diff --git a/CHANGELOG.md b/CHANGELOG.md index a111b6e7..fc5741b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part is incremented if multiple releases happen the same month ### Changed * evobackup-client: upstream release 24.05 +* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers ### Fixed diff --git a/evolinux-base/README.md b/evolinux-base/README.md index dbcf7762..486a8dc2 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -37,6 +37,6 @@ Main variables are: * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) * `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`) -* `evolinux_ssh_allow_current_user`: don't lock yourself out (default: `False`) +* `evolinux_ssh_allow_current_user`: don't lock yourself out is there is an AllowUsers or AllowGroups directive (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml index 6454e390..7fe76346 100644 --- a/evolinux-base/tasks/ssh.included-files.yml +++ b/evolinux-base/tasks/ssh.included-files.yml 
@@ -16,34 +16,75 @@ dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf mode: "0644" -- name: "Get current user's group" - ansible.builtin.command: - cmd: logname - changed_when: False - register: logname - check_mode: no - when: evolinux_ssh_allow_current_user | bool +# Should we allow the current user? +- name: Allow the current user + block: + - name: "Get current user's login" + ansible.builtin.command: + cmd: logname + changed_when: False + register: _logname + check_mode: no -- name: verify AllowUsers directive - ansible.builtin.command: - cmd: "grep -ER '^AllowUsers' /etc/ssh" - failed_when: False - changed_when: False - register: grep_allowusers_ssh - check_mode: no - when: evolinux_ssh_allow_current_user | bool + - name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no -- name: "Add AllowUsers sshd directive for current user" - ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf - create: yes - line: "AllowUsers {{ logname.stdout }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 + - name: verify AllowGroups directive + ansible.builtin.command: + cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" + failed_when: False + changed_when: False + register: grep_allowgroups_ssh + check_mode: no + + # If we have AllowUsers but not AllowGroups, append the user to the list + # (in the first file where we found the directive) + + - name: "Append user to existing AllowUsers sshd directive" + ansible.builtin.replace: + dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}" + regexp: '^(AllowUsers ((?!{{ _logname.stdout 
}}).)*)$' + replace: '\1 {{ _logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc == 0 + - grep_allowgroups_ssh.rc != 0 + + # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list + # (in the first file where we found the directive) + + - name: "Append evolinux ssh group to AllowGroups sshd directive" + ansible.builtin.replace: + dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}" + regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + + - name: "evolinux ssh group is present" + ansible.builtin.group: + name: "{{ evolinux_ssh_group }}" + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + + - name: "Add current user to evolinux ssh group" + ansible.builtin.user: + name: "{{ _logname.stdout }}" + group: "{{ evolinux_ssh_group }}" + append: yes + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + when: evolinux_ssh_allow_current_user | bool - ansible.builtin.meta: flush_handlers - -# TODO si allowusers et allowgroups, ajouter utilisateur aux deux -# TODO si allowgroups, ajouter groupe de l’utilisateur diff --git a/evolinux-base/tasks/ssh.single-file.yml b/evolinux-base/tasks/ssh.single-file.yml index e76d792f..1b3802d3 100644 --- a/evolinux-base/tasks/ssh.single-file.yml +++ b/evolinux-base/tasks/ssh.single-file.yml 
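Review bot: In "Add current user to evolinux ssh group", `ansible.builtin.user` is given `group:` (singular, the primary group) together with `append: yes`, but `append` only applies to the plural `groups:` list, so the task replaces the login user's primary group instead of adding a supplementary one; it should read `groups: "{{ evolinux_ssh_group }}"` with `append: yes`, and the same task in the ssh.single-file.yml hunk has the same problem. The block also leaves the case where both AllowUsers and AllowGroups are present unhandled: every `when` requires exactly one `rc == 0`, so with both directives nothing is appended and the current user can still be locked out (sshd must match the user against both), which is the case the deleted TODO described; dropping `- grep_allowgroups_ssh.rc != 0` from the AllowUsers task and `- grep_allowusers_ssh.rc != 0` from the three AllowGroups tasks lets both paths run in that situation. Finally, `_logname.stdout` is interpolated into `regexp:` unescaped and the negative lookahead is a substring test, so a listed `bobby` suppresses adding `bob`; `regexp: '^(AllowUsers ((?!\b{{ _logname.stdout | regex_escape }}\b).)*)$'` addresses both.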
@@ -61,40 +61,66 @@ notify: reload sshd when: ansible_distribution_major_version is version('9', '>=') -- name: "Get current user" - ansible.builtin.command: - cmd: logname - changed_when: False - register: logname - check_mode: no +# Should we allow the current user? +- name: Allow the current user + block: + - name: "Get current user" + ansible.builtin.command: + cmd: logname + changed_when: False + register: _logname + check_mode: no + + - name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no + + - name: verify AllowGroups directive + ansible.builtin.command: + cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowgroups_ssh + check_mode: no + + # If we have AllowUsers but not AllowGroups, append the user to the list + + - name: "Modify AllowUsers sshd directive for current user" + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$' + replace: '\1 {{ _logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc == 0 + - grep_allowgroups_ssh.rc != 0 + + # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list + + - name: "Add current user to {{ evolinux_ssh_group }} group" + ansible.builtin.user: + name: "{{ _logname.stdout }}" + group: "{{ evolinux_ssh_group }}" + append: yes + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + + - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" + ansible.builtin.replace: + dest: "/etc/ssh/sshd_config" + regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc != 0 + - 
grep_allowgroups_ssh.rc == 0 when: evolinux_ssh_allow_current_user | bool -# we must double-escape caracters, because python -- name: verify AllowUsers directive - ansible.builtin.command: - cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" - failed_when: False - changed_when: False - register: grep_allowusers_ssh - check_mode: no - when: evolinux_ssh_allow_current_user | bool - -- name: "Add AllowUsers sshd directive for current user" - ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ logname.stdout }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 - -- name: "Modify AllowUsers sshd directive for current user" - ansible.builtin.replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' - replace: '\1 {{ logname.stdout }}' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 - - ansible.builtin.meta: flush_handlers
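Review bot: This variant has no "evolinux ssh group is present" task before "Add current user to {{ evolinux_ssh_group }} group", unlike the ssh.included-files.yml hunk, so `ansible.builtin.user` fails with a missing-group error whenever `evolinux_ssh_group` does not already exist on the host (unless an earlier task outside this file guarantees it, which is not visible here); adding `- name: "evolinux ssh group is present"` / `ansible.builtin.group:` / `name: "{{ evolinux_ssh_group }}"` with the same `when` list keeps the two files in step. As a point of style, `dest: "/etc/ssh/sshd_config"` in the AllowGroups replace task is quoted while the AllowUsers task two tasks earlier uses `dest: /etc/ssh/sshd_config`, and the identical two-line `when` list is repeated three times; grouping those tasks under a nested `block:` with a single `when:` would remove the duplication and make the AllowGroups path easier to audit.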