admin-users: AllowUsers + Match User
This commit is contained in:
parent
b2971d1f7d
commit
65c57a61aa
|
@ -55,30 +55,63 @@
|
||||||
group: '{{ user.name }}'
|
group: '{{ user.name }}'
|
||||||
|
|
||||||
- name: Add user's SSH public key for '{{ user.name }}'
|
- name: Add user's SSH public key for '{{ user.name }}'
|
||||||
|
authorized_key:
|
||||||
|
user: "{{ user.name }}"
|
||||||
|
key: "{{ user.ssh_key }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: verify AllowUsers directive
|
||||||
|
command: "grep AllowUsers /etc/ssh/sshd_config"
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
register: grep_allowusers_ssh
|
||||||
|
|
||||||
|
- name: Add AllowUsers' sshd directive for '{{ user.name }}'
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: '/home/{{ user.name }}/.ssh/authorized_keys'
|
dest: /etc/ssh/sshd_config
|
||||||
create: yes
|
line: "\nAllowUsers {{ user.name }}"
|
||||||
line: '{{ user.ssh_key }}'
|
insertafter: '^UsePAM'
|
||||||
owner: '{{ user.name }}'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
group: '{{ user.name }}'
|
notify:
|
||||||
|
- reload sshd
|
||||||
|
when: grep_allowusers_ssh.rc != 0
|
||||||
|
|
||||||
- name: Modify AllowUsers' sshd directive for '{{ user.name }}'
|
- name: Modify AllowUsers' sshd directive for '{{ user.name }}'
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
|
regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
|
||||||
replace: '\1 {{ user.name }}'
|
replace: '\1 {{ user.name }}'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify:
|
||||||
|
- reload sshd
|
||||||
|
when: grep_allowusers_ssh.rc == 0
|
||||||
|
|
||||||
|
- name: verify Match User directive
|
||||||
|
command: "grep 'Match User' /etc/ssh/sshd_config"
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
register: grep_matchuser_ssh
|
||||||
|
|
||||||
|
- name: Add Match User sshd directive for '{{ user.name }}'
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify:
|
notify:
|
||||||
- reload sshd
|
- reload sshd
|
||||||
|
when: grep_matchuser_ssh.rc != 0
|
||||||
|
|
||||||
- name: Modify Match User's sshd directive for '{{ user.name }}'
|
- name: Modify Match User's sshd directive for '{{ user.name }}'
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||||
replace: '\1,{{ user.name }}'
|
replace: '\1,{{ user.name }}'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify:
|
notify:
|
||||||
- reload sshd
|
- reload sshd
|
||||||
|
when: grep_matchuser_ssh.rc == 0
|
||||||
|
|
||||||
- name: Evolinux sudoers file is present
|
- name: Verify Evolinux sudoers file presence
|
||||||
template:
|
template:
|
||||||
src: sudoers_debian.j2
|
src: sudoers_debian.j2
|
||||||
dest: /etc/sudoers.d/evolinux
|
dest: /etc/sudoers.d/evolinux
|
||||||
|
|
Loading…
Reference in a new issue