authorChristian Pointner <equinox@spreadspace.org>2021-04-13 01:26:11 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-04-13 01:26:11 +0200
commit8accaf3930a4c009b22c9c040580e54e1eb096e8 (patch)
treeeb375733718f5ade9bf3b8b54ab997e8fdf31698 /roles/core
parentupgrade collabora and nextcloud (diff)
sshd: disable password auth by default
Diffstat (limited to 'roles/core')
-rw-r--r--roles/core/sshd/base/defaults/main.yml8
-rw-r--r--roles/core/sshd/base/tasks/main.yml27
2 files changed, 34 insertions, 1 deletions
diff --git a/roles/core/sshd/base/defaults/main.yml b/roles/core/sshd/base/defaults/main.yml
index 50cc0f15..235f3962 100644
--- a/roles/core/sshd/base/defaults/main.yml
+++ b/roles/core/sshd/base/defaults/main.yml
@@ -1,2 +1,10 @@
---
+sshd_allowusers_host: []
+sshd_allowusers_group: []
sshd_allow_any_user: false
+
+sshd_allowgroups_host: []
+sshd_allowgroups_group: []
+sshd_allow_any_group: true
+
+sshd_password_auth: false
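Review bot: The six new variables carry no comments, so a reader of defaults/main.yml cannot tell how `sshd_allowgroups_host` and `sshd_allowgroups_group` relate to each other, or why `sshd_allow_any_group` defaults to `true` while `sshd_allow_any_user` stays `false`. The tasks hunk further down unions the two list variables into a single `AllowGroups` line and fails the play when both are empty unless `sshd_allow_any_group` is set, which is worth stating here next to the values. Suggested comments: `# AllowGroups is the union of both lists; leaving both empty fails the play unless sshd_allow_any_group is true` above `sshd_allowgroups_host`, and `# rendered into sshd_config as PasswordAuthentication yes/no` above `sshd_password_auth`.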
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
index e5c9f6a7..cf5862fa 100644
--- a/roles/core/sshd/base/tasks/main.yml
+++ b/roles/core/sshd/base/tasks/main.yml
@@ -14,6 +14,7 @@
PermitRootLogin: "without-password"
PubkeyAuthentication: "yes"
HostbasedAuthentication: "no"
+ PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"
PermitEmptyPasswords: "no"
UseDNS: "no"
loop: "{{ sshd_options | dict2items }}"
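Review bot: `PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"` renders `yes` for any truthy value, and a string override such as `"no"` or `"false"` supplied via extra-vars or a host_vars file is truthy in Jinja, so a string-typed override would silently re-enable password authentication. The other new conditions in this commit pass the variable through `| bool` first; this line should do the same: `PasswordAuthentication: "{{ sshd_password_auth | bool | ternary('yes', 'no') }}"`. The task that owns this `sshd_options` mapping starts above the hunk.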
@@ -21,7 +22,7 @@
label: "{{ item.key }} = {{ item.value }}"
lineinfile:
dest: /etc/ssh/sshd_config
- regexp: "^#?\\s*{{ item.key }}\\s"
+ regexp: "^(#\\s*)?{{ item.key }}\\s"
line: "{{ item.key }} {{ item.value }}"
insertbefore: '^### ansible core/sshd/base config barrier ###'
notify: restart ssh
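Review bot: The reason for narrowing the regexp from `^#?\\s*KEY\\s` to `^(#\\s*)?KEY\\s` is not recorded in the task; the visible effect is that an indented, uncommented directive is no longer matched, which looks intended to leave `Match`-block entries alone but should be said. Suggested comment above the `regexp:` line: `# match only top-level (unindented) directives, commented or not; indented lines are left for Match blocks`. Separately, sshd compares keywords case-insensitively and keeps the first value it reads, so a pre-existing `passwordauthentication yes` is matched by neither form and could still take precedence over the inserted line; if that matters, `regexp: "(?i)^(#\\s*)?{{ item.key }}\\s"` covers it. The lineinfile task starts above the hunk.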
@@ -43,6 +44,30 @@
state: absent
notify: restart ssh
+- name: limit allowed groups
+ when: not sshd_allow_any_group | bool
+ block:
+ - name: verify sshd allow-groups are configured
+ assert:
+ that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0
+ msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host
+
+ - name: set AllowGroups option
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host)) }}"
+ insertbefore: '^### ansible core/sshd/base config barrier ###'
+ notify: restart ssh
+
+- name: allow any group
+ when: sshd_allow_any_group | bool
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ state: absent
+ notify: restart ssh
+
- name: install config barriers for other roles to use
loop:
- line: "### ansible core/sshd/base config barrier ###"