evolinux-users: split AllowGroups/AllowUsers modes

If an AllowGroups directive is found or when using Debian 9+,
we use the AllowGroups directive and comment AllowUsers that may be
already present.
When adding a user, we make sure that the allowed group exists
and the user is in that group, to be sure that at least this user
is allowed to connect.

In other situations, we use the AllowUsers directive.
Jérémy Lecour 2018-03-01 11:07:43 +01:00 committed by Jérémy Lecour
parent b866b6fa0a
commit b01d9178d0
6 changed files with 130 additions and 64 deletions


@ -53,6 +53,7 @@ The **patch** part changes incrementally at each release.
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
* mongodb: allow unauthenticated packages for Jessie
* mongodb: configuration is forced by default but it's configurable (default: `false`)
* mongodb: rename logrotate script


@ -63,16 +63,16 @@
- name: "Get current user"
command: logname
changed_when: False
register: logname
check_mode: no
changed_when: False
when: evolinux_ssh_allow_current_user
# we must double-escape caracters, because python
- name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
changed_when: False
register: grep_allowusers_ssh
check_mode: no
when: evolinux_ssh_allow_current_user


@ -1,4 +1,7 @@
---
evolinux_users: {}
evolinux_sudo_group: "evolinux-sudo"
evolinux_ssh_group: "evolinux-ssh"
evolinux_root_disable_ssh: True


@ -1,6 +1,5 @@
---
- name: "Create .ssh directory for '{{ user.name }}'"
file:
dest: '/home/{{ user.name }}/.ssh/'
@ -30,68 +29,13 @@
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
register: grep_allowgroups_ssh
check_mode: no
register: grep_allowgroups_ssh
# If AllowGroups is present, we don't change
- debug:
msg: "AllowGroups detected : You have to configure SSH manually"
when: grep_allowgroups_ssh.rc == 0
- block:
# If AllowGroups is not present, we proceed as usual
- name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
register: grep_allowusers_ssh
check_mode: no
- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ user.name }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc != 0
- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
replace: '\1 {{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc == 0
- name: "verify Match User directive"
command: "grep 'Match User' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
register: grep_matchuser_ssh
check_mode: no
- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when:
- ansible_distribution_release == "jessie"
- grep_matchuser_ssh.rc != 0
- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when:
- ansible_distribution_release == "jessie"
- grep_matchuser_ssh.rc == 0
# If AllowGroups is present or Debian 9+, use AllowGroups mode
- include: ssh_groups.yml
when: grep_allowgroups_ssh.rc == 0 or ansible_distribution_major_version | version_compare('9', '>=')
# If AllowGroups is absent, use AllowUsers mode
- include: ssh_users.yml
when: grep_allowgroups_ssh.rc != 0
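Review bot: The two includes are not mutually exclusive: on Debian 9+ with no existing AllowGroups line, the condition on L127 is true and `grep_allowgroups_ssh.rc != 0` on L130 is true as well, so ssh_groups.yml runs (adding AllowGroups and commenting out AllowUsers) and then ssh_users.yml re-adds `AllowUsers {{ user.name }}` because its own grep no longer finds the directive. sshd evaluates AllowUsers and then AllowGroups and a login must satisfy both, so every account that is not both named in AllowUsers and a member of the group is refused, which is a lockout risk for other members of the SSH group. The second include should be the exact complement of the first: `when: grep_allowgroups_ssh.rc != 0 and ansible_distribution_major_version | version_compare('9', '<')`. The registered rc is not refreshed between the includes, so gating on it alone cannot detect the directive ssh_groups.yml just wrote.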


@ -0,0 +1,65 @@
---
- name: "Unix group '{{ evolinux_ssh_group }}' is present"
group:
name: "{{ evolinux_ssh_group }}"
state: present
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_ssh_group }}"
append: yes
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evolinux_ssh_group }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowgroups_ssh.rc != 0
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
replace: '\1 {{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowgroups_ssh.rc == 0
- name: disable AllowUsers directive if present
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers)'
replace: '# \1'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
- name: "verify Match Group directive"
command: "grep 'Match Group' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
check_mode: no
register: grep_matchgroup_ssh
- name: "Add Match Group sshd directive with '{{ evolinux_ssh_group }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nMatch Group {{ evolinux_ssh_group }}\n PasswordAuthentication no"
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when:
- grep_matchgroup_ssh.rc != 0
- name: "Append '{{ evolinux_ssh_group }}' to Match Group's sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(Match Group ((?!{{ evolinux_ssh_group }}).)*)$'
replace: '\1,{{ evolinux_ssh_group }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when:
- grep_matchgroup_ssh.rc == 0
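Review bot: The append task on L153-160 writes the wrong value: the regexp on L156 checks that `{{ evolinux_ssh_group }}` is absent from the AllowGroups line, but the replacement on L157 appends `{{ user.name }}`, so an existing AllowGroups line gains a user name in place of a group and the intended group is never added; it should read `replace: '\1 {{ evolinux_ssh_group }}'`. Separately, the task on L161-167 comments out every AllowUsers line unconditionally, which revokes access for any account that was allowed by name but is not in the new group; that deserves a comment above the task such as `# Accounts previously allowed only via AllowUsers lose SSH access unless they are added to evolinux_ssh_group`. The `Match Group` lookahead on L186 also lacks the `\b` anchors used on L156, so a group whose name merely starts with the configured one would suppress the append.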


@ -0,0 +1,53 @@
---
- name: verify AllowUsers directive
shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
check_mode: no
register: grep_allowusers_ssh
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ user.name }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc != 0
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
replace: '\1 {{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc == 0
- name: "verify Match User directive"
command: "grep 'Match User' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
check_mode: no
register: grep_matchuser_ssh
- name: "Add Match User sshd directive with '{{ user.name }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when:
- grep_matchuser_ssh.rc != 0
- name: "Append '{{ user.name }}' to Match User's sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when:
- grep_matchuser_ssh.rc == 0
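Review bot: The `Match User` append on L237 uses `(?!{{ user.name }})` without the `\b` anchors that L214 uses for AllowUsers, so when the existing line already names a user whose name starts with the new one (for example `bobby` when adding `bob`) the regexp never matches and the new user is never placed under `PasswordAuthentication no`; use `regexp: '^(Match User ((?!\b{{ user.name }}\b).)*)$'`. On L198 the grep runs through `shell:` while the equivalent check on L220 uses `command:`; nothing here needs shell features, so `command:` keeps the two consistent and avoids having the argument re-parsed by a shell.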