evolinux-base: reorganize ssh section
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|4717|90|4627|233|:+1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/218//ansiblelint">Evolix » ansible-roles » unstable #218</a>
gitea/ansible-roles/pipeline/head This commit looks good
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|4717|90|4627|233|:+1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/218//ansiblelint">Evolix » ansible-roles » unstable #218</a>
gitea/ansible-roles/pipeline/head This commit looks good
This commit is contained in:
parent
38b106a8f2
commit
958109c3b3
|
@ -56,9 +56,17 @@
|
||||||
name: evolix/evomaintenance
|
name: evolix/evomaintenance
|
||||||
when: evolinux_evomaintenance_include | bool
|
when: evolinux_evomaintenance_include | bool
|
||||||
|
|
||||||
- name: SSH configuration
|
- name: SSH configuration (single file)
|
||||||
include: ssh.yml
|
import_tasks: ssh.single-file.yml
|
||||||
when: evolinux_ssh_include | bool
|
when:
|
||||||
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
|
- evolinux_ssh_include | bool
|
||||||
|
|
||||||
|
- name: SSH configuration (included-files)
|
||||||
|
import_tasks: ssh.included-files.yml
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
- evolinux_ssh_include | bool
|
||||||
|
|
||||||
### disabled because of a memory leak
|
### disabled because of a memory leak
|
||||||
# - name: Create evolinux users
|
# - name: Create evolinux users
|
||||||
|
|
104
evolinux-base/tasks/ssh.included-files.yml
Normal file
104
evolinux-base/tasks/ssh.included-files.yml
Normal file
|
@ -0,0 +1,104 @@
|
||||||
|
---
|
||||||
|
# This is a copy of ssh.single-file.yml
|
||||||
|
# It needs to be changed when we move to a included-files configuration
|
||||||
|
|
||||||
|
|
||||||
|
- ansible.builtin.debug:
|
||||||
|
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
||||||
|
when: evolinux_ssh_password_auth_addresses == []
|
||||||
|
|
||||||
|
# From 'man sshd_config' :
|
||||||
|
# « If all of the criteria on the Match line are satisfied, the keywords
|
||||||
|
# on the following lines override those set in the global section of the config
|
||||||
|
# file, until either another Match line or the end of the file.
|
||||||
|
# If a keyword appears in multiple Match blocks that are satisfied,
|
||||||
|
# only the first instance of the keyword is applied. »
|
||||||
|
#
|
||||||
|
# We want to allow any user from a list of IP addresses to login with password,
|
||||||
|
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||||
|
|
||||||
|
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||||
|
ansible.builtin.blockinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||||
|
block: |
|
||||||
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
Match Group {{ evolinux_internal_group }}
|
||||||
|
PasswordAuthentication no
|
||||||
|
insertafter: EOF
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- evolinux_ssh_password_auth_addresses != []
|
||||||
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
|
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||||
|
ansible.builtin.blockinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||||
|
block: |
|
||||||
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
insertafter: EOF
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- evolinux_ssh_password_auth_addresses != []
|
||||||
|
- ansible_distribution_major_version is version('10', '<')
