Normalize conditions and check Match User statement better
No need for two facts if one invalidates the other.
This commit is contained in:
parent
6ac874cbc6
commit
cf9ea7415a
@ -29,23 +29,16 @@
|
||||||
- set_fact:
|
- set_fact:
|
||||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
||||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
|
||||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
var: ssh_allowgroups
|
var: ssh_allowgroups
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
|
||||||
- debug:
|
|
||||||
var: ssh_allowusers
|
|
||||||
verbosity: 1
|
|
||||||
|
|
||||||
- include: ssh_allowgroups.yml
|
- include: ssh_allowgroups.yml
|
||||||
vars:
|
vars:
|
||||||
- allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"
|
- allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"
|
||||||
when:
|
when:
|
||||||
- ssh_allowgroups
|
- ssh_allowgroups
|
||||||
- not ssh_allowusers
|
|
||||||
|
|
||||||
- name: "Add AllowUsers sshd directive with all users"
|
- name: "Add AllowUsers sshd directive with all users"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -56,7 +49,6 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- grep_allowusers_ssh.rc != 0
|
- grep_allowusers_ssh.rc != 0
|
||||||
- ssh_allowusers
|
|
||||||
- not ssh_allowgroups
|
- not ssh_allowgroups
|
||||||
|
|
||||||
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
||||||
|
@ -67,7 +59,9 @@
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
with_dict: "{{ evolinux_users }}"
|
with_dict: "{{ evolinux_users }}"
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_allowusers_ssh.rc == 0
|
when:
|
||||||
|
- grep_allowusers_ssh.rc == 0
|
||||||
|
- not ssh_allowgroups
|
||||||
|
|
||||||
- name: "verify Match User directive"
|
- name: "verify Match User directive"
|
||||||
command: "grep -E '^Match User' /etc/ssh/sshd_config"
|
command: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||||
|
@ -75,9 +69,7 @@
|
||||||
failed_when: False
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: grep_matchuser_ssh
|
register: grep_matchuser_ssh
|
||||||
when:
|
when: not ssh_allowgroups
|
||||||
- ssh_allowusers
|
|
||||||
- not ssh_allowgroups
|
|
||||||
|
|
||||||
- name: "Add Match User sshd directive with all users"
|
- name: "Add Match User sshd directive with all users"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -86,7 +78,9 @@
|
||||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_matchuser_ssh != 0
|
when:
|
||||||
|
- grep_matchuser_ssh != 0
|
||||||
|
- not ssh_allowgroups
|
||||||
|
|
||||||
- name: "Append '{{ item.name }}' to Match User's sshd directive"
|
- name: "Append '{{ item.name }}' to Match User's sshd directive"
|
||||||
replace:
|
replace:
|
||||||
|
@ -96,7 +90,9 @@
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
with_dict: "{{ evolinux_users }}"
|
with_dict: "{{ evolinux_users }}"
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_matchuser_ssh.rc == 0
|
when:
|
||||||
|
- grep_matchuser_ssh.rc == 0
|
||||||
|
- not ssh_allowgroups
|
||||||
|
|
||||||
- name: disable root login
|
- name: disable root login
|
||||||
replace:
|
replace:
|
||||||
|
|
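Review bot: The rewritten `when:` on the "Add Match User sshd directive with all users" task keeps `- grep_matchuser_ssh != 0`, which compares the whole registered result dict to an integer and is therefore always true, so only `not ssh_allowgroups` actually gates the task and the lineinfile runs whether or not grep found an existing `Match User` line (whether its regexp, outside the hunk, keeps that idempotent cannot be seen here); the sibling task tests `grep_matchuser_ssh.rc == 0`, and this one should mirror it as `- grep_matchuser_ssh.rc != 0`. Since the commit title promises a better Match User check, this is the line that needs it. A second, related point: the "verify Match User directive" task is now skipped when `ssh_allowgroups` is true, and a skipped registration carries no `rc`, so the two following tasks that read `grep_matchuser_ssh.rc` as their first list condition may fail with an undefined-attribute error before `not ssh_allowgroups` is ever evaluated (Ansible appears to evaluate `when` lists in order); listing `- not ssh_allowgroups` first in those tasks avoids that.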