ansible: Only allow SSH from group SSH on wuerfel
authornicoo <nicoo@realraum.at>
Wed, 15 Nov 2017 00:31:42 +0000 (01:31 +0100)
committernicoo <nicoo@realraum.at>
Wed, 15 Nov 2017 00:31:42 +0000 (01:31 +0100)
ansible/host_vars/wuerfel [new file with mode: 0644]
ansible/roles/base/tasks/main.yaml

diff --git a/ansible/host_vars/wuerfel b/ansible/host_vars/wuerfel
new file mode 100644 (file)
index 0000000..c7f5f5c
--- /dev/null
@@ -0,0 +1 @@
+sshd_allowgroup: ssh
index 7f60b4e..1e53273 100644 (file)
@@ -6,20 +6,42 @@
      line: "PermitRootLogin without-password"
   notify: restart ssh
 
-- name: limit allowed users (1/2)
+- name: limit allowed users (1/3)
   lineinfile:
      dest: /etc/ssh/sshd_config
-     regexp: "^AllowUsers"
+     regexp: "^#?AllowUsers"
      line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}"
-  when: sshd_allowusers_set | default(true)
+  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
   notify: restart ssh
 
-- name: limit allowed users (2/2)
+- block:
+    - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^AllowUsers"
+        state: absent
+
+    - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^#?AllowGroups"
+        line: AllowGroups {{ sshd_allowgroup }}
+
+    - name: "limit allowed users (2/3): Add allowed users to ssh group"
+      user:
+        name: "{{ item }}"
+        groups: "{{ sshd_allowgroup }}"
+        append: True
+      with_items: "{{ [ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([])) }}"
+
+  when: sshd_allowgroup is defined
+
+- name: limit allowed users (3/3)
   lineinfile:
      dest: /etc/ssh/sshd_config
-     regexp: "^AllowUsers"
+     regexp: "^Allow(Users|Groups)"
      state: absent
-  when: not sshd_allowusers_set | default(true)
+  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
   notify: restart ssh
 
 - name: Set authorized keys for root user
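Review bot: The two lineinfile tasks inside the new block (the AllowUsers removal and the AllowGroups line) edit sshd_config without `notify: restart ssh`, so on a host like wuerfel that sets sshd_allowgroup the new restriction is written to disk but not applied until sshd happens to restart, whereas the sibling tasks (1/3) and (3/3) do notify the handler. Add `notify: restart ssh` to both of those tasks, and consider moving the "Add allowed users to ssh group" task ahead of the AllowGroups task so that a failure between the two cannot leave a config on disk that locks root out at the next restart. The `user` task also assumes the group named in sshd_allowgroup already exists, since nothing in the role creates it and the user module fails when the group is missing — a `group: name: "{{ sshd_allowgroup }}"` task before it would make the role self-contained. Separately, the new condition `sshd_allowusers_set is defined` no longer looks at the variable's value, so a host setting `sshd_allowusers_set: false` now gets the AllowUsers restriction instead of the unrestricted (3/3) path, the opposite of the old `sshd_allowusers_set | default(true)` semantics; if the boolean is meant to be honoured, compare its value (e.g. `when: sshd_allowusers_set | default(false) and sshd_allowgroup is not defined`, with the matching inverse on (3/3)). Lastly, `append: True` should be the canonical lowercase `append: true`.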