evolinux-users: split AllowGroups/AllowUsers modes
If an AllowGroups directive is found or when using Debian 9+, we use the AllowGroups directive and comment out any AllowUsers directive that may already be present. When adding a user, we make sure that the allowed group exists and that the user is in that group, so that at least this user is allowed to connect. In other situations, we use the AllowUsers directive.
parent
4749667f58
commit
fb3efabae6
|
@ -51,6 +51,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||||
|
* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
|
||||||
* mongodb: allow unauthenticated packages for Jessie
|
* mongodb: allow unauthenticated packages for Jessie
|
||||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||||
* mongodb: rename logrotate script
|
* mongodb: rename logrotate script
|
||||||
|
|
|
@ -63,16 +63,16 @@
|
||||||
|
|
||||||
- name: "Get current user"
|
- name: "Get current user"
|
||||||
command: logname
|
command: logname
|
||||||
|
changed_when: False
|
||||||
register: logname
|
register: logname
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: False
|
|
||||||
when: evolinux_ssh_allow_current_user
|
when: evolinux_ssh_allow_current_user
|
||||||
|
|
||||||
# we must double-escape caracters, because python
|
# we must double-escape caracters, because python
|
||||||
- name: verify AllowUsers directive
|
- name: verify AllowUsers directive
|
||||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
register: grep_allowusers_ssh
|
register: grep_allowusers_ssh
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when: evolinux_ssh_allow_current_user
|
when: evolinux_ssh_allow_current_user
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
---
|
---
|
||||||
evolinux_users: {}
|
evolinux_users: {}
|
||||||
|
|
||||||
evolinux_sudo_group: "evolinux-sudo"
|
evolinux_sudo_group: "evolinux-sudo"
|
||||||
|
evolinux_ssh_group: "evolinux-ssh"
|
||||||
|
|
||||||
evolinux_root_disable_ssh: True
|
evolinux_root_disable_ssh: True
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
- name: "Create .ssh directory for '{{ user.name }}'"
|
- name: "Create .ssh directory for '{{ user.name }}'"
|
||||||
file:
|
file:
|
||||||
dest: '/home/{{ user.name }}/.ssh/'
|
dest: '/home/{{ user.name }}/.ssh/'
|
||||||
|
@ -30,68 +29,13 @@
|
||||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
register: grep_allowgroups_ssh
|
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
register: grep_allowgroups_ssh
|
||||||
|
|
||||||
# If AllowGroups is present, we don't change
|
# If AllowGroups is present or Debian 9+, use AllowGroups mode
|
||||||
- debug:
|
- include: ssh_groups.yml
|
||||||
msg: "AllowGroups detected : You have to configure SSH manually"
|
when: grep_allowgroups_ssh.rc == 0 or ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
when: grep_allowgroups_ssh.rc == 0
|
|
||||||
|
|
||||||
- block:
|
|
||||||
# If AllowGroups is not present, we proceed as usual
|
|
||||||
- name: verify AllowUsers directive
|
|
||||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
register: grep_allowusers_ssh
|
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
line: "\nAllowUsers {{ user.name }}"
|
|
||||||
insertafter: 'Subsystem'
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when: grep_allowusers_ssh.rc != 0
|
|
||||||
|
|
||||||
- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
|
|
||||||
replace:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
|
||||||
replace: '\1 {{ user.name }}'
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when: grep_allowusers_ssh.rc == 0
|
|
||||||
|
|
||||||
- name: "verify Match User directive"
|
|
||||||
command: "grep 'Match User' /etc/ssh/sshd_config"
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
register: grep_matchuser_ssh
|
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
|
||||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when:
|
|
||||||
- ansible_distribution_release == "jessie"
|
|
||||||
- grep_matchuser_ssh.rc != 0
|
|
||||||
|
|
||||||
- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
|
|
||||||
replace:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
|
||||||
replace: '\1,{{ user.name }}'
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when:
|
|
||||||
- ansible_distribution_release == "jessie"
|
|
||||||
- grep_matchuser_ssh.rc == 0
|
|
||||||
|
|
||||||
|
# If AllowGroups is absent, use AllowUsers mode
|
||||||
|
- include: ssh_users.yml
|
||||||
when: grep_allowgroups_ssh.rc != 0
|
when: grep_allowgroups_ssh.rc != 0
|
||||||
|
|
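Review bot: The two include conditions at the end of the second hunk are not complementary: on Debian 9+ with no existing `AllowGroups` line, `grep_allowgroups_ssh.rc != 0` is also true, so `ssh_groups.yml` runs and then `ssh_users.yml` runs as well, and sshd_config ends up with both an `AllowGroups` and an `AllowUsers` directive (the latter re-added right after ssh_groups.yml commented it out). sshd applies every Allow* directive that is present, so in that state a member of the SSH group who is not also listed in `AllowUsers` would be denied. The second include should carry the negation of the first, `when: grep_allowgroups_ssh.rc != 0 and ansible_distribution_major_version | version_compare('9', '<')`, or the mode could be computed once into a fact that both includes test.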
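--- /dev/null
+++ b/evolinux-users/tasks/ssh_groups.yml
@@ -0,0 +1,65 @@
+---
+
+- name: "Unix group '{{ evolinux_ssh_group }}' is present"
+  group:
+    name: "{{ evolinux_ssh_group }}"
+    state: present
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_ssh_group }}"
+    append: yes
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowgroups_ssh.rc != 0
+
+- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
+    replace: '\1 {{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowgroups_ssh.rc == 0
+
+- name: disable AllowUsers directive if present
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers)'
+    replace: '# \1'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+
+- name: "verify Match Group directive"
+  command: "grep 'Match Group' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_matchgroup_ssh
+
+- name: "Add Match Group sshd directive with '{{ evolinux_ssh_group }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nMatch Group {{ evolinux_ssh_group }}\n PasswordAuthentication no"
+    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchgroup_ssh.rc != 0
+
+- name: "Append '{{ evolinux_ssh_group }}' to Match Group's sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match Group ((?!{{ evolinux_ssh_group }}).)*)$'
+    replace: '\1,{{ evolinux_ssh_group }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchgroup_ssh.rc == 0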
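Review bot: In the "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" task the regexp checks that the group is missing from the line, but the replacement appends `{{ user.name }}`, so a user name is written into an `AllowGroups` directive and the group itself is never added; it should read `replace: '\1 {{ evolinux_ssh_group }}'`. On Debian the user's private group typically shares the user's name, which would mask the mistake for that one user while every other member of `{{ evolinux_ssh_group }}` stays denied. The "disable AllowUsers directive if present" task comments out existing `AllowUsers` entries without migrating those users into the group; the commit message accepts this, but a comment above the task such as `# users previously listed in AllowUsers are NOT added to the group automatically` would make the access change visible to the next reader. `append: yes` and `check_mode: no` would be clearer as `true`/`false`.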
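--- /dev/null
+++ b/evolinux-users/tasks/ssh_users.yml
@@ -0,0 +1,53 @@
+---
+
+- name: verify AllowUsers directive
+  shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowusers_ssh
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowUsers {{ user.name }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowusers_ssh.rc != 0
+
+- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
+    replace: '\1 {{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowusers_ssh.rc == 0
+
+- name: "verify Match User directive"
+  command: "grep 'Match User' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_matchuser_ssh
+
+- name: "Add Match User sshd directive with '{{ user.name }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
+    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchuser_ssh.rc != 0
+
+- name: "Append '{{ user.name }}' to Match User's sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
+    replace: '\1,{{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when:
+    - grep_matchuser_ssh.rc == 0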
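Review bot: The AllowUsers grep at the top of the file uses `shell:` while the Match User grep further down and the previous inline version of this task use `command:`; nothing here needs a shell, so `command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"` keeps the file consistent and avoids running a fixed argument list through /bin/sh. The Match User add/append tasks also no longer carry the `ansible_distribution_release == "jessie"` condition the inline version had, so in AllowUsers mode the `Match User … PasswordAuthentication no` block is now written on every release; if that is intended, a one-line comment above the "verify Match User directive" task saying so would save the next reader a trip through the history.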