From 8384e8ba43809d71feca591e73422febe3eff3e5 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 20 Apr 2018 14:38:45 +0200
Subject: [PATCH] evolinux: groups for SSH configuration are used with Debian 10 and later
---
 CHANGELOG.md | 1 +
 evolinux-base/tasks/ssh.yml | 8 ++++----
 evolinux-users/tasks/user.yml | 8 ++++----
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7267eae..dda51696 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
 ### Added
 ### Changed
+* evolinux: groups for SSH configuration are used with Debian 10 and later
 * evolinux-base: fail2ban is not enabled by default
 * evolinux-users: refactoring of the SSH configuration
 * mysql-oracle: copy evolinux config files in mysql.cond.d
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
index 40970ca6..323ef8ae 100644
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
@@ -13,7 +13,7 @@
 # We want to allow any user from a list of IP addresses to login with password,
 # but users of the "evolix" group can't login with password from other IP addresses
-- name: Security directives for Evolinux (Debian 9 or later)"
+- name: Security directives for Evolinux (Debian 10 or later)"
 blockinfile:
 dest: /etc/ssh/sshd_config
 block: |
@@ -27,9 +27,9 @@
 notify: reload sshd
 when:
 - evolinux_ssh_password_auth_addresses != []
- - ansible_distribution_major_version | version_compare('9', '>=')
+ - ansible_distribution_major_version | version_compare('10', '>=')
-- name: Security directives for Evolinux (Jessie)
+- name: Security directives for Evolinux (Jessie/Stretch)
 blockinfile:
 dest: /etc/ssh/sshd_config
 block: |
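Review bot: The rewritten task name in the `@@ -13,7 +13,7 @@` hunk of evolinux-base/tasks/ssh.yml still ends with a double quote that has no opening partner, so YAML reads the value as a plain scalar and the quote becomes part of the displayed name. Since the line is being touched anyway, quote the whole value: `- name: "Security directives for Evolinux (Debian 10 or later)"`. The task body continues past the hunk; the content under `block: |` is not shown.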
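Review bot: `version_compare` is applied with filter syntax in the new `when:` item of the `@@ -27,9 +27,9 @@` hunk, a form Ansible deprecated in 2.5 in favour of test syntax, with the test itself renamed to `version`. If these roles target Ansible 2.5 or later, write `- ansible_distribution_major_version is version('10', '>=')`; for older releases `is version_compare('10', '>=')` is the equivalent. The same applies to the `'<'` condition in the `@@ -41,7 +41,7 @@` hunk and to both `when:` lines in evolinux-users/tasks/user.yml.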
@@ -41,7 +41,7 @@
 notify: reload sshd
 when:
 - evolinux_ssh_password_auth_addresses != []
- - ansible_distribution_release == "jessie"
+ - ansible_distribution_major_version | version_compare('10', '<')
 # We disable AcceptEnv because it can be a security issue, but also because we
 # do not want clients to push their environment variables like LANG.
diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml
index ff2b7390..21cb97b3 100644
--- a/evolinux-users/tasks/user.yml
+++ b/evolinux-users/tasks/user.yml
@@ -43,18 +43,18 @@
 # Unix groups
-- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 9 or later)"
+- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
 group:
 name: "{{ evolinux_ssh_group }}"
 state: present
- when: ansible_distribution_major_version | version_compare('9', '>=')
+ when: ansible_distribution_major_version | version_compare('10', '>=')
-- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 9 or later)"
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
 user:
 name: '{{ user.name }}'
 groups: "{{ evolinux_ssh_group }}"
 append: yes
- when: ansible_distribution_major_version | version_compare('9', '>=')
+ when: ansible_distribution_major_version | version_compare('10', '>=')
 - name: "Secondary Unix groups are present"
 group:
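Review bot: The new condition `version_compare('10', '<')` in the `@@ -41,7 +41,7 @@` hunk of evolinux-base/tasks/ssh.yml matches every release below 10, not only the two named in the task title "(Jessie/Stretch)"; the old `== "jessie"` test left anything older untouched. If pre-Jessie hosts should stay excluded, add a lower bound next to it, `- ansible_distribution_major_version | version_compare('8', '>=')`. Stretch hosts also move from the first task to this one, so whether the block they already have in sshd_config is replaced or left beside the new one depends on the `marker` of the two blockinfile tasks, which lies outside these hunks and should be confirmed.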
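Review bot: Nothing in the two gated tasks of evolinux-users/tasks/user.yml undoes the group or the membership on Stretch hosts that already ran them under the old `'9'` gate, so those hosts keep `evolinux_ssh_group` and its members after this change. That is harmless only if no sshd directive on those hosts still refers to the group. The task that presumably writes such a directive is not part of this diff, so its gate should be checked against the `'10'` used here; a mismatch the other way would restrict logins to a group these tasks no longer populate. A comment above the first task would record the coupling: `# Version gate must match the sshd task that references evolinux_ssh_group`. The "Secondary Unix groups" task at the end is cut off by the hunk.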