---
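# Decide whether sshd access is restricted with AllowGroups or AllowUsers,
# hand over to the matching include, then (optionally) disable root login.
#
# The two grep probes below only see an uncommented directive at the very
# start of a line in /etc/ssh/sshd_config. sshd itself also accepts keywords
# case-insensitively, with leading whitespace, inside "Match" blocks and (on
# newer OpenSSH) through "Include" — none of those are detected here.
# NOTE(review): ssh_allowgroups.yml / ssh_allowusers.yml are not visible from
# this file; the probes are kept byte-identical on the assumption that those
# includes edit the file with the same "^AllowGroups" / "^AllowUsers" shape.

- name: verify AllowGroups directive
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  # Probe only: never reports a change, and any non-zero rc (no match, or a
  # grep error such as an unreadable file) is read below as "directive absent".
  changed_when: false
  failed_when: false
  # Must run even under --check, otherwise the registered result is empty.
  check_mode: false
  register: grep_allowgroups_ssh

- debug:
    var: grep_allowgroups_ssh
    verbosity: 1

- name: verify AllowUsers directive
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- debug:
    var: grep_allowusers_ssh
    verbosity: 1

# Refuse to continue when both directives are already active: each include
# below assumes it owns the whole access restriction.
- assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

# Pick exactly one mechanism (the assert above guarantees at most one is
# already present in the file):
#   ssh_allowgroups: AllowGroups is present, or neither is present on Debian >= 9
#   ssh_allowusers:  AllowUsers is present,  or neither is present on Debian <  9
# NOTE(review): the version test assumes a Debian major version; on another
# distribution ansible_distribution_major_version means something else.
# NOTE(review): the "| version_compare" filter form is deprecated since
# Ansible 2.5 in favour of "is version('9', '>=')"; it is kept here because the
# rest of the file (bare "include:") still targets that era.
- set_fact:
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('9', '>='))) }}"
    ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('9', '<'))) }}"

- debug:
    var: ssh_allowgroups
    verbosity: 1

- debug:
    var: ssh_allowusers
    verbosity: 1

- include: ssh_allowgroups.yml
  when:
    - ssh_allowgroups
    - not ssh_allowusers

# Applied once per entry of evolinux_users; each inclusion sees the entry's
# value as "user".
- include: ssh_allowusers.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolinux_users }}"
  when:
    - ssh_allowusers
    - not ssh_allowgroups

# Disabling root login takes two steps. A bare "replace" is not enough:
# Debian ships the directive commented out ("#PermitRootLogin prohibit-password"),
# so nothing matches, nothing changes, the task reports "ok" and key-based root
# login silently stays enabled.
#   1. rewrite every active permissive value ("forced-commands-only" is also a
#      permissive value that the previous pattern let through);
#   2. guarantee an active top-level "PermitRootLogin no" exists, inserted at
#      the top of the file because sshd keeps the first value it reads for a
#      keyword, so it also wins over any later duplicate or Include snippet.
# Both edits are validated with "sshd -t" before being written, so a broken
# config can never be installed and lock us out.
- name: disable root login (rewrite active permissive values)
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin (yes|without-password|prohibit-password|forced-commands-only)'
    replace: "PermitRootLogin no"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: evolinux_root_disable_ssh

- name: disable root login (ensure the directive is present)
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Only an active directive counts; a commented-out one must not satisfy it.
    regexp: '^PermitRootLogin\s'
    line: 'PermitRootLogin no'
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: evolinux_root_disable_ssh

# Reload sshd now rather than at the end of the play, so every later task
# already runs against the new access policy.
- meta: flush_handlers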