From 4b8456c5b7773ac7648435c844368a92ea65da99 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sat, 5 Aug 2017 12:13:24 -0400
Subject: [PATCH] Fix ssh security policy
---
 admin-users/defaults/main.yml | 1 +
 admin-users/tasks/debian/ssh.yml | 2 +-
 admin-users/tasks/debian/user.yml | 6 ++-
 evolinux-base/tasks/ssh.yml | 62 +++++++++++++++++++++----------
 4 files changed, 49 insertions(+), 22 deletions(-)
diff --git a/admin-users/defaults/main.yml b/admin-users/defaults/main.yml
index e0c1ff04..ad5f42cb 100644
--- a/admin-users/defaults/main.yml
+++ b/admin-users/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 admin_users: {}
+admin_users_group: adm
diff --git a/admin-users/tasks/debian/ssh.yml b/admin-users/tasks/debian/ssh.yml
index 0ee7d2d8..d74a51f2 100644
--- a/admin-users/tasks/debian/ssh.yml
+++ b/admin-users/tasks/debian/ssh.yml
@@ -27,7 +27,7 @@
 lineinfile:
 dest: /etc/ssh/sshd_config
 line: "\nAllowUsers {{ user.name }}"
- insertafter: '^# ForceCommand cvs server'
+ insertafter: 'Subsystem'
 validate: '/usr/sbin/sshd -T -f %s'
 notify: reload sshd
 when: grep_allowusers_ssh.rc != 0
diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml
index 10e4980c..7de5b778 100644
--- a/admin-users/tasks/debian/user.yml
+++ b/admin-users/tasks/debian/user.yml
@@ -28,10 +28,14 @@
 update_password: on_create
 when: uidisbusy.rc == 0
+- name: "Create {{ admin_users_group }}"
+ group:
+ name: "{{ admin_users_group }}"
+
 - name: "Add user to sudo group (Stretch)"
 user:
 name: '{{ user.name }}'
- groups: sudo
+ groups: 'sudo,{{ admin_users_group }}'
 append: yes
 when: ansible_distribution_release == "stretch"
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
index d74dcef3..6f79c982 100644
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
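Review bot: The new default `admin_users_group: adm` is undocumented, although tasks/debian/user.yml in this same commit grants that group to every admin user. On Debian `adm` is conventionally the group with read access to the system logs under /var/log, so the choice deserves a one-line comment in defaults/main.yml, e.g. `# secondary group given to every admin user (on Debian, adm can read /var/log)`. Operators overriding the variable should also know whether the group is expected to exist already or be created by the role.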
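Review bot: The new `insertafter: 'Subsystem'` is an unanchored regex, so it matches any line containing that word, including a commented-out one, and lineinfile uses the last match; anchor it as `insertafter: '^Subsystem'`. Worth noting in the task as well: when no line matches, lineinfile appends at end of file, and since this commit also appends `Match` blocks to sshd_config (evolinux-base/tasks/ssh.yml, via blockinfile with `insertafter: EOF`), an appended `AllowUsers` line would land inside a Match block and be scoped to it rather than applying globally, which `sshd -T` validation would not flag. A comment such as `# must stay above any Match block: directives after Match are scoped to that block` would record the reason for the insertion point. The task's `- name:` line is above the hunk.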
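Review bot: The task name `"Add user to sudo group (Stretch)"` no longer matches what the task does once the line becomes `groups: 'sudo,{{ admin_users_group }}'`; rename it to `name: "Add user to sudo and {{ admin_users_group }} groups (Stretch)"` so play output reflects the membership actually granted. The new `Create {{ admin_users_group }}` task runs for every release while the membership task is Stretch-only, so if a parallel task for other releases exists outside this hunk it presumably needs the same group added. The string form also yields `sudo,` when the variable is overridden to an empty value; a short comment noting that `admin_users_group` must be non-empty would help.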
@@ -1,29 +1,51 @@
 ---
-- name: verify Match Address directive
- command: "grep 'Match Address' /etc/ssh/sshd_config"
- changed_when: False
- failed_when: False
- check_mode: no
- register: grep_matchaddress_ssh
-
-- name: Add Match Address sshd directive
- lineinfile:
+- name: Security directives for Evolinux
+ blockinfile:
 dest: /etc/ssh/sshd_config
- line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
+ block: |
+ Match Group sudo
+ PasswordAuthentication no
+ Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+ PasswordAuthentication yes
+ marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
+ insertafter: EOF
 validate: '/usr/sbin/sshd -T -f %s'
 notify: reload sshd
- when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
-- name: Modify Match Address sshd directive
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(Match Address ((?!{{ item }}).)*)$'
- replace: '\1,{{ item }}'
- validate: '/usr/sbin/sshd -T -f %s'
- with_items: "{{ evolinux_ssh_password_auth_addresses }}"
- notify: reload sshd
- when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
+# - name: verify Match Address directive
+# command: "grep 'Match Address' /etc/ssh/sshd_config"
+# changed_when: False
+# failed_when: False
+# check_mode: no
+# register: grep_matchaddress_ssh
+#
+# - name: Add Match Address sshd directive
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
+# insertafter: '# +ForceCommand cvs server'
+# validate: '/usr/sbin/sshd -T -f %s'
+# notify: reload sshd
+# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
+#
+# - name: Modify Match Address sshd directive
+# replace:
+# dest: /etc/ssh/sshd_config
+# regexp: '^(Match Address ((?!{{ item }}).)*)$'
+# replace: '\1,{{ item }}'
+# validate: '/usr/sbin/sshd -T -f %s'
+# with_items: "{{ evolinux_ssh_password_auth_addresses }}"
+# notify: reload sshd
+# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
+#
+# - name: Add Match Group sudo without password
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# line: "\nMatch Group sudo\n PasswordAuthentication no"
+# insertbefore: '^Match Address'
+# validate: '/usr/sbin/sshd -T -f %s'
+# notify: reload sshd
 - name: disable SSH access for root
 replace: