Fix ssh security policy

admin-users/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 admin_users: {}
+admin_users_group: adm

admin-users/tasks/debian/ssh.yml

@@ -27,7 +27,7 @@
   lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nAllowUsers {{ user.name }}"
-    insertafter: '^#   ForceCommand cvs server'
+    insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -T -f %s'
   notify: reload sshd
   when: grep_allowusers_ssh.rc != 0

admin-users/tasks/debian/user.yml

@@ -28,10 +28,14 @@
    update_password: on_create
   when: uidisbusy.rc == 0
 
+- name: "Create {{ admin_users_group }}"
+  group:
+    name: "{{ admin_users_group }}"
+
 - name: "Add user to sudo group (Stretch)"
   user:
     name: '{{ user.name }}'
-    groups: sudo
+    groups: 'sudo,{{ admin_users_group }}'
     append: yes
   when: ansible_distribution_release == "stretch"
 

evolinux-base/tasks/ssh.yml

@@ -1,29 +1,51 @@
 ---
-- name: verify Match Address directive
-  command: "grep 'Match Address' /etc/ssh/sshd_config"
-  changed_when: False
-  failed_when: False
-  check_mode: no
 
-  register: grep_matchaddress_ssh
+- name: Security directives for Evolinux
-
+  blockinfile:
-- name: Add Match Address sshd directive
-  lineinfile:
     dest: /etc/ssh/sshd_config
-    line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n    PasswordAuthentication yes"
+    block: |
+      Match Group sudo
+          PasswordAuthentication no
+      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+          PasswordAuthentication yes
+    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
+    insertafter: EOF
     validate: '/usr/sbin/sshd -T -f %s'
   notify: reload sshd
-  when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
 
-- name: Modify Match Address sshd directive
+# - name: verify Match Address directive
-  replace:
+#   command: "grep 'Match Address' /etc/ssh/sshd_config"
-    dest: /etc/ssh/sshd_config
+#   changed_when: False
-    regexp: '^(Match Address ((?!{{ item }}).)*)$'
+#   failed_when: False
-    replace: '\1,{{ item }}'
+#   check_mode: no
-    validate: '/usr/sbin/sshd -T -f %s'
+#   register: grep_matchaddress_ssh
-  with_items: "{{ evolinux_ssh_password_auth_addresses }}"
+#
-  notify: reload sshd
+# - name: Add Match Address sshd directive
-  when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
+#   lineinfile:
+#     dest: /etc/ssh/sshd_config
+#     line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n    PasswordAuthentication yes"
+#     insertafter: '# +ForceCommand cvs server'
+#     validate: '/usr/sbin/sshd -T -f %s'
+#   notify: reload sshd
+#   when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
+#
+# - name: Modify Match Address sshd directive
+#   replace:
+#     dest: /etc/ssh/sshd_config
+#     regexp: '^(Match Address ((?!{{ item }}).)*)$'
+#     replace: '\1,{{ item }}'
+#     validate: '/usr/sbin/sshd -T -f %s'
+#   with_items: "{{ evolinux_ssh_password_auth_addresses }}"
+#   notify: reload sshd
+#   when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
+#
+# - name: Add Match Group sudo without password
+#   lineinfile:
+#     dest: /etc/ssh/sshd_config
+#     line: "\nMatch Group sudo\n    PasswordAuthentication no"
+#     insertbefore: '^Match Address'
+#     validate: '/usr/sbin/sshd -T -f %s'
+#   notify: reload sshd
 
 - name: disable SSH access for root
   replace: