-- name: limit allowed users (2/2)
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers"
- state: absent
- when: not sshd_allowusers_set | default(true)
- notify: restart ssh
+- block:
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
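Review bot: The task order inside the new block can leave sshd_config restricting logins to an empty group: `AllowUsers` is removed and `AllowGroups {{ sshd_allowgroup }}` is written before the `user` task populates that group, so if the `user` task fails (nothing in the hunk creates the group, and an undefined `sshd_allowusers` also aborts the loop) the file on disk already references a group with no members and the next sshd restart locks every account out. Move the `user` task to the top of the block, and consider a `group:` task for `"{{ sshd_allowgroup }}"` ahead of it, so membership exists before the directive does. Note also that the `user` module creates accounts that do not exist, so a typo in `sshd_allowusers` silently adds a new local user; a membership-only approach (e.g. checking existence first) is worth a comment or a guard. Minor: `append: True` should be the canonical `append: true`, and quoting `line: "AllowGroups {{ sshd_allowgroup }}"` matches the other templated values in the hunk.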