diff --git a/CHANGELOG.md b/CHANGELOG.md
index f3454c23..c939b93a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ The **patch** part is incremented if multiple releases happen the same month
 * evobackup-client: upstream release 24.05
 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
+* evolinux-users: improve SSH configuration
 ### Fixed
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 9a696901..d630bccb 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -1,8 +1,23 @@
 ---
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+- ansible.builtin.debug:
+    var: _ssh_config_paths
+    verbosity: 1
+
+############################
+# AllowUsers or AllowGroups
+############################
+
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -Er '^AllowGroups' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -14,7 +29,7 @@
 - name: verify AllowUsers directive
   ansible.builtin.command:
-    cmd: "grep -Er '^AllowUsers' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
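Review bot: The new `cmd:` of "verify AllowGroups directive" keeps `--recursive` although grep now receives an explicit file list from `_ssh_config_paths`; if that list is empty (no sshd_config found, or the find task did not run) grep gets no path argument and `--recursive` makes it scan the current working directory, so the result reflects whatever files live there rather than failing closed. Dropping the flag is enough, `cmd: "grep --extended-regexp --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"`; with no paths grep should then read the empty stdin the command module hands it and report 1, the "not found" path. The same form appears in the AllowUsers grep of the next hunk and in the PermitRootLogin, ssh_allowgroups.yml and ssh_allowusers.yml greps of this commit. Joining the paths with a single space also assumes no file under /etc/ssh has whitespace in its name, which is reasonable but deserves a one-line comment above the find task.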
@@ -42,12 +57,14 @@
     var: ssh_allowusers
     verbosity: 1
-- ansible.builtin.include: ssh_allowgroups.yml
+- name: Configure SSH in AllowGroups mode
+  ansible.builtin.include: ssh_allowgroups.yml
   when:
     - ssh_allowgroups
     - not ssh_allowusers
-- ansible.builtin.include: ssh_allowusers.yml
+- name: Configure SSH in AllowUsers mode
+  ansible.builtin.include: ssh_allowusers.yml
   vars:
     user: "{{ item.value }}"
   loop: "{{ evolinux_users | dict2items }}"
@@ -56,7 +73,24 @@
     - ssh_allowusers
     - not ssh_allowgroups
-- name: disable root login
+# Do this again, to update the value
+
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+##################
+# PermitRootLogin
+##################
+
+### For Debian < 12
+# if there is a commented value for PermitRootLogin
+# we replace it with a "no"
+
+- name: Root login is disabled (Debian < 12)
   ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
@@ -64,11 +98,15 @@
   notify: reload sshd
   when:
     - evolinux_root_disable_ssh | bool
-    - ansible_distribution_major_version is version('11', '<=')
+    - ansible_distribution_major_version is version('12', '<')
+
+### For Debian >= 12
+# if there is no value for PermitRootLogin (anywhere)
+# we add a "no" in z-evolinux-users.conf
 - name: verify PermitRootLogin directive (Debian >= 12)
   ansible.builtin.command:
-    cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
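Review bot: The second "Fetch SSHd config files" task in the `@@ -56,7 +73,24 @@` hunk is a verbatim copy of the one at the top of ssh.yml, and this commit adds two more to ssh_allowgroups.yml and ssh_allowusers.yml; a point of style, but four copies of the same `find` pattern will drift, and one small task file pulled in with `ansible.builtin.include_tasks` wherever the list must be refreshed keeps them in step. The comment `# Do this again, to update the value` would be clearer as `# Refresh the list: the included task files may have created z-evolinux-users.conf (create: yes)`, which is the reason the list can change. The "Configure SSH in …" tasks of the previous hunk gain a `name` but keep `ansible.builtin.include`, the deprecated action; `ansible.builtin.include_tasks` accepts the same `when`, `vars` and `loop`. The replace task's body runs past the hunk.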
@@ -76,12 +114,7 @@
   when:
     - ansible_distribution_major_version is version('12', '>=')
-# TODO avertir lorsque PermitRootLogin est déjà configuré?
-- ansible.builtin.debug:
-    var: grep_permitrootlogin_ssh
-    verbosity: 1
-
-- name: disable root login (Debian >= 12)
+- name: Root login is disabled (Debian >= 12)
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
     line: "PermitRootLogin no"
@@ -93,6 +126,48 @@
   when:
     - evolinux_root_disable_ssh | bool
     - ansible_distribution_major_version is version('12', '>=')
-    - grep_permitrootlogin_ssh.rc == 1
+    - grep_permitrootlogin_ssh.rc != 0
+
+#####################
+# Allow current user
+#####################
+
+- name: Allow current user
+  block:
+    - name: Check if evolinux ssh group is used
+      ansible.builtin.command:
+        cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
+      changed_when: False
+      failed_when: False
+      check_mode: no
+      register: grep_evolinux_group_ssh
+
+    - debug:
+        var: grep_evolinux_group_ssh
+
+    - name: "Get current user's login"
+      ansible.builtin.command:
+        cmd: logname
+      changed_when: False
+      register: _logname
+      check_mode: no
+
+    - debug:
+        var: evolinux_ssh_group
+
+    - debug:
+        var: evolinux_ssh_allow_current_user
+
+    - name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
+      ansible.builtin.user:
+        name: "{{ _logname.stdout }}"
+        groups: "{{ evolinux_ssh_group }}"
+        append: yes
+      when:
+        - grep_evolinux_group_ssh.rc == 0
+  when:
+    - evolinux_ssh_group is defined
+    - evolinux_ssh_group | length > 0
+    - evolinux_ssh_allow_current_user | bool
 - ansible.builtin.meta: flush_handlers
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 11446b4d..bbd0e78f 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
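Review bot: Removing `# TODO avertir lorsque PermitRootLogin est déjà configuré?` together with the debug task drops the question without answering it: the renamed "Root login is disabled (Debian >= 12)" task is gated on `grep_permitrootlogin_ssh.rc` (its `when:` is in the next hunk), so a pre-existing `PermitRootLogin yes` in sshd_config or any drop-in leaves root login enabled with nothing in the play output, and even a `no` written to z-evolinux-users.conf would lose to any other drop-in, since sshd keeps the first value it reads and that file sorts last in sshd_config.d. A `ansible.builtin.debug` on `grep_permitrootlogin_ssh.stdout_lines` without `verbosity`, or an `ansible.builtin.assert` when `evolinux_root_disable_ssh` is set, would make the case visible instead of silent. The lineinfile task's body continues past the hunk.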
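Review bot: In the new "Allow current user" block, "Get current user's login" runs `logname` with no `failed_when`, and `logname` typically exits non-zero when it has no login name to report (no utmp entry, a non-interactive session), which aborts the play before the `when: grep_evolinux_group_ssh.rc == 0` guard on the user task has any effect; `failed_when: False` on that task plus `- _logname.stdout | length > 0` in the user task's `when:` turns the case into a skip. The `rc != 0` condition changed at the top of this hunk treats a grep error (rc 2) as "not found" and writes `PermitRootLogin no`, which fails closed and is fine, but ssh_allowgroups.yml in the same commit treats rc 2 as "found"; one convention across the role is needed. The three `- debug:` tasks in the block are the only non-FQCN actions in the file and carry no `verbosity:`, so they print on every run, unlike the `verbosity: 1` debug tasks above them.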
@@ -1,18 +1,27 @@
 ---
+###
 # this check must be repeated for each user
 # even if it's been done before
+
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -Er '^AllowGroups' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_allowgroups_ssh
-  when:
-    - ansible_distribution_major_version is version('11', '<=')
-- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+###
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian < 12)"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nAllowGroups {{ evolinux_ssh_group }}"
@@ -21,25 +30,25 @@
   notify: reload sshd
   when:
     - ansible_distribution_major_version is version('11', '<=')
-    - grep_allowgroups_ssh.rc != 0
+    - grep_allowgroups_ssh.rc == 1 # Not found
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    validate: '/usr/sbin/sshd -t -f %s'
+    create: yes
+  notify: reload sshd
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+    - grep_allowgroups_ssh.rc == 1 # Not found
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
   ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
     regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
     replace: '\1 {{ evolinux_ssh_group }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
   when:
-    - ansible_distribution_major_version is version('11', '<=')
-    - grep_allowgroups_ssh.rc == 0
-
-- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
-    line: "AllowGroups {{ evolinux_ssh_group }}"
-    create: yes
-    mode: "0644"
-    validate: '/usr/sbin/sshd -t -f %s'
-  when:
-    - ansible_distribution_major_version is version('12', '>=')
+    - grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2 # Found, return code can be 0 or 2
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml
index 00827a46..d9ccd1f1 100644
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ b/evolinux-users/tasks/ssh_allowusers.yml
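Review bot: The new `when:` of "Append … to AllowGroups sshd directive", `rc == 0 or rc == 2`, can reach `dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"` with an empty list: grep returns 2 on any error (an unreadable file, for instance) whether or not something matched, so rc 2 with no output fails the task on the index instead of skipping it. Testing the output covers both codes, `- grep_allowgroups_ssh.stdout_lines | length > 0`, and the two "Add … AllowGroups" tasks' `rc == 1` would become `| length == 0` for the same reason. Only `stdout_lines[0]` is edited, so a second file that also carries `AllowGroups` (which `--files-with-matches` lists too) keeps its old value; that deserves a comment, or a `loop` over the list. The drop-in created with `create: yes` no longer carries the `mode: "0644"` the removed task set, so its permissions now follow the umask of the run.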
@@ -1,55 +1,84 @@
 ---
-# this check must be repeated for each user
+###
+# these checks must be repeated for each user
 # even if it's been done before
-- name: verify AllowUsers directive
+
+- name: Fetch SSHd config files
   ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+- name: Verify AllowUsers directive
+  ansible.builtin.command:
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_allowusers_ssh
-- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
+###
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian < 12)"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nAllowUsers {{ user.name }}"
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowusers_ssh.rc != 0
+  when:
+    - grep_allowusers_ssh.rc != 0
+    - ansible_distribution_major_version is version('12', '<')
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian >= 12)"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "\nAllowUsers {{ user.name }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - grep_allowusers_ssh.rc != 0
+    - ansible_distribution_major_version is version('12', '>=')
 - name: "Append '{{ user.name }}' to AllowUsers sshd directive"
   ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
     regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
     replace: '\1 {{ user.name }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowusers_ssh.rc == 0
+  when:
+    - grep_allowusers_ssh.rc == 0
 - name: "verify Match User directive"
   ansible.builtin.command:
-    cmd: "grep -E '^Match User' /etc/ssh/sshd_config"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^Match User' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_matchuser_ssh
-- name: "Add Match User sshd directive with '{{ user.name }}'"
+- name: "Add Match User sshd directive with '{{ user.name }}' (Debian <= 10)"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
     insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_matchuser_ssh.rc != 0
+  when:
+    - grep_matchuser_ssh.rc != 0
+    - ansible_distribution_major_version is version('10', '<=')
-- name: "Append '{{ user.name }}' to Match User's sshd directive"
+- name: "Append '{{ user.name }}' to Match User's sshd directive (Debian <= 10)"
   ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_matchuser_ssh.stdout_lines[0] }}"
     regexp: '^(Match User ((?!{{ user.name }}).)*)$'
     replace: '\1,{{ user.name }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_matchuser_ssh.rc == 0
+  when:
+    - grep_matchuser_ssh.rc == 0
+    - ansible_distribution_major_version is version('10', '<=')
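Review bot: "Add AllowUsers sshd directive with … (Debian >= 12)" writes to `/etc/ssh/sshd_config.d/z-evolinux-users.conf` with `ansible.builtin.lineinfile` but without `create: yes`, and lineinfile fails when the destination does not exist, so on a host where nothing has created the drop-in yet the task errors instead of adding the directive; its sibling in ssh_allowgroups.yml has the flag, so `create: yes` (with the `mode: "0644"` the old allowgroups task set) is the missing line. `insertafter: 'Subsystem'`, carried over from the sshd_config task, has no anchor in the drop-in and is dead there; dropping it avoids suggesting the line lands somewhere specific. The `when:` of "Append … to AllowUsers sshd directive" keeps `rc == 0` while ssh_allowgroups.yml now accepts `rc == 0 or rc == 2`; whichever convention wins, `- grep_allowusers_ssh.stdout_lines | length > 0` is the safer guard in front of `stdout_lines[0]`, here and in the two Match User tasks.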