Jérémy Lecour
b01d9178d0
If an AllowGroups directive is found or when using Debian 9+, we use the AllowGroups directive and comment out any AllowUsers directive that may already be present. When adding a user, we make sure that the allowed group exists and that the user is in that group, so that at least this user is allowed to connect. In other situations, we use the AllowUsers directive.
---
|
|
|
|
- name: "Create .ssh directory for '{{ user.name }}'"
|
|
file:
|
|
dest: '/home/{{ user.name }}/.ssh/'
|
|
state: directory
|
|
mode: "0700"
|
|
owner: '{{ user.name }}'
|
|
group: '{{ user.name }}'
|
|
|
|
- name: "Add user's SSH public key for '{{ user.name }}'"
|
|
authorized_key:
|
|
user: "{{ user.name }}"
|
|
key: "{{ user.ssh_key }}"
|
|
state: present
|
|
when: user.ssh_key is defined
|
|
|
|
- name: "Add user's SSH public keys for '{{ user.name }}'"
|
|
authorized_key:
|
|
user: "{{ user.name }}"
|
|
key: "{{ ssk_key }}"
|
|
state: present
|
|
with_items: "{{ user.ssh_keys }}"
|
|
loop_control:
|
|
loop_var: ssk_key
|
|
when: user.ssh_keys is defined
|
|
|
|
- name: verify AllowGroups directive
|
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_allowgroups_ssh
|
|
|
|
# If AllowGroups is present or Debian 9+, use AllowGroups mode
|
|
- include: ssh_groups.yml
|
|
when: grep_allowgroups_ssh.rc == 0 or ansible_distribution_major_version | version_compare('9', '>=')
|
|
|
|
# If AllowGroups is absent, use AllowUsers mode
|
|
- include: ssh_users.yml
|
|
when: grep_allowgroups_ssh.rc != 0
|
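Review bot: The two include conditions are not mutually exclusive: on a Debian 9+ host with no existing `AllowGroups` line, `grep_allowgroups_ssh.rc != 0` is true and the version check is also true, so both `ssh_groups.yml` and `ssh_users.yml` are included, and going by the commit description the second would re-add an `AllowUsers` directive right after the first commented it out, leaving the access-control configuration inconsistent. The AllowUsers branch should be the exact complement of the AllowGroups one: `when: grep_allowgroups_ssh.rc != 0 and not (ansible_distribution_major_version | version_compare('9', '>='))`. The version test also never checks `ansible_distribution`, so any non-Debian host whose major version is 9 or higher takes the groups branch although the description only intends Debian 9+; adding `ansible_distribution == 'Debian' and` in front of the version comparison in both conditions would match the stated intent. As a point of style, `changed_when: False`, `failed_when: False` and `check_mode: no` would be clearer as lowercase `false`, which is what yamllint's truthy rule expects.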