Improve login as root

+ fixed bug in sshd handler + allowed login as root better + ssh pubkeys for root
2024-08-16 10:29:50 +02:00 · 2024-04-15 13:04:08 +02:00 · 2024-04-15 13:04:08 +02:00 · 8106d0a4da
commit 8106d0a4da
parent 406e3cf339
9 changed files with 52 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -68,6 +68,7 @@ The Option of these directory-variables are the following.
 | ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
 | ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
 | ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
+| ``admin_root_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__set_root_ssh_keys: true`` your ssh keys will be added to root |
 | ``pubkeys`` | string or lookup | - | see examples |
 | ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
 | ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
@ -83,7 +84,9 @@ There is also the ``l3d_users__ssh_login`` variable which only supports ``name``
 | ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
 | ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
 | ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | *see [roles/user/defaults/main.yml](roles/user/defaults/main.yml)* | SSH public Keys for ansible user. One per line or as lookup |
+| ``l3d_users__set_root_ssh_keys`` | ``false`` | Set SSH Keys for root User |
+| ``l3d_users__root_ssh_keys`` | | Additional SSH Keys for root User |
 | ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
 | ``l3d_users__ansible_user_command`` | ``ALL`` | Commans with superpower for ansible user |
 | ``l3d_users__ansible_user_nopassword`` | ``true`` | Allow superpowers without password for ansible user |
--- a/roles/sshd/handlers/main.yml
+++ b/roles/sshd/handlers/main.yml
@ -5,4 +5,4 @@
  ansible.builtin.systemd:
    name: "{{ l3d_users__sshd_service }}"
    state: restarted
-  when: sshd__service is defined and ansible_service_mgr == 'systemd'
+  when: l3d_users__sshd__service is defined and ansible_service_mgr == 'systemd'
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@ -112,11 +112,21 @@ UsePAM yes
 {% endfor %}

 # User Authentication
-{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' %}
+{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and not l3d_users__sshd_permitrootlogin | bool %}
 AllowUsers ansible {{ _sshd_accounts | join(' ') }}

 # Group Authentication
 AllowGroups ansible {{ _sshd_accounts | join(' ') }}
+{% elif l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and l3d_users__sshd_permitrootlogin | bool %}
+AllowUsers root ansible {{ _sshd_accounts | join(' ') }}
+
+# Group Authentication
+AllowGroups root ansible {{ _sshd_accounts | join(' ') }}
+{% elif not l3d_users__create_ansible | bool and l3d_users__sshd_permitrootlogin | bool %}
+AllowUsers root {{ _sshd_accounts | join(' ') }}
+
+# Group Authentication
+AllowGroups root {{ _sshd_accounts | join(' ') }}
 {% else %}
 AllowUsers {{ _sshd_accounts | join(' ') }}

--- a/roles/sshd/vars/main.yml
+++ b/roles/sshd/vars/main.yml
@ -1,5 +1,5 @@
 ---
-playbook_version_number: 6
+playbook_version_number: 7
 playbook_version_path: 'l3d.users.sshd.version'

 l3d_users_sshd__service_var_path:
--- a/roles/user/README.md
+++ b/roles/user/README.md
@ -26,6 +26,7 @@ The Option of these directory-variables are the following.
 | ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
 | ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
 | ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
+| ``admin_root_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__set_root_ssh_keys: true`` your ssh keys will be added to root |
 | ``pubkeys`` | string or lookup | - | see examples |
 | ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
 | ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
@ -39,8 +40,10 @@ The Option of these directory-variables are the following.
 | ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
 | ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
 | ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | *see [defaults/main.yml](defaults/main.yml)* | SSH public Keys for ansible user. One per line or as lookup |
 | ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``l3d_users__set_root_ssh_keys`` | ``false`` | Set SSH Keys for root User |
+| ``l3d_users__root_ssh_keys`` |  | Additional SSH Keys for root User |
 | ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |

 Example Playbook
--- a/roles/user/defaults/main.yml
+++ b/roles/user/defaults/main.yml
@ -35,6 +35,8 @@ l3d_users__ansible_user_state: 'present'
 l3d_users__set_ansible_ssh_keys: false
 l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
 l3d_users__ansible_user_password: ''
+l3d_users__set_root_ssh_keys: false
+l3d_users__root_ssh_keys: ''

 # run simple versionscheck
 submodules_versioncheck: false
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@ -20,3 +20,8 @@
 - name: Manage SSH public keys
  ansible.builtin.include_tasks:
    file: 'pubkeys.yml'
+
+- name: Set SSH public Keys for root
+  ansible.builtin.include_tasks:
+    file: 'root_ssh.yml'
+  when: l3d_users__set_root_ssh_keys | bool
--- a/roles/user/tasks/root_ssh.yml
+++ b/roles/user/tasks/root_ssh.yml
@ -0,0 +1,23 @@
+---
+- name: Set dedicated SSH keys root and drop all other keys
+  become: true
+  ansible.posix.authorized_key:
+    user: 'ansible'
+    state: 'present'
+    key: "{{ l3d_users__root_ssh_keys }}"
+    exclusive: true
+
+- name: Add admin keys to user ansible
+  become: true
+  ansible.posix.authorized_key:
+    user: 'ansible'
+    state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
+    key: "{{ user.pubkeys | default() }}"
+    exclusive: false
+  loop: "{{ _l3d_users__merged_users }}"
+  when: user.admin | default(false) | bool and user.admin_root_login | default(true) | bool
+  loop_control:
+    label: "user={{ user.name }}"
+    loop_var: user
+
+
--- a/roles/user/vars/main.yml
+++ b/roles/user/vars/main.yml
@ -1,3 +1,3 @@
 ---
-playbook_version_number: 12
+playbook_version_number: 13
 playbook_version_path: 'l3d.users.user.version'