diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 960345cf..aeaeb8de 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -32,9 +32,17 @@
 check_mode: no
 register: grep_allowgroups_ssh

-# If AllowGroups is present or Debian 9+, use AllowGroups mode
+- name: verify AllowUsers directive
+ shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+ changed_when: False
+ failed_when: False
+ check_mode: no
+ register: grep_allowusers_ssh
+
+# If AllowGroups is present or
+# if AllowUsers is absent and Debian 9+, use AllowGroups mode
 - include: ssh_allowgroups.yml
- when: grep_allowgroups_ssh.rc == 0 or ansible_distribution_major_version | version_compare('9', '>=')
+ when: grep_allowgroups_ssh.rc == 0 or (grep_allowusers_ssh.rc != 0 and ansible_distribution_major_version | version_compare('9', '>='))

 # If AllowGroups is absent, use AllowUsers mode
 - include: ssh_allowusers.yml
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 66759ac8..7e8f8211 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -29,13 +29,13 @@
 notify: reload sshd
 when: grep_allowgroups_ssh.rc == 0

-- name: disable AllowUsers directive if present
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(AllowUsers)'
- replace: '# \1'
- validate: '/usr/sbin/sshd -T -f %s'
- notify: reload sshd
+# - name: disable AllowUsers directive if present
+# replace:
+# dest: /etc/ssh/sshd_config
+# regexp: '^(AllowUsers)'
+# replace: '# \1'
+# validate: '/usr/sbin/sshd -T -f %s'
+# notify: reload sshd

 - name: "verify Match Group directive"
 command: "grep 'Match Group' /etc/ssh/sshd_config"
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml
index a5bc3325..3676c418 100644
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ b/evolinux-users/tasks/ssh_allowusers.yml
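Review bot: When sshd_config already holds both AllowGroups and AllowUsers, the rewritten `when:` on `- include: ssh_allowgroups.yml` still picks AllowGroups mode, yet ssh_allowgroups.yml no longer comments out the AllowUsers line (second hunk of this commit), so both directives stay active and OpenSSH requires a login to satisfy each of them in turn — an account granted only through the group is still rejected by the stale AllowUsers list, which is an accidental-lockout risk rather than a privilege gain. Either keep an AllowUsers neutralisation for that case or state the contract next to the include, e.g. `# NOTE: if both directives exist, sshd enforces both; AllowUsers is left untouched in AllowGroups mode`. Because the new task sets `failed_when: False`, `grep_allowusers_ssh.rc != 0` also treats grep's error status (unreadable file, rc 2) as "AllowUsers absent"; `grep_allowusers_ssh.rc == 1` would limit the Debian 9+ fallback to a genuine no-match, assuming the condition on `- include: ssh_allowusers.yml` (outside this hunk) is adjusted to match. As a point of style, the grep needs no shell features, so `command:` instead of `shell:` is the safer module choice, and `changed_when: false` / `check_mode: false` are the canonical booleans.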
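Review bot: In the ssh_allowgroups.yml hunk the "disable AllowUsers directive if present" task is commented out rather than removed, leaving seven lines of dead YAML with no explanation of why the step was dropped, while git history already preserves the old task. Replace the commented block with a single line that records the new contract, e.g. `# AllowUsers is intentionally not disabled here; ssh.yml chooses the mode from which directives exist`, or delete the block outright so a future reader does not assume it was disabled temporarily.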
@@ -1,12 +1,5 @@
 ---
-- name: verify AllowUsers directive
- shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
- changed_when: False
- failed_when: False
- check_mode: no
- register: grep_allowusers_ssh
-
 - name: "Add AllowUsers sshd directive with '{{ user.name }}'"
 lineinfile:
 dest: /etc/ssh/sshd_config