From 9049a9779215ff1900d6315b51108ad42e950a09 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 6 Aug 2019 17:53:21 -0400 Subject: [PATCH 1/9] Simplify evolinux-users ssh tasks It makes no sense to make a check before you include the task and do lt again after. Just use the pre-registered variables. This removes two tasks per user loop and one overall task. --- evolinux-users/tasks/ssh.yml | 14 ++++++++++++++ evolinux-users/tasks/ssh_allowgroups.yml | 13 ++----------- evolinux-users/tasks/ssh_allowusers.yml | 24 ++++-------------------- 3 files changed, 20 insertions(+), 31 deletions(-) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 70570c63..52348c7a 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -41,13 +41,27 @@ verbosity: 1 - include: ssh_allowgroups.yml + vars: + - allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}" when: - ssh_allowgroups - not ssh_allowusers +- name: "verify Match User directive" + command: "grep -E '^Match User' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_matchuser_ssh + when: + - ssh_allowusers + - not ssh_allowgroups + - include: ssh_allowusers.yml vars: user: "{{ item.value }}" + - allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}" + - match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}" with_dict: "{{ evolinux_users }}" when: - ssh_allowusers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml index a4e4ee54..bef0a393 100644 --- a/evolinux-users/tasks/ssh_allowgroups.yml +++ b/evolinux-users/tasks/ssh_allowgroups.yml 
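Review bot: The `vars:` of the `ssh_allowusers.yml` include in hunk `@@ -41,13 +41,27 @@` now holds a mapping entry `user: "{{ item.value }}"` followed by two sequence entries `- allow_users_present: …` and `- match_users_present: …` at the same indent, which is not valid YAML, so the whole tasks file fails to parse. Write all three as mapping keys: `user: "{{ item.value }}"`, `allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}"`, `match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}"`. The list form on the `ssh_allowgroups.yml` include is accepted by Ansible, but the mapping form would keep both includes consistent. Note also that both flags are computed once before the `with_dict` loop, so after the first user creates a directive every later iteration still sees it as absent and runs the add task again; the per-user checks removed in the other hunks were what prevented that.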
@@ -1,14 +1,5 @@ --- -# this check must be repeated for each user -# even if it's been done before -- name: verify AllowGroups directive - command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - check_mode: no - register: grep_allowgroups_ssh - - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" lineinfile: dest: /etc/ssh/sshd_config @@ -16,7 +7,7 @@ insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowgroups_ssh.rc != 0 + when: not allow_groups_present - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" replace: @@ -25,4 +16,4 @@ replace: '\1 {{ evolinux_ssh_group }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowgroups_ssh.rc == 0 + when: allow_groups_present diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index 1aa31f3c..dc9338dc 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml @@ -1,14 +1,5 @@ --- -# this check must be repeated for each user -# even if it's been done before -- name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - check_mode: no - register: grep_allowusers_ssh - - name: "Add AllowUsers sshd directive with '{{ user.name }}'" lineinfile: dest: /etc/ssh/sshd_config @@ -16,7 +7,7 @@ insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowusers_ssh.rc != 0 + when: not allow_users_present - name: "Append '{{ user.name }}' to AllowUsers sshd directive" replace: 
@@ -25,14 +16,7 @@ replace: '\1 {{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowusers_ssh.rc == 0 - -- name: "verify Match User directive" - command: "grep -E '^Match User' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - check_mode: no - register: grep_matchuser_ssh + when: allow_users_present - name: "Add Match User sshd directive with '{{ user.name }}'" lineinfile: @@ -41,7 +25,7 @@ insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_matchuser_ssh.rc != 0 + when: not allow_users_present - name: "Append '{{ user.name }}' to Match User's sshd directive" replace: @@ -50,4 +34,4 @@ replace: '\1,{{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_matchuser_ssh.rc == 0 + when: match_users_present -- 2.39.2 From 3feb0cc3b49c5930e5162f2f631b7c64fbc4bfcf Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 6 Aug 2019 17:57:35 -0400 Subject: [PATCH 2/9] Simplify sudo tasks for evolinux-users Move two template creation tasks out of the loop. This means that the task runs only once instead of one time per user in the loop. --- evolinux-users/tasks/main.yml | 3 --- evolinux-users/tasks/sudo.yml | 25 +++++++++++++++++++++++++ evolinux-users/tasks/sudo_jessie.yml | 9 --------- evolinux-users/tasks/sudo_stretch.yml | 9 --------- 4 files changed, 25 insertions(+), 21 deletions(-) diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index e5872a91..6ee9c512 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -20,9 +20,6 @@ - name: Configure sudo include: sudo.yml - vars: - user: "{{ item.value }}" - with_dict: "{{ evolinux_users }}" when: evolinux_users != {} - name: Configure SSH diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index ed696b43..406cda0b 100644 --- a/evolinux-users/tasks/sudo.yml 
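Review bot: The `Add Match User sshd directive` task in hunk `@@ -41,7 +25,7 @@` of ssh_allowusers.yml is gated on `when: not allow_users_present`, while the append task that pairs with it uses `match_users_present`; the two directives are checked by separate greps and need not be present together. When AllowUsers already exists but no Match User block does, the add is skipped and the append finds no line to extend, so the `PasswordAuthentication no` restriction for that user is silently never written. The line should read `when: not match_users_present`.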
+++ b/evolinux-users/tasks/sudo.yml @@ -1,9 +1,34 @@ --- +- name: "Verify 'evolinux' sudoers file presence for debian jessie" + template: + src: "sudoers_jessie.j2" + dest: /etc/sudoers.d/evolinux + force: no + mode: "0440" + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_release == "jessie" + +- name: "Verify 'evolinux' sudoers file presence for debian 9 or bigger" + template: + src: "sudoers_stretch.j2" + dest: /etc/sudoers.d/evolinux + force: no + mode: "0440" + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_major_version | version_compare('9', '>=') - include: sudo_jessie.yml + vars: + user: "{{ item.value }}" + with_dict: "{{ evolinux_users }}" when: ansible_distribution_release == "jessie" - include: sudo_stretch.yml + vars: + user: "{{ item.value }}" + with_dict: "{{ evolinux_users }}" when: ansible_distribution_major_version | version_compare('9', '>=') - meta: flush_handlers diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index f675954e..6f13541e 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -1,14 +1,5 @@ --- -- name: "Verify Evolinux sudoers file presence (jessie)" - template: - src: sudoers_jessie.j2 - dest: /etc/sudoers.d/evolinux - force: no - mode: "0440" - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - - name: "Add user in sudoers file for '{{ user.name }}' (jessie)" replace: dest: /etc/sudoers.d/evolinux diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml index dc744c56..ae18bce5 100644 --- a/evolinux-users/tasks/sudo_stretch.yml +++ b/evolinux-users/tasks/sudo_stretch.yml 
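Review bot: Both template tasks in the sudo.yml hunk use `register: copy_sudoers_evolinux`, and a skipped task still registers a result (with `changed: false`), so on jessie the stretch task, which runs second, overwrites the real result of the jessie task; the `when: not copy_sudoers_evolinux.changed` guard in sudo_jessie.yml then sees `changed: false` even on the run that just rendered the file. On Debian 9+ it only works because the skipped jessie task happens to run first. Register under distinct names, e.g. `register: copy_sudoers_evolinux_jessie` and `register: copy_sudoers_evolinux_stretch`, and reference the matching one from each per-user include.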
@@ -1,14 +1,5 @@ --- -- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)" - template: - src: sudoers_stretch.j2 - dest: /etc/sudoers.d/evolinux - force: no - mode: "0440" - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - - name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)" group: name: "{{ evolinux_sudo_group }}" -- 2.39.2 From 75aad3e5d7724df0b0c837c0cc5fff92d1313277 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 7 Aug 2019 12:15:57 -0400 Subject: [PATCH 3/9] Fixed regression in evolinux-users ssh tasks We need to register that the match user and allow user is now present after adding the first user. --- evolinux-users/tasks/ssh_allowusers.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index dc9338dc..19b7d03e 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml @@ -7,7 +7,8 @@ insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: not allow_users_present + when: not allow_users_present or not added_allow_user.changed + register: added_allow_user - name: "Append '{{ user.name }}' to AllowUsers sshd directive" replace: @@ -16,7 +17,7 @@ replace: '\1 {{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: allow_users_present + when: allow_users_present or added_allow_user.changed - name: "Add Match User sshd directive with '{{ user.name }}'" lineinfile: @@ -25,7 +26,8 @@ insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: not allow_users_present + when: not match_users_present or not added_match_user.changed + register: added_match_user - name: "Append '{{ user.name }}' to Match User's sshd directive" replace: 
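Review bot: `when: not allow_users_present or not added_allow_user.changed` in hunk `@@ -7,7 +7,8 @@` does not stop the second user from re-adding the directive: `not allow_users_present` stays true for every iteration of the loop, so the `or` makes the condition true whatever `added_allow_user` holds. A loop-registered result cannot carry this state anyway, since it is undefined on the first iteration and replaced by a skipped (`changed: false`) result on any later one where the task does not run. A fact set once the add task reports a change, under a name distinct from the include var, and checked by both the add and the append tasks is the reliable form, e.g. `- set_fact: { ssh_allowusers_added: true }` with `when: added_allow_user.changed`; the `Match User` pair in hunk `@@ -25,7 +26,8 @@` has the same problem.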
@@ -34,4 +36,4 @@ replace: '\1,{{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: match_users_present + when: match_users_present or added_match_user.changed -- 2.39.2 From e79455efaef85b23a2bc45c879e637728dacfb16 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 11 Sep 2019 11:29:18 -0400 Subject: [PATCH 4/9] Add match user and allow user ssh statements with join. If the statements are not there, we do not need to worry about manual edits. --- evolinux-users/tasks/ssh.yml | 26 +++++++++++++++++++------ evolinux-users/tasks/ssh_allowusers.yml | 22 --------------------- 2 files changed, 20 insertions(+), 28 deletions(-) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 52348c7a..0e352119 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -57,15 +57,29 @@ - ssh_allowusers - not ssh_allowgroups +- name: "Add AllowUsers sshd directive with all users" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: grep_allowusers_ssh.rc == 0 + +- name: "Add Match User sshd directive with '{{ user.name }}'" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no" + insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: grep_matchuser_ssh == 0 + - include: ssh_allowusers.yml vars: user: "{{ item.value }}" - - allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}" - - match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}" - with_dict: "{{ evolinux_users }}" - when: - - ssh_allowusers - - not ssh_allowgroups + with_dict: "{{ evolinux_users }}" + when: (grep_allowusers_ssh.rc != 0) or (grep_matchuser_ssh != 0) - name: disable root login replace: 
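Review bot: `when: grep_matchuser_ssh == 0` on the new `Add Match User` task in the ssh.yml hunk compares the whole registered result with 0 and can never be true, so that block is never written; it needs `.rc`, and the same omission is in the include's `when: (grep_allowusers_ssh.rc != 0) or (grep_matchuser_ssh != 0)`. Both new `lineinfile` tasks are also gated on `rc == 0`, i.e. they insert the directive when grep already found it. `evolinux_users` is a dict (it is looped with `with_dict` just below), so `evolinux_users|map(attribute='name')` maps over its keys and fails on the missing attribute; `evolinux_users.values()|map(attribute='name')` reaches the user entries. Finally, sshd_config(5) describes AllowUsers as a list of patterns separated by spaces, which is what the per-user append (`replace: '\1 {{ user.name }}'`) produces; as I read it, `join(',')` yields a single pattern that matches none of the listed names and `sshd -t` would not catch it, leaving SSH login denied to every account, so use `join(' ')` there (the comma is correct for `Match User`).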
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index 19b7d03e..d6bd0154 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml @@ -1,15 +1,5 @@ --- -- name: "Add AllowUsers sshd directive with '{{ user.name }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ user.name }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: not allow_users_present or not added_allow_user.changed - register: added_allow_user - - name: "Append '{{ user.name }}' to AllowUsers sshd directive" replace: dest: /etc/ssh/sshd_config @@ -17,17 +7,6 @@ replace: '\1 {{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: allow_users_present or added_allow_user.changed - -- name: "Add Match User sshd directive with '{{ user.name }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" - insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: not match_users_present or not added_match_user.changed - register: added_match_user - name: "Append '{{ user.name }}' to Match User's sshd directive" replace: @@ -36,4 +15,3 @@ replace: '\1,{{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: match_users_present or added_match_user.changed -- 2.39.2 From f73667ea3c6755ffc9cebc81fcc94c73aa2c5904 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 11 Sep 2019 11:53:51 -0400 Subject: [PATCH 5/9] Inline ssh_allow_user file --- evolinux-users/tasks/ssh.yml | 47 +++++++++++++++++-------- evolinux-users/tasks/ssh_allowusers.yml | 17 --------- 2 files changed, 32 insertions(+), 32 deletions(-) delete mode 100644 evolinux-users/tasks/ssh_allowusers.yml diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 0e352119..7a9907aa 100644 
--- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -47,6 +47,28 @@ - ssh_allowgroups - not ssh_allowusers +- name: "Add AllowUsers sshd directive with all users" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc == 0 + - ssh_allowusers + - not ssh_allowgroups + +- name: "Append '{{ item.name }}' to AllowUsers sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$' + replace: '\1 {{ item.name }}' + validate: '/usr/sbin/sshd -t -f %s' + with_dict: "{{ evolinux_users }}" + notify: reload sshd + when: grep_allowusers_ssh.rc != 0 + - name: "verify Match User directive" command: "grep -E '^Match User' /etc/ssh/sshd_config" changed_when: False @@ -57,16 +79,7 @@ - ssh_allowusers - not ssh_allowgroups -- name: "Add AllowUsers sshd directive with all users" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: grep_allowusers_ssh.rc == 0 - -- name: "Add Match User sshd directive with '{{ user.name }}'" +- name: "Add Match User sshd directive with all users" lineinfile: dest: /etc/ssh/sshd_config line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no" 
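Review bot: `item.name` in the new `Append … to AllowUsers` task of hunk `@@ -47,6 +47,28 @@` is undefined under `with_dict`, which exposes `item.key` and `item.value` (the deleted include passed `user: "{{ item.value }}"` for that reason), so templating the `regexp` and `replace` fails for every user; use `item.value.name` in the name, `regexp` and `replace`, and likewise in the `Match User` append of hunk `@@ -75,11 +88,15 @@`. The name is also interpolated into a regular expression unescaped; `{{ item.value.name | regex_escape }}` keeps a name containing `.` or `+` from altering the negative lookahead. The `rc == 0` gate on the add task and `rc != 0` on the append are reversed here (the add should run when grep found no directive).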
@@ -75,11 +88,15 @@ notify: reload sshd when: grep_matchuser_ssh == 0 -- include: ssh_allowusers.yml - vars: - user: "{{ item.value }}" - with_dict: "{{ evolinux_users }}" - when: (grep_allowusers_ssh.rc != 0) or (grep_matchuser_ssh != 0) +- name: "Append '{{ item.name }}' to Match User's sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(Match User ((?!{{ item.name }}).)*)$' + replace: '\1,{{ item.name }}' + validate: '/usr/sbin/sshd -t -f %s' + with_dict: "{{ evolinux_users }}" + notify: reload sshd + when: grep_matchuser_ssh.rc != 0 - name: disable root login replace: diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml deleted file mode 100644 index d6bd0154..00000000 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "Append '{{ user.name }}' to AllowUsers sshd directive" - replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' - replace: '\1 {{ user.name }}' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - -- name: "Append '{{ user.name }}' to Match User's sshd directive" - replace: - dest: /etc/ssh/sshd_config - regexp: '^(Match User ((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd -- 2.39.2 From 255023b91e75d913fd4d03eb02fdb1ef0e62dddc Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 11 Sep 2019 14:29:47 -0400 Subject: [PATCH 6/9] Inverse erroneous condition in evolinux-users/tasks/ssh.yml --- evolinux-users/tasks/ssh.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 7a9907aa..547542ba 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml 
@@ -55,7 +55,7 @@ validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd when: - - grep_allowusers_ssh.rc == 0 + - grep_allowusers_ssh.rc != 0 - ssh_allowusers - not ssh_allowgroups @@ -67,7 +67,7 @@ validate: '/usr/sbin/sshd -t -f %s' with_dict: "{{ evolinux_users }}" notify: reload sshd - when: grep_allowusers_ssh.rc != 0 + when: grep_allowusers_ssh.rc == 0 - name: "verify Match User directive" command: "grep -E '^Match User' /etc/ssh/sshd_config" @@ -86,7 +86,7 @@ insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_matchuser_ssh == 0 + when: grep_matchuser_ssh != 0 - name: "Append '{{ item.name }}' to Match User's sshd directive" replace: @@ -96,7 +96,7 @@ validate: '/usr/sbin/sshd -t -f %s' with_dict: "{{ evolinux_users }}" notify: reload sshd - when: grep_matchuser_ssh.rc != 0 + when: grep_matchuser_ssh.rc == 0 - name: disable root login replace: -- 2.39.2 From 331ad978f19c533e9ae29bd7263ad8db84015ec2 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 11 Sep 2019 14:36:18 -0400 Subject: [PATCH 7/9] The evolinux_sudo_group for debian 9 only needs to be created once --- evolinux-users/tasks/sudo.yml | 6 ++++++ evolinux-users/tasks/sudo_stretch.yml | 5 ----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 406cda0b..ac8fb645 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -25,6 +25,12 @@ with_dict: "{{ evolinux_users }}" when: ansible_distribution_release == "jessie" +- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)" + group: + name: "{{ evolinux_sudo_group }}" + system: yes + when: ansible_distribution_major_version | version_compare('9', '>=') + - include: sudo_stretch.yml vars: user: "{{ item.value }}" diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml index ae18bce5..97f1f77d 100644 
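Review bot: `when: grep_matchuser_ssh != 0` in hunk `@@ -86,7 +86,7 @@` still compares the registered result mapping rather than its return code, so flipping the operator turns a condition that was always false into one that is always true, and the `Match User` block is added on every run. The companion append task two hunks below correctly reads `grep_matchuser_ssh.rc`; this one should be `when: grep_matchuser_ssh.rc != 0`.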
--- a/evolinux-users/tasks/sudo_stretch.yml +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -1,10 +1,5 @@ --- -- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)" - group: - name: "{{ evolinux_sudo_group }}" - system: yes - - name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)" user: name: '{{ user.name }}' -- 2.39.2 From 6ac874cbc6e0d97875629c9d51c1a01faa4936ed Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 11 Sep 2019 14:50:34 -0400 Subject: [PATCH 8/9] Inline sudo_jessie.yml --- evolinux-users/tasks/sudo.yml | 13 +++++++++---- evolinux-users/tasks/sudo_jessie.yml | 9 --------- 2 files changed, 9 insertions(+), 13 deletions(-) delete mode 100644 evolinux-users/tasks/sudo_jessie.yml diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index ac8fb645..48d4422e 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -19,11 +19,16 @@ register: copy_sudoers_evolinux when: ansible_distribution_major_version | version_compare('9', '>=') -- include: sudo_jessie.yml - vars: - user: "{{ item.value }}" +- name: "Add user in sudoers file for '{{ item.name }}' (jessie)" + replace: + dest: /etc/sudoers.d/evolinux + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ item.name }}).)*)$' + replace: '\1,{{ item.name }}' + validate: '/usr/sbin/visudo -cf %s' with_dict: "{{ evolinux_users }}" - when: ansible_distribution_release == "jessie" + when: + - not copy_sudoers_evolinux.changed + - ansible_distribution_release == "jessie" - name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)" group: diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml deleted file mode 100644 index 6f13541e..00000000 --- a/evolinux-users/tasks/sudo_jessie.yml +++ /dev/null 
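Review bot: `item.name` in the inlined `Add user in sudoers file` task of the sudo.yml hunk is undefined under `with_dict`, whose items carry `key` and `value` (the deleted include mapped `user: "{{ item.value }}"`), so the `regexp` and `replace` fail to template; use `item.value.name` in all three places. The `not copy_sudoers_evolinux.changed` guard is also unreliable on jessie: the stretch template task that follows is skipped there but still registers under the same name with `changed: false`, so this task runs even on the play that created the file. The negative lookahead keeps that idempotent, but the guard should read the jessie template task's own result, registered under a distinct name.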
@@ -1,9 +0,0 @@ ---- - -- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" - replace: - dest: /etc/sudoers.d/evolinux - regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/visudo -cf %s' - when: not copy_sudoers_evolinux.changed -- 2.39.2 From cf9ea7415a700c1119373a8226bcd044d23b27fd Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 24 Sep 2019 09:03:08 -0400 Subject: [PATCH 9/9] Normalize conditions and check Match User statement better No need for two facts if one invalidates the other. --- evolinux-users/tasks/ssh.yml | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 547542ba..3acb78a4 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -29,23 +29,16 @@ - set_fact: # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}" - # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" - ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}" - debug: var: ssh_allowgroups verbosity: 1 -- debug: - var: ssh_allowusers - verbosity: 1 - - include: ssh_allowgroups.yml vars: - allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}" when: - ssh_allowgroups - - not ssh_allowusers - name: "Add AllowUsers sshd directive with all users" lineinfile: @@ -56,7 +49,6 @@ notify: reload sshd when: - grep_allowusers_ssh.rc != 0 - - ssh_allowusers - not ssh_allowgroups - name: "Append '{{ item.name }}' to AllowUsers sshd directive" 
@@ -67,7 +59,9 @@ validate: '/usr/sbin/sshd -t -f %s' with_dict: "{{ evolinux_users }}" notify: reload sshd - when: grep_allowusers_ssh.rc == 0 + when: + - grep_allowusers_ssh.rc == 0 + - not ssh_allowgroups - name: "verify Match User directive" command: "grep -E '^Match User' /etc/ssh/sshd_config" @@ -75,9 +69,7 @@ failed_when: False check_mode: no register: grep_matchuser_ssh - when: - - ssh_allowusers - - not ssh_allowgroups + when: not ssh_allowgroups - name: "Add Match User sshd directive with all users" lineinfile: @@ -86,7 +78,9 @@ insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_matchuser_ssh != 0 + when: + - grep_matchuser_ssh != 0 + - not ssh_allowgroups - name: "Append '{{ item.name }}' to Match User's sshd directive" replace: @@ -96,7 +90,9 @@ validate: '/usr/sbin/sshd -t -f %s' with_dict: "{{ evolinux_users }}" notify: reload sshd - when: grep_matchuser_ssh.rc == 0 + when: + - grep_matchuser_ssh.rc == 0 + - not ssh_allowgroups - name: disable root login replace: -- 2.39.2
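Review bot: `- grep_matchuser_ssh != 0` in hunk `@@ -86,7 +78,9 @@` still compares the registered mapping with 0, so the `Add Match User sshd directive with all users` task runs on every play where `not ssh_allowgroups`, despite the commit subject; and because its `line` is a multi-line string starting with `\n`, `lineinfile` never finds it in the file and appends a fresh `Match User … PasswordAuthentication no` block each run. The sibling append task in hunk `@@ -96,7 +90,9 @@` already uses `grep_matchuser_ssh.rc == 0`; this one should be `- grep_matchuser_ssh.rc != 0`. The `item.name` references in both append tasks of this file also remain undefined under `with_dict` and should be `item.value.name`.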