Compare commits
16 commits
b92871bfef
...
36cd982f35
Author | SHA1 | Date | |
---|---|---|---|
36cd982f35 | |||
263f940c3d | |||
a478348716 | |||
f7f578705c | |||
4a0d3a4965 | |||
fbb0b73e3a | |||
7e15e01b14 | |||
86978a8225 | |||
0098cd2f08 | |||
e70ab6d039 | |||
fc8105e84e | |||
87711ef00c | |||
fc241f2835 | |||
eca2b5e4bf | |||
ec34d8afe1 | |||
5265119912 |
|
@ -31,6 +31,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* userlogrotate: add a userlogpurge script disabled by default
|
||||
* evolinux-base: configure bashrc for all users
|
||||
* bind: Add reload-zone helper
|
||||
* evolinux-base: add splitted SSH configuration for Debian >= 12
|
||||
* evolinux-users: add splitted SSH configuration for Debian >= 12
|
||||
* evocheck: add support for Debian >= 12 splitted SSH configuration
|
||||
|
||||
### Changed
|
||||
|
||||
|
|
|
@ -231,8 +231,15 @@ check_customcrontab() {
|
|||
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
|
||||
}
|
||||
check_sshallowusers() {
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|
||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|
||||
if is_debian_bookworm; then
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
|
||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
|
||||
|| failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
|
||||
else
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|
||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|
||||
fi
|
||||
}
|
||||
check_diskperf() {
|
||||
perfFile="/root/disk-perf.txt"
|
||||
|
|
|
@ -97,7 +97,21 @@
|
|||
replace: "PermitRootLogin no"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: disable SSH access for root (Debian >= 12)
|
||||
ansible.builtin.replace:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
line: "PermitRootLogin no"
|
||||
create: yes
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
|
||||
### Disabled : it seems useless and too dangerous for now
|
||||
# - name: remove root from AllowUsers directive
|
||||
|
|
|
@ -1,71 +1,14 @@
|
|||
---
|
||||
# This is a copy of ssh.single-file.yml
|
||||
# It needs to be changed when we move to a included-files configuration
|
||||
|
||||
|
||||
- ansible.builtin.debug:
|
||||
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
||||
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
|
||||
when: evolinux_ssh_password_auth_addresses == []
|
||||
|
||||
# From 'man sshd_config' :
|
||||
# « If all of the criteria on the Match line are satisfied, the keywords
|
||||
# on the following lines override those set in the global section of the config
|
||||
# file, until either another Match line or the end of the file.
|
||||
# If a keyword appears in multiple Match blocks that are satisfied,
|
||||
# only the first instance of the keyword is applied. »
|
||||
#
|
||||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||
- name: add SSH server configuration template
|
||||
ansible.builtin.template:
|
||||
src: sshd/defaults.j2
|
||||
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
|
||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
ansible.builtin.blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group {{ evolinux_internal_group }}
|
||||
PasswordAuthentication no
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||
ansible.builtin.blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||
# do not want clients to push their environment variables like LANG.
|
||||
- name: disable AcceptEnv in ssh config
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^AcceptEnv'
|
||||
replace: "#AcceptEnv"
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_disable_acceptenv | bool
|
||||
|
||||
- name: Set log level to verbose (for Debian >= 9)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#?LogLevel [A-Z]+'
|
||||
replace: "LogLevel VERBOSE"
|
||||
notify: reload sshd
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- name: "Get current user"
|
||||
- name: "Get current user's group"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
|
@ -73,10 +16,9 @@
|
|||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "grep -ER '^AllowUsers' /etc/ssh"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
|
@ -85,20 +27,15 @@
|
|||
|
||||
- name: "Add AllowUsers sshd directive for current user"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ logname.stdout }}"
|
||||
dest: /etc/ssh/sshd_config.d/allow_evolinux_user
|
||||
line: "AllowUsers {{ logname.stdout }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for current user"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
||||
# TODO vérifier présence de Include /etc/ssh/sshd_config.d/*.conf
|
||||
# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
|
||||
# TODO si allowgroups, ajouter groupe de l’utilisateur
|
||||
|
|
15
evolinux-base/templates/sshd/defaults.j2
Normal file
15
evolinux-base/templates/sshd/defaults.j2
Normal file
|
@ -0,0 +1,15 @@
|
|||
Port 22
|
||||
{% if evolinux_root_disable_ssh %}
|
||||
PermitRootLogin no
|
||||
{% endif %}
|
||||
LogLevel VERBOSE
|
||||
SetEnv LC_ALL=en_US.UTF-8
|
||||
|
||||
{% if evolinux_ssh_password_auth_addresses %}
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
{% endif %}
|
||||
{% if evolinux_internal_group %}
|
||||
Match Group {{ evolinux_internal_group }}
|
||||
PasswordAuthentication no
|
||||
{% endif %}
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -14,7 +14,7 @@
|
|||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowUsers' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -62,6 +62,36 @@
|
|||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: verify PermitRootLogin directive (Debian >= 12)
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_permitrootlogin_ssh
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
# TODO avertir lorsque PermitRootLogin est déjà configuré?
|
||||
- ansible.builtin.debug:
|
||||
var: grep_permitrootlogin_ssh
|
||||
verbosity: 1
|
||||
|
||||
- name: disable root login (Debian >= 12)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "PermitRootLogin no"
|
||||
create: yes
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
insertbefore: "BOF"
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_permitrootlogin_ssh.rc == 1
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -4,11 +4,13 @@
|
|||
# even if it's been done before
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
ansible.builtin.lineinfile:
|
||||
|
@ -17,7 +19,9 @@
|
|||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc != 0
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
|
@ -26,4 +30,15 @@
|
|||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc == 0
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "AllowGroups {{ evolinux_ssh_group }}"
|
||||
create: yes
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
|
Loading…
Reference in a new issue