From b01d9178d0ed008ac4e9cc8dad3a753c8ae36ad1 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 1 Mar 2018 11:07:43 +0100
Subject: [PATCH] evolinux-users: split AllowGroups/AllowUsers modes

If an AllowGroups directive is found or when using Debian 9+, we use the AllowGroups directive and comment AllowUsers that may be already present. When adding a user, we make sure that the allowed group exists and the use is in that group, to be sure that at least this user is allowed to connect. In other situations, we use the AllowUsers directive.
---
 CHANGELOG.md                        |  1 +
 evolinux-base/tasks/ssh.yml         |  4 +-
 evolinux-users/defaults/main.yml    |  3 ++
 evolinux-users/tasks/ssh.yml        | 68 +++-------------------------
 evolinux-users/tasks/ssh_groups.yml | 65 +++++++++++++++++++++++++++
 evolinux-users/tasks/ssh_users.yml  | 53 ++++++++++++++++++++++
 6 files changed, 130 insertions(+), 64 deletions(-)
 create mode 100644 evolinux-users/tasks/ssh_groups.yml
 create mode 100644 evolinux-users/tasks/ssh_users.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12c19b85..169554c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -53,6 +53,7 @@ The **patch** part changes incrementally at each release.
 * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
 * elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
 * evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
+* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
 * mongodb: allow unauthenticated packages for Jessie
 * mongodb: configuration is forced by default but it's configurable (default: `false`)
 * mongodb: rename logrotate script
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
index 773de28f..40970ca6 100644
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
@@ -63,16 +63,16 @@
 - name: "Get current user"
   command: logname
+  changed_when: False
   register: logname
   check_mode: no
-  changed_when: False
   when: evolinux_ssh_allow_current_user

 # we must double-escape caracters, because python
 - name: verify AllowUsers directive
   command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
-  changed_when: False
   failed_when: False
+  changed_when: False
   register: grep_allowusers_ssh
   check_mode: no
   when: evolinux_ssh_allow_current_user
diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml
index d7d6f958..fe97185c 100644
--- a/evolinux-users/defaults/main.yml
+++ b/evolinux-users/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
 evolinux_users: {}
+
 evolinux_sudo_group: "evolinux-sudo"
+evolinux_ssh_group: "evolinux-ssh"
+
 evolinux_root_disable_ssh: True
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 75b47ce2..6456bc24 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -1,6 +1,5 @@
 ---
-

 - name: "Create .ssh directory for '{{ user.name }}'"
   file:
     dest: '/home/{{ user.name }}/.ssh/'
@@ -30,68 +29,13 @@
   command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
   changed_when: False
   failed_when: False
-  register: grep_allowgroups_ssh
   check_mode: no
+  register: grep_allowgroups_ssh

-  # If AllowGroups is present, we don't change
-- debug:
-    msg: "AllowGroups detected : You have to configure SSH manually"
-  when: grep_allowgroups_ssh.rc == 0
-
-- block:
-  # If AllowGroups is not present, we proceed as usual
-  - name: verify AllowUsers directive
-    command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
-    changed_when: False
-    failed_when: False
-    register: grep_allowusers_ssh
-    check_mode: no
-  - name: "Add AllowUsers sshd directive for '{{ user.name }}'"
-    lineinfile:
-      dest: /etc/ssh/sshd_config
-      line: "\nAllowUsers {{ user.name }}"
-      insertafter: 'Subsystem'
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when: grep_allowusers_ssh.rc != 0
-  - name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
-    replace:
-      dest: /etc/ssh/sshd_config
-      regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
-      replace: '\1 {{ user.name }}'
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when: grep_allowusers_ssh.rc == 0
-  - name: "verify Match User directive"
-    command: "grep 'Match User' /etc/ssh/sshd_config"
-    changed_when: False
-    failed_when: False
-    register: grep_matchuser_ssh
-    check_mode: no
-  - name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
-    lineinfile:
-      dest: /etc/ssh/sshd_config
-      line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
-      insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when:
-      - ansible_distribution_release == "jessie"
-      - grep_matchuser_ssh.rc != 0
-  - name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
-    replace:
-      dest: /etc/ssh/sshd_config
-      regexp: '^(Match User ((?!{{ user.name }}).)*)$'
-      replace: '\1,{{ user.name }}'
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when:
-      - ansible_distribution_release == "jessie"
-      - grep_matchuser_ssh.rc == 0
+# If AllowGroups is present or Debian 9+, use AllowGroups mode
+- include: ssh_groups.yml
+  when: grep_allowgroups_ssh.rc == 0 or ansible_distribution_major_version | version_compare('9', '>=')
+# If AllowGroups is absent, use AllowUsers mode
+- include: ssh_users.yml
   when: grep_allowgroups_ssh.rc != 0
diff --git a/evolinux-users/tasks/ssh_groups.yml b/evolinux-users/tasks/ssh_groups.yml
new file mode 100644
index 00000000..66759ac8
--- /dev/null
+++ b/evolinux-users/tasks/ssh_groups.yml
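Review bot: The two include conditions added at the end of the hunk are not mutually exclusive: on Debian 9+ with no AllowGroups line yet, `grep_allowgroups_ssh.rc != 0` holds for both, so ssh_groups.yml runs (adding AllowGroups and commenting out AllowUsers) and ssh_users.yml then runs as well and, finding no active AllowUsers line, adds a fresh `AllowUsers {{ user.name }}`. sshd applies AllowUsers and AllowGroups together, so after the first run the host carries both restrictions instead of the AllowGroups-only mode the commit message describes, and the stray line is only commented out on a later run. The users include should be limited to the remaining case, e.g. `when: grep_allowgroups_ssh.rc != 0 and ansible_distribution_major_version | version_compare('9', '<')`. The task that registers grep_allowgroups_ssh starts before the hunk.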
@@ -0,0 +1,65 @@
+---
+
+- name: "Unix group '{{ evolinux_ssh_group }}' is present"
+  group:
+    name: "{{ evolinux_ssh_group }}"
+    state: present
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_ssh_group }}"
+    append: yes
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowgroups_ssh.rc != 0
+
+- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
+    replace: '\1 {{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowgroups_ssh.rc == 0
+
+- name: disable AllowUsers directive if present
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers)'
+    replace: '# \1'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+
+- name: "verify Match Group directive"
+  command: "grep 'Match Group' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_matchgroup_ssh
+
+- name: "Add Match Group sshd directive with '{{ evolinux_ssh_group }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nMatch Group {{ evolinux_ssh_group }}\n PasswordAuthentication no"
+    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchgroup_ssh.rc != 0
+
+- name: "Append '{{ evolinux_ssh_group }}' to Match Group's sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match Group ((?!{{ evolinux_ssh_group }}).)*)$'
+    replace: '\1,{{ evolinux_ssh_group }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchgroup_ssh.rc == 0
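Review bot: In the task "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" the regexp looks for an AllowGroups line that lacks the group, but the replacement appends `{{ user.name }}`, so a user name is written into AllowGroups instead of the group name; this reads like a leftover from the AllowUsers version of the task. Since the next task then comments out every active AllowUsers line unconditionally, a host that already had an AllowGroups line ends up with the new user placed in the group but the group itself never allowed, which would lock out that user (and anyone previously admitted only via AllowUsers); the `sshd -T` validate step does not flag this, because AllowGroups entries are patterns and are not checked against existing groups. The fix is `replace: '\1 {{ evolinux_ssh_group }}'`. Separately, the Match Group append regexp uses `(?!{{ evolinux_ssh_group }})` without the `\b` anchors the AllowGroups regexp uses, so an existing group whose name merely starts with the same string would suppress the append.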
diff --git a/evolinux-users/tasks/ssh_users.yml b/evolinux-users/tasks/ssh_users.yml
new file mode 100644
index 00000000..a5bc3325
--- /dev/null
+++ b/evolinux-users/tasks/ssh_users.yml
@@ -0,0 +1,53 @@
+---
+
+- name: verify AllowUsers directive
+  shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowusers_ssh
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowUsers {{ user.name }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowusers_ssh.rc != 0
+
+- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
+    replace: '\1 {{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowusers_ssh.rc == 0
+
+- name: "verify Match User directive"
+  command: "grep 'Match User' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_matchuser_ssh
+
+- name: "Add Match User sshd directive with '{{ user.name }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
+    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchuser_ssh.rc != 0
+
+- name: "Append '{{ user.name }}' to Match User's sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
+    replace: '\1,{{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchuser_ssh.rc == 0
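Review bot: The first task, "verify AllowUsers directive", runs its grep through `shell:` while every other grep in this commit (the Match User task below, and the AllowGroups and Match Group greps in ssh.yml and ssh_groups.yml) uses `command:`; the argument is a fixed string, so no shell is needed, and `command:` keeps the quoted pattern out of shell interpretation and the style consistent — `command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"`. The "Append '{{ user.name }}' to Match User's sshd directive" regexp tests `(?!{{ user.name }})` without the `\b` anchors used in the AllowUsers regexp above it, so a user whose name is a prefix of an entry already listed (for example `bob` when `bobby` is present) is silently not appended and stays outside the `PasswordAuthentication no` match; `regexp: '^(Match User ((?!\b{{ user.name }}\b).)*)$'` would bring it in line with the AllowUsers task.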