
evolinux-users: Validate sshd config with "-t" instead of "-T"

See #52
pull/53/head
Ludovic Poujol 9 months ago
parent
commit
890055753e
3 changed files with 7 additions and 6 deletions
  1. +1
    -0
      CHANGELOG.md
  2. +2
    -2
      evolinux-users/tasks/ssh_allowgroups.yml
  3. +4
    -4
      evolinux-users/tasks/ssh_allowusers.yml

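--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,7 @@ The **patch** part changes incrementally at each release.
 * redmine: fix 500 error on logging
 * evolinux-base: Validate sshd config with "-t" instead of "-T"
 * evolinux-base: Ensure rename is present
+* evolinux-users: Validate sshd config with "-t" instead of "-T"
 
 ### Security
 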


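--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -14,7 +14,7 @@
 dest: /etc/ssh/sshd_config
 line: "\nAllowGroups {{ evolinux_ssh_group }}"
 insertafter: 'Subsystem'
-validate: '/usr/sbin/sshd -T -f %s'
+validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: grep_allowgroups_ssh.rc != 0
 
@@ -23,6 +23,6 @@
 dest: /etc/ssh/sshd_config
 regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
 replace: '\1 {{ evolinux_ssh_group }}'
-validate: '/usr/sbin/sshd -T -f %s'
+validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: grep_allowgroups_ssh.rc == 0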
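Review bot: The `regexp` in the second task interpolates `{{ evolinux_ssh_group }}` into the pattern unescaped and relies on `\b` to delimit it, so a group name that is a hyphen- or dot-separated prefix of an entry already on the line (say `ssh` next to `ssh-users`) is treated as present and never appended, and any regex metacharacter in the name changes what matches. `sshd -t` cannot catch this, since it only checks that the file parses and that the host keys are sane; the result is a group silently missing from `AllowGroups`. Consider escaping the value and delimiting on whitespace, for example `regexp: '^(AllowGroups(?!.*\s{{ evolinux_ssh_group | regex_escape }}(\s|$)).*)$'`. The AllowUsers `regexp` in ssh_allowusers.yml has the same shape. Both tasks begin above the hunks shown, so the module name and the grep that sets `grep_allowgroups_ssh` are not visible here.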

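--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ b/evolinux-users/tasks/ssh_allowusers.yml
@@ -14,7 +14,7 @@
 dest: /etc/ssh/sshd_config
 line: "\nAllowUsers {{ user.name }}"
 insertafter: 'Subsystem'
-validate: '/usr/sbin/sshd -T -f %s'
+validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: grep_allowusers_ssh.rc != 0
 
@@ -23,7 +23,7 @@
 dest: /etc/ssh/sshd_config
 regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
 replace: '\1 {{ user.name }}'
-validate: '/usr/sbin/sshd -T -f %s'
+validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: grep_allowusers_ssh.rc == 0
 
@@ -39,7 +39,7 @@
 dest: /etc/ssh/sshd_config
 line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
 insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
-validate: '/usr/sbin/sshd -T -f %s'
+validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: grep_matchuser_ssh.rc != 0
 
@@ -48,6 +48,6 @@
 dest: /etc/ssh/sshd_config
 regexp: '^(Match User ((?!{{ user.name }}).)*)$'
 replace: '\1,{{ user.name }}'
-validate: '/usr/sbin/sshd -T -f %s'
+validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when: grep_matchuser_ssh.rc == 0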
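Review bot: The last task's `regexp`, `'^(Match User ((?!{{ user.name }}).)*)$'`, has no delimiter around the name at all, so a user whose name is a substring of one already listed (`bob` when `bobby` is present) is skipped and never added to the `Match User` line. Going by the insert task above it, that line is what applies `PasswordAuthentication no`, so the skipped account would presumably keep whatever password-authentication setting applies globally; this is worth confirming against the rest of the file. `sshd -t` only checks that the config parses and that the host keys are sane, so validation passes either way. Something like `regexp: '^(Match User (?!(.*,)?{{ user.name | regex_escape }}(,|$)).*)$'` would compare whole comma-separated entries. The tasks start outside the hunks, so the grep that sets `grep_matchuser_ssh` is not visible here.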
