Jérémy Lecour
b01d9178d0
If an AllowGroups directive is found or when using Debian 9+, we use the AllowGroups directive and comment out any AllowUsers directive that may already be present. When adding a user, we make sure that the allowed group exists and that the user is in that group, so that at least this user is allowed to connect. In other situations, we use the AllowUsers directive.
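---
# Restrict SSH logins to members of the evolinux SSH group.
#
# Flow: make sure the group exists and the user is a member of it, then
# switch sshd to an AllowGroups directive (adding the group, or appending it
# to an existing directive) and neutralise any AllowUsers directive so the
# two allow-lists do not conflict. Finally a "Match Group" block disables
# password authentication for that group.
#
# Variables expected from the caller (not defined or registered here):
#   - user: mapping with at least a `name` key
#   - evolinux_ssh_group: name of the allowed Unix group
#   - grep_allowgroups_ssh: result of a grep for an existing AllowGroups line
#
# Every sshd_config edit is validated with `sshd -T` on a temporary copy
# before being written, so a malformed edit never reaches the live daemon.

- name: "Unix group '{{ evolinux_ssh_group }}' is present"
  group:
    name: "{{ evolinux_ssh_group }}"
    state: present

# `append: true` keeps the user's existing supplementary groups; without it
# the user module would replace them with this single group.
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'"
  user:
    name: '{{ user.name }}'
    groups: "{{ evolinux_ssh_group }}"
    append: true

# The leading "\n" keeps a blank line before the directive. A `line` that
# contains a newline never equals an existing single line, so this task is
# not idempotent on its own and relies entirely on the grep guard in `when`.
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evolinux_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowgroups_ssh.rc != 0

# Only touches an AllowGroups line that does not already list the group
# (negative lookahead with word boundaries, so "admin" is not mistaken for
# "admin2"). The group — not the user — is appended: AllowGroups takes
# group names, and the user was made a member of that group above.
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
    replace: '\1 {{ evolinux_ssh_group }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowgroups_ssh.rc == 0

# sshd applies AllowUsers and AllowGroups together (a login must satisfy
# every list present), so a leftover AllowUsers would lock out group members
# it does not name. Commenting it out keeps the old list visible for review.
- name: disable AllowUsers directive if present
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowUsers)'
    replace: '# \1'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd

# Anchored at line start so a commented-out "# Match Group" does not count
# as present — otherwise the add task below would be skipped while the
# replace task (itself anchored with ^) would change nothing.
- name: "verify Match Group directive"
  command: "grep '^Match Group' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_matchgroup_ssh

# A Match block applies to everything that follows it until the next Match,
# so it must land after all global directives; the insertafter marker is
# assumed to sit at the end of the global section — TODO confirm.
- name: "Add Match Group sshd directive with '{{ evolinux_ssh_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nMatch Group {{ evolinux_ssh_group }}\n PasswordAuthentication no"
    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when:
    - grep_matchgroup_ssh.rc != 0

# Match Group takes a comma-separated pattern list; the word boundaries
# mirror the AllowGroups task so a group whose name is a prefix of another
# ("admin" vs "admin2") is not mistaken for already present.
- name: "Append '{{ evolinux_ssh_group }}' to Match Group's sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(Match Group ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
    replace: '\1,{{ evolinux_ssh_group }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when:
    - grep_matchgroup_ssh.rc == 0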