Jérémy Lecour
b01d9178d0
If an AllowGroups directive is found, or when running Debian 9+, we use the AllowGroups directive and comment out any AllowUsers directive that may already be present. When adding a user, we make sure that the allowed group exists and that the user is in that group, so that at least this user is allowed to connect. In other situations, we use the AllowUsers directive.
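---
# Restrict SSH logins to the managed account via AllowUsers, and disable
# password authentication for that account through a "Match User" block.
# Every edit is validated with `sshd -T` before it is written, and sshd is
# only reloaded (via the "reload sshd" handler) when the file changed.
#
# Expected variable: `user.name` (login name of the account to allow).
# The two "Append" tasks edit every AllowUsers / Match User line that does
# not already list the user (the replace module substitutes all matches).

- name: verify AllowUsers directive
  # Anchored at start of line so a commented-out directive is not counted.
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
  lineinfile:
    path: /etc/ssh/sshd_config
    # The leading "\n" keeps a blank line between the Subsystem line and the
    # new directive. This task only runs when no AllowUsers line exists, so
    # the multi-line value is never re-inserted on later runs.
    line: "\nAllowUsers {{ user.name }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowusers_ssh.rc != 0

- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
  replace:
    path: /etc/ssh/sshd_config
    # Negative lookahead: only touch an AllowUsers line that does not already
    # list this exact name (\b stops "bob" from matching "bobby"); the name is
    # regex-escaped so it is matched literally rather than as a pattern.
    regexp: '^(AllowUsers ((?!\b{{ user.name | regex_escape }}\b).)*)$'
    replace: '\1 {{ user.name }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowusers_ssh.rc == 0

- name: "verify Match User directive"
  # Anchored at start of line to agree with the append task below: an
  # unanchored grep also matches a commented "#Match User" line, in which case
  # the append regexp would not match and the user would silently get no
  # PasswordAuthentication restriction.
  command: "grep '^Match User' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_matchuser_ssh

- name: "Add Match User sshd directive with '{{ user.name }}'"
  lineinfile:
    path: /etc/ssh/sshd_config
    # Match blocks must follow all global directives, hence the insertion
    # after the Evolinux end marker (lineinfile falls back to end of file
    # when the marker is absent).
    line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc != 0

- name: "Append '{{ user.name }}' to Match User's sshd directive"
  replace:
    path: /etc/ssh/sshd_config
    # Same exact-name test as for AllowUsers. Without \b a user "bo" would be
    # considered present when only "bob" is listed and would never be added
    # to the Match User block; the name is regex-escaped for the same reason.
    regexp: '^(Match User ((?!\b{{ user.name | regex_escape }}\b).)*)$'
    replace: '\1,{{ user.name }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc == 0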