From 8106d0a4dac88217292b10e93bbb452a45de4fe8 Mon Sep 17 00:00:00 2001
From: L3D <l3d@c3woc.de>
Date: Mon, 15 Apr 2024 13:04:08 +0200
Subject: [PATCH] Improve login as root

+ fixed bug in sshd handler
+ allowed login as root better
+ ssh pubkeys for root
---
 README.md                           |  5 ++++-
 roles/sshd/handlers/main.yml        |  2 +-
 roles/sshd/templates/sshd_config.j2 | 12 +++++++++++-
 roles/sshd/vars/main.yml            |  2 +-
 roles/user/README.md                |  5 ++++-
 roles/user/defaults/main.yml        |  2 ++
 roles/user/tasks/main.yml           |  5 +++++
 roles/user/tasks/root_ssh.yml       | 23 +++++++++++++++++++++++
 roles/user/vars/main.yml            |  2 +-
 9 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 roles/user/tasks/root_ssh.yml

diff --git a/README.md b/README.md
index bb618a2..5eba184 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ The Option of these directory-variables are the following.
 | ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
 | ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
 | ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
+| ``admin_root_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__set_root_ssh_keys: true`` your ssh keys will be added to root |
 | ``pubkeys`` | string or lookup | - | see examples |
 | ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
 | ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
@@ -83,7 +84,9 @@ There is also the ``l3d_users__ssh_login`` variable which only supports ``name``
 | ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
 | ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
 | ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | *see [roles/user/defaults/main.yml](roles/user/defaults/main.yml)* | SSH public Keys for ansible user. One per line or as lookup |
+| ``l3d_users__set_root_ssh_keys`` | ``false`` | Set SSH Keys for root User |
+| ``l3d_users__root_ssh_keys`` | | Additional SSH Keys for root User |
 | ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
 | ``l3d_users__ansible_user_command`` | ``ALL`` | Commans with superpower for ansible user |
 | ``l3d_users__ansible_user_nopassword`` | ``true`` | Allow superpowers without password for ansible user |
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
index 9c3acd9..d4db2cb 100644
--- a/roles/sshd/handlers/main.yml
+++ b/roles/sshd/handlers/main.yml
@@ -5,4 +5,4 @@
   ansible.builtin.systemd:
     name: "{{ l3d_users__sshd_service }}"
     state: restarted
-  when: sshd__service is defined and ansible_service_mgr == 'systemd'
+  when: l3d_users__sshd__service is defined and ansible_service_mgr == 'systemd'
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index d41d6c4..048a69c 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -112,11 +112,21 @@ UsePAM yes
 {% endfor %}
 
 # User Authentication
-{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' %}
+{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and not l3d_users__sshd_permitrootlogin | bool %}
 AllowUsers ansible {{ _sshd_accounts | join(' ') }}
 
 # Group Authentication
 AllowGroups ansible {{ _sshd_accounts | join(' ') }}
+{% elif l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and l3d_users__sshd_permitrootlogin | bool %}
+AllowUsers root ansible {{ _sshd_accounts | join(' ') }}
+
+# Group Authentication
+AllowGroups root ansible {{ _sshd_accounts | join(' ') }}
+{% elif not l3d_users__create_ansible | bool and l3d_users__sshd_permitrootlogin | bool %}
+AllowUsers root {{ _sshd_accounts | join(' ') }}
+
+# Group Authentication
+AllowGroups root {{ _sshd_accounts | join(' ') }}
 {% else %}
 AllowUsers {{ _sshd_accounts | join(' ') }}
 
diff --git a/roles/sshd/vars/main.yml b/roles/sshd/vars/main.yml
index 2628230..e74b22d 100644
--- a/roles/sshd/vars/main.yml
+++ b/roles/sshd/vars/main.yml
@@ -1,5 +1,5 @@
 ---
-playbook_version_number: 6
+playbook_version_number: 7
 playbook_version_path: 'l3d.users.sshd.version'
 
 l3d_users_sshd__service_var_path:
diff --git a/roles/user/README.md b/roles/user/README.md
index 354685d..3ae1f95 100644
--- a/roles/user/README.md
+++ b/roles/user/README.md
@@ -26,6 +26,7 @@ The Option of these directory-variables are the following.
 | ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
 | ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
 | ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
+| ``admin_root_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__set_root_ssh_keys: true`` your ssh keys will be added to root |
 | ``pubkeys`` | string or lookup | - | see examples |
 | ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
 | ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
@@ -39,8 +40,10 @@ The Option of these directory-variables are the following.
 | ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
 | ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
 | ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | *see [defaults/main.yml](defaults/main.yml)* | SSH public Keys for ansible user. One per line or as lookup |
 | ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``l3d_users__set_root_ssh_keys`` | ``false`` | Set SSH Keys for root User |
+| ``l3d_users__root_ssh_keys`` |  | Additional SSH Keys for root User |
 | ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
 
  Example Playbook
diff --git a/roles/user/defaults/main.yml b/roles/user/defaults/main.yml
index 2022b5e..0c22d28 100644
--- a/roles/user/defaults/main.yml
+++ b/roles/user/defaults/main.yml
@@ -35,6 +35,8 @@ l3d_users__ansible_user_state: 'present'
 l3d_users__set_ansible_ssh_keys: false
 l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
 l3d_users__ansible_user_password: ''
+l3d_users__set_root_ssh_keys: false
+l3d_users__root_ssh_keys: ''
 
 # run simple versionscheck
 submodules_versioncheck: false
diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml
index 83e5a07..470eb93 100644
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@@ -20,3 +20,8 @@
 - name: Manage SSH public keys
   ansible.builtin.include_tasks:
     file: 'pubkeys.yml'
+
+- name: Set SSH public Keys for root
+  ansible.builtin.include_tasks:
+    file: 'root_ssh.yml'
+  when: l3d_users__set_root_ssh_keys | bool
diff --git a/roles/user/tasks/root_ssh.yml b/roles/user/tasks/root_ssh.yml
new file mode 100644
index 0000000..115d400
--- /dev/null
+++ b/roles/user/tasks/root_ssh.yml
@@ -0,0 +1,23 @@
+---
+- name: Set dedicated SSH keys root and drop all other keys
+  become: true
+  ansible.posix.authorized_key:
+    user: 'ansible'
+    state: 'present'
+    key: "{{ l3d_users__root_ssh_keys }}"
+    exclusive: true
+
+- name: Add admin keys to user ansible
+  become: true
+  ansible.posix.authorized_key:
+    user: 'ansible'
+    state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
+    key: "{{ user.pubkeys | default() }}"
+    exclusive: false
+  loop: "{{ _l3d_users__merged_users }}"
+  when: user.admin | default(false) | bool and user.admin_root_login | default(true) | bool
+  loop_control:
+    label: "user={{ user.name }}"
+    loop_var: user
+
+
diff --git a/roles/user/vars/main.yml b/roles/user/vars/main.yml
index 018dfdd..69d442b 100644
--- a/roles/user/vars/main.yml
+++ b/roles/user/vars/main.yml
@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 12
+playbook_version_number: 13
 playbook_version_path: 'l3d.users.user.version'