ansible/role/base: Fixup the sshd_allowusers mess
diff --git
a/ansible/roles/base/tasks/main.yaml
b/ansible/roles/base/tasks/main.yaml
index
c62d223
..
df3b075
100644
(file)
--- a/
ansible/roles/base/tasks/main.yaml
+++ b/
ansible/roles/base/tasks/main.yaml
@@
-1,7
+1,8
@@
---
- set_fact:
sshd_allowusers: >-
---
- set_fact:
sshd_allowusers: >-
- {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
| union(sshd_allowusers_host | default([])) }}
- name: only allow pubkey auth for root
| union(sshd_allowusers_host | default([])) }}
- name: only allow pubkey auth for root
@@
-11,28
+12,30
@@
line: "PermitRootLogin without-password"
notify: restart ssh
line: "PermitRootLogin without-password"
notify: restart ssh
-- name: limit allowed users (1/3)
+- name: limit allowed users (1/2)
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?AllowUsers"
line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?AllowUsers"
line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
- when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
+ when: sshd_allowgroup is not defined
notify: restart ssh
- block:
notify: restart ssh
- block:
- - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers"
state: absent
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers"
state: absent
+ notify: restart ssh
- - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?AllowGroups"
line: AllowGroups {{ sshd_allowgroup }}
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?AllowGroups"
line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
- - name: "limit allowed users (2/3): Add allowed users to ssh group"
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
user:
name: "{{ item }}"
groups: "{{ sshd_allowgroup }}"
user:
name: "{{ item }}"
groups: "{{ sshd_allowgroup }}"
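Review bot: The relaxed `when: sshd_allowgroup is not defined` on task (1/2) now writes `AllowUsers` on every host without a group, but nothing in that branch removes a stale `AllowGroups` line, whereas the AllowGroups block below does strip `^AllowUsers` before setting its own directive; sshd requires a login to pass both directives when both are present, so a host switched from group mode to user mode keeps locking out anyone not in the old group. This asymmetry predates the commit, but with the (3/3) cleanup task deleted there is now no path that ever removes `AllowGroups` once it has been written. I would add a companion task in the same branch (below) and consider `validate: "/usr/sbin/sshd -t -f %s"` on these lineinfile calls so a malformed line is rejected before `restart ssh` fires. Whether the `user:` task sets `append` so it does not replace each member's other supplementary groups is not visible here; that task's body continues past the hunk.
```yaml
# … unchanged: limit allowed users (1/2) task writing AllowUsers …
- name: "limit allowed users (1/2): Make sure AllowGroups is not in sshd_config"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    state: absent
  when: sshd_allowgroup is not defined
  notify: restart ssh
# … unchanged: AllowGroups block …
```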
@@
-41,14
+44,6
@@
when: sshd_allowgroup is defined
when: sshd_allowgroup is defined
-- name: limit allowed users (3/3)
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^Allow(Users|Groups)"
- state: absent
- when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
- notify: restart ssh
-
- name: Set authorized keys for root user
authorized_key:
user: root
- name: Set authorized keys for root user
authorized_key:
user: root