|
||||||
|
|
||||||
|
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||||
|
# do not want clients to push their environment variables like LANG.
|
||||||
|
- name: disable AcceptEnv in ssh config
|
||||||
|
ansible.builtin.replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^AcceptEnv'
|
||||||
|
replace: "#AcceptEnv"
|
||||||
|
notify: reload sshd
|
||||||
|
when: evolinux_ssh_disable_acceptenv | bool
|
||||||
|
|
||||||
|
- name: Set log level to verbose (for Debian >= 9)
|
||||||
|
ansible.builtin.replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^#?LogLevel [A-Z]+'
|
||||||
|
replace: "LogLevel VERBOSE"
|
||||||
|
notify: reload sshd
|
||||||
|
when: ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
|
- name: "Get current user"
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: logname
|
||||||
|
changed_when: False
|
||||||
|
register: logname
|
||||||
|
check_mode: no
|
||||||
|
when: evolinux_ssh_allow_current_user | bool
|
||||||
|
|
||||||
|
# we must double-escape caracters, because python
|
||||||
|
- name: verify AllowUsers directive
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
register: grep_allowusers_ssh
|
||||||
|
check_mode: no
|
||||||
|
when: evolinux_ssh_allow_current_user | bool
|
||||||
|
|
||||||
|
- name: "Add AllowUsers sshd directive for current user"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
line: "\nAllowUsers {{ logname.stdout }}"
|
||||||
|
insertafter: 'Subsystem'
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||||
|
|
||||||
|
- name: "Modify AllowUsers sshd directive for current user"
|
||||||
|
ansible.builtin.replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
||||||
|
replace: '\1 {{ logname.stdout }}'
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
||||||
|
|
||||||
|
- ansible.builtin.meta: flush_handlers
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
||||||
when: evolinux_ssh_password_auth_addresses == []
|
when: evolinux_ssh_password_auth_addresses == []
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@
|
||||||
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||||
|
|
||||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||||
block: |
|
block: |
|
||||||
|
@ -30,7 +30,7 @@
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||||
block: |
|
block: |
|
||||||
|
@ -46,7 +46,7 @@
|
||||||
# We disable AcceptEnv because it can be a security issue, but also because we
|
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||||
# do not want clients to push their environment variables like LANG.
|
# do not want clients to push their environment variables like LANG.
|
||||||
- name: disable AcceptEnv in ssh config
|
- name: disable AcceptEnv in ssh config
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^AcceptEnv'
|
regexp: '^AcceptEnv'
|
||||||
replace: "#AcceptEnv"
|
replace: "#AcceptEnv"
|
||||||
|
@ -54,7 +54,7 @@
|
||||||
when: evolinux_ssh_disable_acceptenv | bool
|
when: evolinux_ssh_disable_acceptenv | bool
|
||||||
|
|
||||||
- name: Set log level to verbose (for Debian >= 9)
|
- name: Set log level to verbose (for Debian >= 9)
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^#?LogLevel [A-Z]+'
|
regexp: '^#?LogLevel [A-Z]+'
|
||||||
replace: "LogLevel VERBOSE"
|
replace: "LogLevel VERBOSE"
|
||||||
|
@ -62,7 +62,8 @@
|
||||||
when: ansible_distribution_major_version is version('9', '>=')
|
when: ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- name: "Get current user"
|
- name: "Get current user"
|
||||||
command: logname
|
ansible.builtin.command:
|
||||||
|
cmd: logname
|
||||||
changed_when: False
|
changed_when: False
|
||||||
register: logname
|
register: logname
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
@ -70,7 +71,8 @@
|
||||||
|
|
||||||
# we must double-escape caracters, because python
|
# we must double-escape caracters, because python
|
||||||
- name: verify AllowUsers directive
|
- name: verify AllowUsers directive
|
||||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
ansible.builtin.command:
|
||||||
|
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
register: grep_allowusers_ssh
|
register: grep_allowusers_ssh
|
||||||
|
@ -78,7 +80,7 @@
|
||||||
when: evolinux_ssh_allow_current_user | bool
|
when: evolinux_ssh_allow_current_user | bool
|
||||||
|
|
||||||
- name: "Add AllowUsers sshd directive for current user"
|
- name: "Add AllowUsers sshd directive for current user"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
line: "\nAllowUsers {{ logname.stdout }}"
|
line: "\nAllowUsers {{ logname.stdout }}"
|
||||||
insertafter: 'Subsystem'
|
insertafter: 'Subsystem'
|
||||||
|
@ -87,7 +89,7 @@
|
||||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||||
|
|
||||||
- name: "Modify AllowUsers sshd directive for current user"
|
- name: "Modify AllowUsers sshd directive for current user"
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
||||||
replace: '\1 {{ logname.stdout }}'
|
replace: '\1 {{ logname.stdout }}'
|
||||||
|
@ -95,4 +97,4 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
Loading…
Reference in a new issue