From b31159c9d262b926f26f6bad3145a19ed1982943 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 22 Sep 2019 22:26:21 +0200 Subject: [PATCH] evolinux-base: use "evolinux_internal_group" for SSH authentication --- CHANGELOG.md | 1 + evolinux-base/tasks/ssh.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ff624daf..a4197e66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. ### Changed * elasticsearch: listen on local interface only by default +* evolinux-base: use "evolinux_internal_group" for SSH authentication * squid: split systemd tasks into own file ### Fixed diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 2dab992b..187a26df 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -11,7 +11,7 @@ # only the first instance of the keyword is applied. ยป # # We want to allow any user from a list of IP addresses to login with password, -# but users of the "{{ evolinux_ssh_group }}" group can't login with password from other IP addresses +# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses - name: "Security directives for Evolinux (Debian 10 or later)" blockinfile: @@ -20,7 +20,7 @@ block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes - Match Group {{ evolinux_ssh_group }} + Match Group {{ evolinux_internal_group }} PasswordAuthentication no insertafter: EOF validate: '/usr/sbin/sshd -t -f %s'
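Review bot: The `Match Group {{ evolinux_internal_group }}` line in the second ssh.yml hunk moves the `PasswordAuthentication no` restriction to a different group, and neither hunk documents what now applies to accounts that belonged only to `evolinux_ssh_group`. Such accounts no longer match this block, so they fall back to the global `PasswordAuthentication` value, which is not visible here and should be confirmed to be `no` if key-only login from other addresses is still intended for them. I would add to the comment above the task: `# accounts outside "{{ evolinux_internal_group }}" are not covered by this block and follow the global PasswordAuthentication setting`. The task body starts and ends outside both hunks, so any `when:` guard on the variable being defined cannot be checked from here.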