forked from evolix/ansible-roles
98 lines
2.8 KiB
YAML
98 lines
2.8 KiB
YAML
---
|
|
|
|
|
|
- name: "Create .ssh directory for '{{ user.name }}'"
|
|
file:
|
|
dest: '/home/{{ user.name }}/.ssh/'
|
|
state: directory
|
|
mode: "0700"
|
|
owner: '{{ user.name }}'
|
|
group: '{{ user.name }}'
|
|
|
|
- name: "Add user's SSH public key for '{{ user.name }}'"
|
|
authorized_key:
|
|
user: "{{ user.name }}"
|
|
key: "{{ user.ssh_key }}"
|
|
state: present
|
|
when: user.ssh_key is defined
|
|
|
|
- name: "Add user's SSH public keys for '{{ user.name }}'"
|
|
authorized_key:
|
|
user: "{{ user.name }}"
|
|
key: "{{ ssk_key }}"
|
|
state: present
|
|
with_items: "{{ user.ssh_keys }}"
|
|
loop_control:
|
|
loop_var: ssk_key
|
|
when: user.ssh_keys is defined
|
|
|
|
- name: verify AllowGroups directive
|
|
shell: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
|
changed_when: False
|
|
failed_when: False
|
|
register: grep_allowgroups_ssh
|
|
check_mode: no
|
|
|
|
# If AllowGroups is present, we don't change
|
|
- debug:
|
|
msg: "AllowGroups detected : You have to configure SSH manually"
|
|
when: grep_allowgroups_ssh.rc == 0
|
|
|
|
- block:
|
|
# If AllowGroups is not present, we proceed as usual
|
|
- name: verify AllowUsers directive
|
|
shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
|
changed_when: False
|
|
failed_when: False
|
|
register: grep_allowusers_ssh
|
|
check_mode: no
|
|
|
|
- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
|
|
lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
line: "\nAllowUsers {{ user.name }}"
|
|
insertafter: 'Subsystem'
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
when: grep_allowusers_ssh.rc != 0
|
|
|
|
- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
|
replace: '\1 {{ user.name }}'
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
when: grep_allowusers_ssh.rc == 0
|
|
|
|
- name: "verify Match User directive"
|
|
command: "grep 'Match User' /etc/ssh/sshd_config"
|
|
changed_when: False
|
|
failed_when: False
|
|
register: grep_matchuser_ssh
|
|
check_mode: no
|
|
|
|
- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
|
|
lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
|
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
when:
|
|
- ansible_distribution_release == "jessie"
|
|
- grep_matchuser_ssh.rc != 0
|
|
|
|
- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
|
replace: '\1,{{ user.name }}'
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
when:
|
|
- ansible_distribution_release == "jessie"
|
|
- grep_matchuser_ssh.rc == 0
|
|
|
|
when: grep_allowgroups_ssh.rc != 0
|