evolinux: groups for SSH configuration are used with Debian 10 and later

Jérémy Lecour 2018-04-20 14:38:45 +02:00 committed by Jérémy Lecour
parent e79640d770
commit 8384e8ba43
3 changed files with 9 additions and 8 deletions


@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
### Added
### Changed
* evolinux: groups for SSH configuration are used with Debian 10 and later
* evolinux-base: fail2ban is not enabled by default
* evolinux-users: refactoring of the SSH configuration
* mysql-oracle: copy evolinux config files in mysql.cond.d


@ -13,7 +13,7 @@
# We want to allow any user from a list of IP addresses to login with password,
# but users of the "evolix" group can't login with password from other IP addresses
- name: Security directives for Evolinux (Debian 9 or later)"
- name: Security directives for Evolinux (Debian 10 or later)"
blockinfile:
dest: /etc/ssh/sshd_config
block: |
@ -27,9 +27,9 @@
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
- ansible_distribution_major_version | version_compare('9', '>=')
- ansible_distribution_major_version | version_compare('10', '>=')
- name: Security directives for Evolinux (Jessie)
- name: Security directives for Evolinux (Jessie/Stretch)
blockinfile:
dest: /etc/ssh/sshd_config
block: |
@ -41,7 +41,7 @@
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
- ansible_distribution_release == "jessie"
- ansible_distribution_major_version | version_compare('10', '<')
# We disable AcceptEnv because it can be a security issue, but also because we
# do not want clients to push their environment variables like LANG.
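Review bot: Debian 9 hosts already converged under the old `'9', '>='` condition now fall under the `(Jessie/Stretch)` task in the second and third hunks, and nothing visible confirms that the block written earlier is replaced rather than left next to the new one. `blockinfile` finds its block by marker, and the `block:` bodies and any `marker:` sit outside these hunks; if both tasks use the same marker the block is rewritten in place, otherwise the earlier directives would remain in `/etc/ssh/sshd_config` alongside the new ones. This is worth confirming on a Stretch host, together with adding `validate: '/usr/sbin/sshd -t -f %s'` to both tasks if it is not already there, so a broken file never reaches `reload sshd`. The renamed task in the first hunk also keeps a stray trailing `"` in its `name:`.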


@ -43,18 +43,18 @@
# Unix groups
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 9 or later)"
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
group:
name: "{{ evolinux_ssh_group }}"
state: present
when: ansible_distribution_major_version | version_compare('9', '>=')
when: ansible_distribution_major_version | version_compare('10', '>=')
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 9 or later)"
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_ssh_group }}"
append: yes
when: ansible_distribution_major_version | version_compare('9', '>=')
when: ansible_distribution_major_version | version_compare('10', '>=')
- name: "Secondary Unix groups are present"
group:
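Review bot: Both changed `when:` lines now depend on `ansible_distribution_major_version | version_compare('10', '>=')`, and that fact may not be numeric on a pre-release Debian (testing/sid), which is presumably the only place a 10-or-later host exists at this commit's date. If so, the comparison could error or give an unexpected result, and the SSH group tasks would not run as intended; the sshd_config tasks in the previous file use the same test. I would check the fact on a buster host and record the result in a comment above the first task, e.g. `# major_version must be numeric for this test; verified on buster`. Debian 9 hosts provisioned by earlier runs also keep the group and its memberships, since no task visible here removes them.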