# We disable AcceptEnv because it can be a security issue, but also because we
-# do not want clients to push their environment variables like LANG.
-- name: disable AcceptEnv in ssh config
- ansible.builtin.replace:
- dest: /etc/ssh/sshd_config
- regexp: '^AcceptEnv'
- replace: "#AcceptEnv"
- notify: reload sshd
- when: evolinux_ssh_disable_acceptenv | bool
-
-- name: Set log level to verbose (for Debian >= 9)
- ansible.builtin.replace:
- dest: /etc/ssh/sshd_config
- regexp: '^#?LogLevel [A-Z]+'
- replace: "LogLevel VERBOSE"
- notify: reload sshd
- when: ansible_distribution_major_version is version('9', '>=')
-
-- name: "Get current user"
+- name: "Get current user's group"
 ansible.builtin.command:
 cmd: logname
 changed_when: False
@@ -73,10 +16,9 @@
 check_mode: no
 when: evolinux_ssh_allow_current_user | bool
-# we must double-escape caracters, because python
 - name: verify AllowUsers directive
 ansible.builtin.command:
- cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+ cmd: "grep -ER '^AllowUsers' /etc/ssh"
 failed_when: False
 changed_when: False
 register: grep_allowusers_ssh
@@ -85,20 +27,15 @@
 - name: "Add AllowUsers sshd directive for current user"
 ansible.builtin.lineinfile:
- dest: /etc/ssh/sshd_config
- line: "\nAllowUsers {{ logname.stdout }}"
+ dest: /etc/ssh/sshd_config.d/allow_evolinux_user
+ line: "AllowUsers {{ logname.stdout }}"
 insertafter: 'Subsystem'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
-- name: "Modify AllowUsers sshd directive for current user"
- ansible.builtin.replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
- replace: '\1 {{ logname.stdout }}'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
-
 - ansible.builtin.meta: flush_handlers
+
+ # TODO vérifier présence de Include /etc/ssh/sshd_config.d/*.conf
+ # TODO si allowusers et allowgroups, ajouter utilisateur aux deux
+ # TODO si allowgroups, ajouter groupe de l’utilisateur
diff --git a/evolinux-base/templates/sshd/defaults.j2 b/evolinux-base/templates/sshd/defaults.j2
new file mode 100644
index 00000000..25baf475
--- /dev/null
+++ b/evolinux-base/templates/sshd/defaults.j2
@@ -0,0 +1,13 @@
+Port 22
+PermitRootLogin no
+LogLevel VERBOSE
+SetEnv LC_ALL=en_US.UTF-8
+
+{% if evolinux_ssh_password_auth_addresses %}
+Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+ PasswordAuthentication yes
+{% endif %}
+{% if evolinux_internal_group %}
+Match Group {{ evolinux_internal_group }}
+ PasswordAuthentication no
+{% endif %}
From 87711ef00c2ac21ef14812a3b7df353a53eeb3f3 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Mon, 17 Apr 2023 16:00:37 +0200
Subject: [PATCH 05/15] evolinux-base: PermitRootLogin depends on evolinux_root_disable_ssh
---
 evolinux-base/templates/sshd/defaults.j2 | 2 ++
 1 file changed, 2 insertions(+)
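Review bot: The `add SSH server configuration template` task installs `/etc/ssh/sshd_config.d/z-evolinux-defaults.conf` with neither `validate: '/usr/sbin/sshd -t -f %s'` nor `notify: reload sshd`, both of which the removed blockinfile tasks had, so an invalid directive in the rendered fragment is not caught before it lands and the new Match blocks only take effect once some other task reloads sshd; add both lines after `dest:`. Further down, `dest: /etc/ssh/sshd_config.d/allow_evolinux_user` has no `.conf` suffix, which the `Include /etc/ssh/sshd_config.d/*.conf` glob requires, so the AllowUsers line for the current user is written and validated but never read by sshd (and `insertafter: 'Subsystem'` is a leftover from the single-file layout); rename it to `allow_evolinux_user.conf`. Removing the `disable AcceptEnv in ssh config` task also leaves `evolinux_ssh_disable_acceptenv` with no effect in this file; if that is intended, the variable should be documented as such or retired. The hunk starts at the top of the file but the file's remaining tasks are outside it.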
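Review bot: `Port 22` is hard-coded in a fragment that the Debian 12 default sshd_config includes before any other directive, and sshd keeps the first value it sees for a keyword, so any `Port` set in the main file or in a later fragment is silently ignored once this template is installed. Either drop the line (22 is already the default) or render it from a role variable. The same first-wins rule is what makes `PermitRootLogin no` and `LogLevel VERBOSE` here override the main file, which is presumably the intent, but it is worth a comment at the top of the template so the next maintainer does not try to override them from sshd_config.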
diff --git a/evolinux-base/templates/sshd/defaults.j2 b/evolinux-base/templates/sshd/defaults.j2
index 25baf475..373141a6 100644
--- a/evolinux-base/templates/sshd/defaults.j2
+++ b/evolinux-base/templates/sshd/defaults.j2
@@ -1,5 +1,7 @@
 Port 22
+{% if evolinux_root_disable_ssh %}
 PermitRootLogin no
+{% endif %}
 LogLevel VERBOSE
 SetEnv LC_ALL=en_US.UTF-8
From fc8105e84edd24f523269b3a701d2eb2a767f61d Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Mon, 17 Apr 2023 18:03:19 +0200
Subject: [PATCH 06/15] evolinux-users: prepare SSH configuration for Debian 12 (wip)
---
 evolinux-users/tasks/ssh.yml | 18 +++++++++++++++++-
 evolinux-users/tasks/ssh_allowgroups.yml | 21 ++++++++++++++++++---
 2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 7998b714..5b6967da 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -66,15 +66,31 @@
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('11', '<=')
+- name: verify PermitRootLogin directive
+ ansible.builtin.command:
+ cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+ changed_when: False
+ failed_when: False
+ check_mode: no
+ register: grep_permitrootlogin_ssh
+ when:
+ - ansible_distribution_major_version is version('12', '>=')
+
+# TODO avertir lorsque PermitRootLogin est déjà configuré?
+- ansible.builtin.debug:
+ var: grep_permitrootlogin_ssh
+ verbosity: 1
+
 - name: disable root login (Debian <= 12)
 ansible.builtin.replace:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
 create: yes
- validate: '/usr/sbin/sshd -t -f %s'
+ validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-defaults.conf'
 notify: reload sshd
 when:
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('12', '>=')
+ - grep_permitrootlogin_ssh.rc != 1
 - ansible.builtin.meta: flush_handlers
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 2dac1f80..6972b82b 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -4,11 +4,13 @@
 # even if it's been done before
 - name: verify AllowGroups directive
 ansible.builtin.command:
- cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+ cmd: "grep -E '^AllowGroups' /etc/ssh"
 changed_when: False
 failed_when: False
 check_mode: no
 register: grep_allowgroups_ssh
+ when:
+ - ansible_distribution_major_version is version('11', '<=')
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
 ansible.builtin.lineinfile:
@@ -17,7 +19,9 @@
 insertafter: 'Subsystem'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: grep_allowgroups_ssh.rc != 0
+ when:
+ - grep_allowgroups_ssh.rc != 0
+ - ansible_distribution_major_version is version('11', '<=')
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
 ansible.builtin.replace:
@@ -26,4 +30,15 @@
 replace: '\1 {{ evolinux_ssh_group }}'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: grep_allowgroups_ssh.rc == 0
+ when:
+ - grep_allowgroups_ssh.rc == 0
+ - ansible_distribution_major_version is version('11', '<=')
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config.d/z-evolinux-users
+ line: "AllowGroups {{ evolinux_ssh_group }}"
+ create: yes
+ validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-users'
+ when:
+ - ansible_distribution_major_version is version('12', '>=')
From e70ab6d039ac7b50d20df4b52f0261ce28a82633 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Tue, 20 Jun 2023 10:57:55 +0200
Subject: [PATCH 07/15] evolinux-users: Fix tests order
---
 evolinux-users/tasks/ssh_allowgroups.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
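Review bot: The new Debian >= 12 `Add AllowGroups sshd directive` task in the last hunk has no `notify: reload sshd`, unlike the two Debian <= 11 tasks above it, so the fragment is written but the running sshd keeps accepting logins from users outside `evolinux_ssh_group` until an unrelated reload happens; add `notify: reload sshd` after the `validate:` line. None of the later patches in this series that touch this task (07, 08, 13) add it. The validate path and the missing `.conf` suffix are corrected later in the series, so they are not repeated here.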
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 6972b82b..198a7222 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -20,8 +20,8 @@
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when:
- - grep_allowgroups_ssh.rc != 0
 - ansible_distribution_major_version is version('11', '<=')
+ - grep_allowgroups_ssh.rc != 0
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
 ansible.builtin.replace:
@@ -31,8 +31,8 @@
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when:
- - grep_allowgroups_ssh.rc == 0
 - ansible_distribution_major_version is version('11', '<=')
+ - grep_allowgroups_ssh.rc == 0
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
 ansible.builtin.lineinfile:
From 0098cd2f08dfa38d63792d06b600920d5a94e437 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Tue, 20 Jun 2023 10:58:29 +0200
Subject: [PATCH 08/15] evolinux-users: Fix "validate" syntax
---
 evolinux-users/tasks/ssh_allowgroups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 198a7222..b332b514 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -39,6 +39,6 @@
 path: /etc/ssh/sshd_config.d/z-evolinux-users
 line: "AllowGroups {{ evolinux_ssh_group }}"
 create: yes
- validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-users'
+ validate: '/usr/sbin/sshd -t -f %s'
 when:
 - ansible_distribution_major_version is version('12', '>=')
From 86978a8225a5f3e452eebfaf3a7749925ba3ac70 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Tue, 20 Jun 2023 11:58:18 +0200
Subject: [PATCH 09/15] evolinux-users: Fix "disable root login" task
---
 evolinux-users/tasks/ssh.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 5b6967da..660fb766 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -66,7 +66,7 @@
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('11', '<=')
-- name: verify PermitRootLogin directive
+- name: verify PermitRootLogin directive (Debian >= 12)
 ansible.builtin.command:
 cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
 changed_when: False
@@ -81,12 +81,12 @@
 var: grep_permitrootlogin_ssh
 verbosity: 1
-- name: disable root login (Debian <= 12)
- ansible.builtin.replace:
+- name: disable root login (Debian >= 12)
+ ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
 create: yes
- validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-defaults.conf'
+ validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when:
 - evolinux_root_disable_ssh | bool
From 7e15e01b14a9b46482881b52edd6b7a15f369e1a Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Fri, 21 Jul 2023 11:49:00 +0200
Subject: [PATCH 10/15] Fix task name
---
 evolinux-base/tasks/root.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 2558897e..0baad708 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -101,7 +101,7 @@
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('11', '<=')
-- name: disable SSH access for root (Debian <= 12)
+- name: disable SSH access for root (Debian >= 12)
 ansible.builtin.replace:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
From fbb0b73e3a6e9d984eb217eb61f52bb3f6f8cf96 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Fri, 21 Jul 2023 11:49:35 +0200
Subject: [PATCH 11/15] Add permitrootlogin at beginning of file
---
 evolinux-users/tasks/ssh.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 660fb766..af889f71 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -83,10 +83,11 @@
 - name: disable root login (Debian >= 12)
 ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+ path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
 line: "PermitRootLogin no"
 create: yes
 validate: '/usr/sbin/sshd -t -f %s'
+ insertbefore: "BOF"
 notify: reload sshd
 when:
 - evolinux_root_disable_ssh | bool
From 4a0d3a49659e57efce782a29556549ff288149fe Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Fri, 21 Jul 2023 12:58:08 +0200
Subject: [PATCH 12/15] Fix permitrootlogin condition
---
 evolinux-users/tasks/ssh.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index af889f71..ae1db373 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -92,6 +92,6 @@
 when:
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('12', '>=')
- - grep_permitrootlogin_ssh.rc != 1
+ - grep_permitrootlogin_ssh.rc == 1
 - ansible.builtin.meta: flush_handlers
From f7f578705c4e1c00f84042c4d4bfbd860485d1f8 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Fri, 21 Jul 2023 12:58:55 +0200
Subject: [PATCH 13/15] Fix config file path
---
 evolinux-users/tasks/ssh_allowgroups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index b332b514..236a985b 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
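Review bot: `grep_permitrootlogin_ssh.rc == 1` in the patch 12 hunk only tests that no line starting with `PermitRootLogin` exists anywhere under /etc/ssh, not what it says: a host that already carries `PermitRootLogin yes` in sshd_config or in another fragment makes the grep return 0, the task is skipped, and root login stays enabled although `evolinux_root_disable_ssh` is true. Checking the effective value instead closes that gap, for example registering `cmd: "/usr/sbin/sshd -T"` and skipping the task only when its stdout contains `permitrootlogin no`; if the grep is kept, the task should at least fail or warn when the matched value is not `no`. The recursive grep also reads /etc/ssh/ssh_config and ssh_config.d/, which are client-side files and should not influence this decision.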
@@ -36,7 +36,7 @@
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
 ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config.d/z-evolinux-users
+ path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
 line: "AllowGroups {{ evolinux_ssh_group }}"
 create: yes
 validate: '/usr/sbin/sshd -t -f %s'
From a47834871634ed8855367feed74b649a6645d542 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Wed, 16 Aug 2023 14:26:35 +0200
Subject: [PATCH 14/15] Fix grep under /etc/ssh
---
 evolinux-users/tasks/ssh_allowgroups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 236a985b..fd74a7c0 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -4,7 +4,7 @@
 # even if it's been done before
 - name: verify AllowGroups directive
 ansible.builtin.command:
- cmd: "grep -E '^AllowGroups' /etc/ssh"
+ cmd: "grep -Er '^AllowGroups' /etc/ssh"
 changed_when: False
 failed_when: False
 check_mode: no
From 263f940c3d727e73b9fc31db7f8f3fa260132188 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Wed, 16 Aug 2023 16:14:42 +0200
Subject: [PATCH 15/15] Update Changelog
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index adf6be36..0b44a889 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * userlogrotate: add a userlogpurge script disabled by default
 * evolinux-base: configure bashrc for all users
 * bind: Add reload-zone helper
+* evolinux-base: add splitted SSH configuration for Debian >= 12
+* evolinux-users: add splitted SSH configuration for Debian >= 12
+* evocheck: add support for Debian >= 12 splitted SSH configuration
 ### Changed