diff --git a/evolinux-base/README.md b/evolinux-base/README.md
index 09142d78..f8477346 100644
--- a/evolinux-base/README.md
+++ b/evolinux-base/README.md
@@ -25,5 +25,7 @@ Main variables are :
 * `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
 * `evolinux_postfix_slow_transports_enabled`: configure slow transports (default: `True`) ;
 * `evolinux_postfix_remove_exim`: remove Exim4 packages (default: `True`) ;
+* `evolinux_ssh_password_auth_addresses`: list of addresses that can authennticate with a password (default: `[]`)
+* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`)
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 94067d1b..42e3ad32 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -44,6 +44,11 @@ evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
 evolinux_default_www_nginx_enabled: False
 evolinux_default_www_apache_enabled: False
 
+# ssh
+
+evolinux_ssh_password_auth_addresses: []
+evolinux_ssh_disable_root: True
+
 # misc.
 
 evolinux_ntp_server: Null
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml
index bf6dacb8..e08e2226 100644
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@@ -20,6 +20,9 @@
 - name: Root user configuration
   include: root.yml
 
+- name: SSH configuration
+  include: ssh.yml
+
 - name: Postfix
   include: postfix.yml
 
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
new file mode 100644
index 00000000..7be52de2
--- /dev/null
+++ b/evolinux-base/tasks/ssh.yml
@@ -0,0 +1,39 @@
+---
+- name: verify Match Address directive
+  command: "grep 'Match Address' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  register: grep_matchaddress_ssh
+
+- name: Add Match Address sshd directive
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify:
+    - reload sshd
+  when: grep_matchaddress_ssh.rc != 0
+
+- name: Modify Match Address sshd directive
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match Address ((?!{{ item }}).)*)$'
+    replace: '\1,{{ item }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  with_items: "{{ evolinux_ssh_password_auth_addresses }}"
+  notify:
+    - reload sshd
+  when: grep_matchaddress_ssh.rc == 0
+
+- name: disable SSH access for root
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin (yes|without-password)'
+    replace: "PermitRootLogin no"
+  when: evolinux_ssh_disable_root
+
+- name: disable AcceptEnv in ssh config
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^AcceptEnv'
+    replace: "#AcceptEnv"
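Review bot: The `Match Address … PasswordAuthentication yes` block added by the `Add Match Address sshd directive` task never acts as an allowlist, because nothing in this file sets the global `PasswordAuthentication no` it is meant to override; on a stock Debian sshd_config that directive is commented out and defaults to yes, so passwords stay accepted from every address. With the shipped default `evolinux_ssh_password_auth_addresses: []` the same task also writes `Match Address ` with no argument, which `sshd -T` should reject as a missing Match criterion and fail the play before the root and AcceptEnv tasks run. The `disable SSH access for root` replace only matches `yes|without-password`, so a commented `#PermitRootLogin prohibit-password` (the OpenSSH 7+ default) or `forced-commands-only` is left untouched and root key login stays enabled, and neither that task nor the AcceptEnv one carries `validate` or `notify: reload sshd`, so the edit is not applied to the running daemon. The rewrite below sets the global default with `insertbefore: '^Match '` (anything appended after the Match block would otherwise become part of it), guards the Match tasks on a non-empty list, and widens the root-login regex with validation and a reload.
```yaml
# … unchanged: verify Match Address directive …

- name: Disable password authentication globally (Match Address block re-enables it per address)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication '
    line: "PasswordAuthentication no"
    insertbefore: '^Match '
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - reload sshd
  when: evolinux_ssh_password_auth_addresses | length > 0

- name: Add Match Address sshd directive
  # … unchanged: lineinfile args, validate, notify …
  when: grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses | length > 0

# … unchanged: Modify Match Address sshd directive (with_items is a no-op on an empty list) …

- name: disable SSH access for root
  replace:
    dest: /etc/ssh/sshd_config
    # also catch the commented Debian default and the prohibit-password / forced-commands-only forms
    regexp: '^#?PermitRootLogin .*$'
    replace: "PermitRootLogin no"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - reload sshd
  when: evolinux_ssh_disable_root

- name: disable AcceptEnv in ssh config
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^AcceptEnv'
    replace: "#AcceptEnv"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - reload sshd
```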