evolinux-base: add ssh.yml
* disable root login * list authorized addresses * disable AcceptEnv
This commit is contained in:
parent
542cc0ef33
commit
b2971d1f7d
|
|
@ -25,5 +25,7 @@ Main variables are :
|
|||
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
|
||||
* `evolinux_postfix_slow_transports_enabled`: configure slow transports (default: `True`) ;
|
||||
* `evolinux_postfix_remove_exim`: remove Exim4 packages (default: `True`) ;
|
||||
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authennticate with a password (default: `[]`)
|
||||
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`)
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
|||
|
|
@ -44,6 +44,11 @@ evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
|
|||
evolinux_default_www_nginx_enabled: False
|
||||
evolinux_default_www_apache_enabled: False
|
||||
|
||||
# ssh
|
||||
|
||||
evolinux_ssh_password_auth_addresses: []
|
||||
evolinux_ssh_disable_root: True
|
||||
|
||||
# misc.
|
||||
|
||||
evolinux_ntp_server: Null
|
||||
|
|
|
|||
|
|
@ -20,6 +20,9 @@
|
|||
- name: Root user configuration
|
||||
include: root.yml
|
||||
|
||||
- name: SSH configuration
|
||||
include: ssh.yml
|
||||
|
||||
- name: Postfix
|
||||
include: postfix.yml
|
||||
|
||||
|
|
|
|||
39
evolinux-base/tasks/ssh.yml
Normal file
39
evolinux-base/tasks/ssh.yml
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
- name: verify Match Address directive
|
||||
command: "grep 'Match Address' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: grep_matchaddress_ssh
|
||||
|
||||
- name: Add Match Address sshd directive
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify:
|
||||
- reload sshd
|
||||
when: grep_matchaddress_ssh.rc != 0
|
||||
|
||||
- name: Modify Match Address sshd directive
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match Address ((?!{{ item }}).)*)$'
|
||||
replace: '\1,{{ item }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
with_items: "{{ evolinux_ssh_password_auth_addresses }}"
|
||||
notify:
|
||||
- reload sshd
|
||||
when: grep_matchaddress_ssh.rc == 0
|
||||
|
||||
- name: disable SSH access for root
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
when: evolinux_ssh_disable_root
|
||||
|
||||
- name: disable AcceptEnv in ssh config
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^AcceptEnv'
|
||||
replace: "#AcceptEnv"
|
||||
Loading…
Reference in a new issue