Fix ssh security policy
This commit is contained in:
parent
db2b418be4
commit
4b8456c5b7
|
@ -1,2 +1,3 @@
|
||||||
---
|
---
|
||||||
admin_users: {}
|
admin_users: {}
|
||||||
|
admin_users_group: adm
|
||||||
|
|
|
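Review bot: The new default `admin_users_group: adm` reuses Debian's existing `adm` system group, and membership in that group grants read access to most logs under /var/log (auth.log included), which is a privilege grant the defaults file does not mention. A comment above the line such as `# Debian's adm group: members can read most files under /var/log` would make the effect explicit for anyone overriding the value. Whether a dedicated group would be preferable over `adm` depends on how the role is used, which this hunk does not show.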
@ -27,7 +27,7 @@
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
line: "\nAllowUsers {{ user.name }}"
|
line: "\nAllowUsers {{ user.name }}"
|
||||||
insertafter: '^# ForceCommand cvs server'
|
insertafter: 'Subsystem'
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_allowusers_ssh.rc != 0
|
when: grep_allowusers_ssh.rc != 0
|
||||||
|
|
|
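Review bot: `insertafter: 'Subsystem'` is an unanchored regex, so it also matches a commented `#Subsystem` line, and lineinfile inserts after the last match; anchoring it as `insertafter: '^Subsystem'` pins it to the active directive. If nothing matches, lineinfile falls back to appending at EOF, and since this role now ends sshd_config with Match blocks, an `AllowUsers` appended there is scoped to the last Match block instead of applying globally — `sshd -T` accepts that silently, so the validate step will not catch it. The task header for this lineinfile starts above the hunk.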
@ -28,10 +28,14 @@
|
||||||
update_password: on_create
|
update_password: on_create
|
||||||
when: uidisbusy.rc == 0
|
when: uidisbusy.rc == 0
|
||||||
|
|
||||||
|
- name: "Create {{ admin_users_group }}"
|
||||||
|
group:
|
||||||
|
name: "{{ admin_users_group }}"
|
||||||
|
|
||||||
- name: "Add user to sudo group (Stretch)"
|
- name: "Add user to sudo group (Stretch)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: sudo
|
groups: 'sudo,{{ admin_users_group }}'
|
||||||
append: yes
|
append: yes
|
||||||
when: ansible_distribution_release == "stretch"
|
when: ansible_distribution_release == "stretch"
|
||||||
|
|
||||||
|
|
|
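Review bot: `groups: 'sudo,{{ admin_users_group }}'` expands to `sudo,` when `admin_users_group` is empty, which the user module would most likely treat as a group named `""` and fail rather than skip; a form that drops empty entries, `groups: "{{ ['sudo', admin_users_group] | select | join(',') }}"`, avoids that. The new `Create {{ admin_users_group }}` task runs on every host while the membership change is still limited to stretch by the unchanged `when:`; if a sibling task for another release exists outside this hunk, it presumably needs the same `groups` change. The new group task could also carry an explicit `state: present` so its intent does not rely on the module default.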
@ -1,29 +1,51 @@
|
||||||
---
|
---
|
||||||
- name: verify Match Address directive
|
|
||||||
command: "grep 'Match Address' /etc/ssh/sshd_config"
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
register: grep_matchaddress_ssh
|
- name: Security directives for Evolinux
|
||||||
|
blockinfile:
|
||||||
- name: Add Match Address sshd directive
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
|
block: |
|
||||||
|
Match Group sudo
|
||||||
|
PasswordAuthentication no
|
||||||
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||||
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
|
|
||||||
|
|
||||||
- name: Modify Match Address sshd directive
|
# - name: verify Match Address directive
|
||||||
replace:
|
# command: "grep 'Match Address' /etc/ssh/sshd_config"
|
||||||
dest: /etc/ssh/sshd_config
|
# changed_when: False
|
||||||
regexp: '^(Match Address ((?!{{ item }}).)*)$'
|
# failed_when: False
|
||||||
replace: '\1,{{ item }}'
|
# check_mode: no
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
# register: grep_matchaddress_ssh
|
||||||
with_items: "{{ evolinux_ssh_password_auth_addresses }}"
|
#
|
||||||
notify: reload sshd
|
# - name: Add Match Address sshd directive
|
||||||
when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
|
# lineinfile:
|
||||||
|
# dest: /etc/ssh/sshd_config
|
||||||
|
# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
|
||||||
|
# insertafter: '# +ForceCommand cvs server'
|
||||||
|
# validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
# notify: reload sshd
|
||||||
|
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
|
||||||
|
#
|
||||||
|
# - name: Modify Match Address sshd directive
|
||||||
|
# replace:
|
||||||
|
# dest: /etc/ssh/sshd_config
|
||||||
|
# regexp: '^(Match Address ((?!{{ item }}).)*)$'
|
||||||
|
# replace: '\1,{{ item }}'
|
||||||
|
# validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
# with_items: "{{ evolinux_ssh_password_auth_addresses }}"
|
||||||
|
# notify: reload sshd
|
||||||
|
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
|
||||||
|
#
|
||||||
|
# - name: Add Match Group sudo without password
|
||||||
|
# lineinfile:
|
||||||
|
# dest: /etc/ssh/sshd_config
|
||||||
|
# line: "\nMatch Group sudo\n PasswordAuthentication no"
|
||||||
|
# insertbefore: '^Match Address'
|
||||||
|
# validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
# notify: reload sshd
|
||||||
|
|
||||||
- name: disable SSH access for root
|
- name: disable SSH access for root
|
||||||
replace:
|
replace:
|
||||||
|
|
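Review bot: The `when:` that gated the old Match Address task on `evolinux_ssh_match_address` and a non-empty `evolinux_ssh_password_auth_addresses` is removed, and the new blockinfile task at the top of the hunk has no replacement condition visible, so an empty address list renders a bare `Match Address` line that `sshd -T` rejects and the task then fails on every such host. Keeping the `Match Group sudo` part unconditional looks intended, so gate only the address part inside the template by wrapping the two Match Address lines in `{% if evolinux_ssh_password_auth_addresses %}` … `{% endif %}`, and if `evolinux_ssh_match_address` is still meant as a feature switch, put `when: evolinux_ssh_match_address` back on the task without referencing `grep_matchaddress_ssh`, whose register task is now commented out. Two things deserve a comment on the `block:`: sshd applies, per keyword, the first satisfied Match block, so a sudo member connecting from a listed address gets `PasswordAuthentication no` only because `Match Group sudo` comes first — the order is load-bearing; and because Match blocks must be last in sshd_config, anything appended after this block (including lineinfile's EOF fallback) becomes scoped to `Match Address`. Members of sudo lose password login as soon as this applies, so the change should be rolled out only after their keys are confirmed in place.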