From: nicoo
Date: Fri, 17 Nov 2017 13:22:41 +0000 (+0100)
Subject: ansible/role/base: Fixup the sshd_allowusers mess
X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=c6e1016c9a263ee5b156400fb12ff88ba565d3c2;p=noc.git

ansible/role/base: Fixup the sshd_allowusers mess
---
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
new file mode 100644
index 0000000..3037b7e
--- /dev/null
+++ b/ansible/group_vars/all
@@ -0,0 +1,27 @@
+user_groups:
+ noc:
+ - equinox
+ - gebi
+ - nicoo
+ - bernhard
+
+users:
+ equinox:
+ email: equinox@realraum.at
+ gpg: 0xD74907C9E64E6CED8FE3
+
+ gebi:
+ email: michael@mgeb.org
+ gpg: 0x6E302CF4D98B9702
+
+ nicoo:
+ email: nicolas@braud-santoni.eu
+ gpg: 0x3F41B0739AAD91B7CDC0
+
+ bernhard:
+ email: xro@realraum.at
+ gpg: 0xE3468B9CE81EB4F91486
+
+noc_groups:
+ - adm
+ - sudo
diff --git a/ansible/host_vars/ctf b/ansible/host_vars/ctf
index bbd7e60..15b2514 100644
--- a/ansible/host_vars/ctf
+++ b/ansible/host_vars/ctf
@@ -1,3 +1,3 @@
-sshd_allowusers_set:
+sshd_allowusers_host:
 - f0rki
 - verr
diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml
index c62d223..df3b075 100644
--- a/ansible/roles/base/tasks/main.yaml
+++ b/ansible/roles/base/tasks/main.yaml
@@ -1,7 +1,8 @@
 ---
 - set_fact:
 sshd_allowusers: >-
- {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
 | union(sshd_allowusers_host | default([])) }}
 - name: only allow pubkey auth for root
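Review bot: The `gpg:` values in the new `users` mapping are unquoted `0x…` scalars, which a YAML 1.1 loader (the PyYAML-based loader Ansible uses) resolves as hexadecimal integers rather than strings, so anything that later templates `{{ users[x].gpg }}` gets the key ID rendered in decimal and will not match the key. Quote all four as strings, e.g. `gpg: "0xD74907C9E64E6CED8FE3"`. These also look like 64- to 80-bit key IDs rather than full 160-bit fingerprints; if they are used to fetch or verify keys, recording the full fingerprint avoids key-ID collision problems.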
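Review bot: The `set_fact` task that builds `sshd_allowusers` has no `name:`, unlike every other task in the file, and the intent of the expression (root, the whole noc group, then optional per-group and per-host additions) is only recoverable by reading the Jinja. Give it `- name: Build sshd AllowUsers list (root, noc group, per-group and per-host extras)`. Note also that `user_groups.noc` is the only term without `| default([])`, so a host whose inventory does not load group_vars/all fails the play instead of silently producing an allowlist without the noc users; that reads as deliberate fail-closed behaviour but deserves a comment such as `# user_groups.noc is intentionally not defaulted: fail rather than drop noc from AllowUsers`.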
@@ -11,28 +12,30 @@
 line: "PermitRootLogin without-password"
 notify: restart ssh
-- name: limit allowed users (1/3)
+- name: limit allowed users (1/2)
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^#?AllowUsers"
 line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
- when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
+ when: sshd_allowgroup is not defined
 notify: restart ssh
 - block:
- - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^AllowUsers"
 state: absent
+ notify: restart ssh
- - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^#?AllowGroups"
 line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
- - name: "limit allowed users (2/3): Add allowed users to ssh group"
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
 user:
 name: "{{ item }}"
 groups: "{{ sshd_allowgroup }}"
@@ -41,14 +44,6 @@
 when: sshd_allowgroup is defined
-- name: limit allowed users (3/3)
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^Allow(Users|Groups)"
- state: absent
- when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
- notify: restart ssh
-
 - name: Set authorized keys for root user
 authorized_key:
 user: root
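Review bot: With the `when:` on "limit allowed users (1/2)" relaxed to `sshd_allowgroup is not defined` and the old (3/3) cleanup task removed in the following hunk, nothing in the AllowUsers branch removes a stale `AllowGroups` line any more, whereas the `block:` branch does remove `AllowUsers` before writing `AllowGroups`. sshd enforces every Allow* directive present, so a host moved from `sshd_allowgroup` back to the plain AllowUsers path keeps its old `AllowGroups` and anyone not in that group — including the noc users this commit adds — is denied login. Add a matching removal task under the same condition, as below. The `block:` branch and its closing `when:` continue in the next hunk.

```yaml
# … unchanged: "limit allowed users (1/2)" AllowUsers task …
- name: "limit allowed users (1/2): Make sure AllowGroups is not in sshd_config"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    state: absent
  when: sshd_allowgroup is not defined
  notify: restart ssh
# … unchanged: block for the sshd_allowgroup case …
```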