If an AllowGroups directive is found, or when using Debian 9+, we use the AllowGroups directive and comment out any AllowUsers directive that may already be present. When adding a user, we make sure that the allowed group exists and that the user is in that group, so that at least this user is allowed to connect. In other situations, we use the AllowUsers directive.
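---
# Warn early when the address list is empty: the "Match Address" tasks below are
# guarded by `evolinux_ssh_password_auth_addresses != []` and will be skipped.
- name: Warn when evolinux_ssh_password_auth_addresses is empty
  debug:
    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
  when: evolinux_ssh_password_auth_addresses == []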
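# From 'man sshd_config' :
# « If all of the criteria on the Match line are satisfied, the keywords
# on the following lines override those set in the global section of the config
# file, until either another Match line or the end of the file.
# If a keyword appears in multiple Match blocks that are satisfied,
# only the first instance of the keyword is applied. »
#
# We want to allow any user from a list of IP addresses to login with password,
# but users of the "evolix" group can't login with password from other IP addresses.
# The order of the two Match blocks matters: "Match Address" comes first, so an
# "evolix" member connecting from an allowed address still gets the "yes".

- name: Security directives for Evolinux (Debian 9 or later)
  blockinfile:
    dest: /etc/ssh/sshd_config
    # Everything after a Match line belongs to that Match block, so the block
    # has to be the last thing in the file (insertafter: EOF).
    block: |
      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
        PasswordAuthentication yes
      Match Group evolix
        PasswordAuthentication no
    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
    insertafter: EOF
    # sshd parses the candidate file (%s) first; a non-zero exit aborts the change.
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when:
    - evolinux_ssh_password_auth_addresses != []
    # NOTE(review): version_compare is the older name of the `version` filter;
    # keep whichever the targeted Ansible release supports.
    - ansible_distribution_major_version | version_compare('9', '>=')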
- name: Security directives for Evolinux (Jessie)
  # Jessie variant: only the "Match Address" block is installed; this task has
  # no "Match Group evolix" counterpart (NOTE(review): the Debian 9+ task adds
  # both — confirm the difference is intended).
  # NOTE(review): the marker differs from the Debian 9+ one, so a host upgraded
  # from Jessie would presumably keep this block next to the newer one — verify.
  when:
    - evolinux_ssh_password_auth_addresses != []
    - ansible_distribution_release == "jessie"
  notify: reload sshd
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
    # Match blocks extend to the end of the file, hence EOF.
    insertafter: EOF
    validate: "/usr/sbin/sshd -T -f %s"
    block: |
      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
        PasswordAuthentication yes
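# We disable AcceptEnv because it can be a security issue, but also because we
# do not want clients to push their environment variables like LANG.
- name: disable AcceptEnv in ssh config
  replace:
    dest: /etc/ssh/sshd_config
    # Only the keyword at the start of the line is matched; the rest of the line
    # (the variable list) is kept, just commented out. Once commented the
    # pattern no longer matches, so the task is idempotent.
    # NOTE(review): sshd keywords are case-insensitive; an "acceptenv" spelling
    # would not be caught by this pattern.
    regexp: '^AcceptEnv'
    replace: "#AcceptEnv"
    # Same safety net as the other sshd_config tasks: sshd parses the candidate
    # file before it replaces the live one.
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: evolinux_ssh_disable_acceptenv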
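- name: Set log level to verbose (for Debian >= 9)
  replace:
    dest: /etc/ssh/sshd_config
    # Match the (possibly commented-out) keyword and its whole argument. The
    # argument class includes digits so that values such as DEBUG1..DEBUG3 are
    # replaced entirely; with "[A-Z]+" alone the trailing digit survives and
    # leaves an invalid "LogLevel VERBOSE1" behind. Re-running on a line that
    # already reads "LogLevel VERBOSE" rewrites it unchanged (idempotent).
    regexp: '^#?LogLevel[ \t]+[A-Za-z0-9]+'
    replace: "LogLevel VERBOSE"
    # Let sshd parse the candidate file before it replaces the live one.
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: ansible_distribution_major_version | version_compare('9', '>=')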
- name: "Get current user"
  # The login name is reused by the AllowUsers tasks below (logname.stdout).
  # NOTE(review): logname needs a login session to report a name; confirm how
  # this behaves for non-interactive runs.
  when: evolinux_ssh_allow_current_user
  check_mode: false
  changed_when: false
  register: logname
  command: logname
# we must double-escape characters, because python
# (NOTE(review): this remark seems to concern the regexp tasks further down
# rather than this grep — confirm.)
- name: verify AllowUsers directive
  # The exit code drives the two AllowUsers tasks below:
  # rc != 0 -> no directive yet, one is added; rc == 0 -> the existing one is extended.
  # NOTE(review): the pattern is case-sensitive whereas sshd keywords are not.
  when: evolinux_ssh_allow_current_user
  check_mode: false
  changed_when: false
  failed_when: false
  register: grep_allowusers_ssh
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
- name: "Add AllowUsers sshd directive for current user"
  # Runs only when the grep above found no AllowUsers line (rc != 0).
  # The leading "\n" in `line` puts a blank line before the directive; because
  # the newline is part of the value, idempotency relies on the grep result
  # rather than on lineinfile's own line matching.
  # NOTE(review): when no "Subsystem" line is found, lineinfile falls back to
  # EOF, i.e. inside the Match block installed above — the directive would then
  # be scoped to that block instead of being global. Confirm this cannot happen.
  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
  notify: reload sshd
  lineinfile:
    dest: /etc/ssh/sshd_config
    insertafter: "Subsystem"
    line: "\nAllowUsers {{ logname.stdout }}"
    validate: "/usr/sbin/sshd -T -f %s"
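- name: "Modify AllowUsers sshd directive for current user"
  replace:
    dest: /etc/ssh/sshd_config
    # Append the current user to the existing AllowUsers line unless it is
    # already listed. The negative lookahead checks for the name as a whole
    # token (preceded by whitespace, followed by whitespace or end of line), so
    # a user "bob" is still added when only "bobby" or "bob2" is present; a bare
    # substring check would skip him and leave him unable to log in.
    # regex_escape protects against regex metacharacters in the login name.
    # A second run finds the name as a token and changes nothing (idempotent).
    regexp: '^(AllowUsers(?!.*\s{{ logname.stdout | regex_escape }}(?:\s|$)).*)$'
    # \1 is the whole original line.
    replace: '\1 {{ logname.stdout }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0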
# Run the pending "reload sshd" notifications now instead of at the end of the
# play, so the sshd_config changes above are in effect for whatever follows.
- meta: flush_handlers