Skip to content
Snippets Groups Projects
Unverified Commit a11a0d39 authored by Jeff Geerling's avatar Jeff Geerling Committed by GitHub
Browse files

Merge pull request #84 from NiftyMist/issue-79 

Issue 79 - Adds AllowUsers and AllowGroups to SSH Config
parents 2e50a778 8de47a1e
Branches main
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
README.md
+ 13
0
View file @ a11a0d39
...@@ -44,6 +44,19 @@ The port through which you'd like SSH to be accessible. The default is port 22, ...@@ -44,6 +44,19 @@ The port through which you'd like SSH to be accessible. The default is port 22,
Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`. **NOTE: It is _very_ important that you quote the 'yes' or 'no' values. Failure to do so may lock you out of your server.** Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`. **NOTE: It is _very_ important that you quote the 'yes' or 'no' values. Failure to do so may lock you out of your server.**
security_ssh_allowed_users: []
# - alice
# - bob
# - charlie
A list of users allowed to connect to the host over SSH. If no user is defined in the list, the task will be skipped.
security_ssh_allowed_groups: []
# - admins
# - devs
A list of groups allowed to connect to the host over SSH. If no group is defined in the list, the task will be skipped.
security_sshd_state: started security_sshd_state: started
The state of the SSH daemon. Typically this should remain `started`. The state of the SSH daemon. Typically this should remain `started`.
......
defaults/main.yml
+ 2
0
View file @ a11a0d39
...@@ -9,6 +9,8 @@ security_ssh_gss_api_authentication: "no" ...@@ -9,6 +9,8 @@ security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no" security_ssh_x11_forwarding: "no"
security_sshd_state: started security_sshd_state: started
security_ssh_restart_handler_state: restarted security_ssh_restart_handler_state: restarted
security_ssh_allowed_users: []
security_ssh_allowed_groups: []
security_sudoers_passwordless: [] security_sudoers_passwordless: []
security_sudoers_passworded: [] security_sudoers_passworded: []
......
tasks/ssh.yml
+ 24
0
View file @ a11a0d39
...@@ -31,6 +31,30 @@ ...@@ -31,6 +31,30 @@
line: "X11Forwarding {{ security_ssh_x11_forwarding }}" line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
notify: restart ssh notify: restart ssh
- name: Add configured users allowed to connect over ssh
lineinfile:
dest: "{{ security_ssh_config_path }}"
regexp: '^AllowUsers'
line: "AllowUsers {{ security_ssh_allowed_users | join(' ') }}"
state: present
create: true
validate: 'sshd -T -f %s'
mode: 0644
when: security_ssh_allowed_users | length > 0
notify: restart ssh
- name: Add configured groups allowed to connect over ssh
lineinfile:
dest: "{{ security_ssh_config_path }}"
regexp: '^AllowGroups'
line: "AllowGroups {{ security_ssh_allowed_groups | join(' ') }}"
state: present
create: true
validate: 'sshd -T -f %s'
mode: 0644
when: security_ssh_allowed_groups | length > 0
notify: restart ssh
- name: Add configured user accounts to passwordless sudoers. - name: Add configured user accounts to passwordless sudoers.
lineinfile: lineinfile:
dest: /etc/sudoers dest: /etc/sudoers
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment