Simplifying group management

2024-04-01 00:49:02 -05:00 · 2024-04-01 00:49:02 -05:00 · 87973dfb6e
parent 85286b5412
commit 87973dfb6e
3 changed files with 18 additions and 15 deletions
--- a/roles/Password/package/ldap-adduser
+++ b/roles/Password/package/ldap-adduser
@ -46,12 +46,14 @@ if [ "$?" -eq 0 ]; then
        cp /opt/aninix/Password/sample-user.ldif "$file"
        line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
        line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
-        line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
+        line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /$username/#" "$file"
        line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
        line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
        line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
        ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
        ldap-resetpass "$username"
+        # Create default home
+        cp -r /etc/skel "/home/$username"; chmod 0027 "/home/$username"; chown -R "$username": "/home/$username"
    fi
    rmdir "$lockfile"
    exit 0;
--- a/roles/SSH/files/sshd_config
+++ b/roles/SSH/files/sshd_config
@ -41,21 +41,23 @@ ChallengeResponseAuthentication no
 HostbasedAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
-DenyGroups [^ssh-allow]
-AllowGroups ssh-allow
 PermitRootLogin no
 PermitEmptyPasswords no

-## Access Controls
-Match Group ssh-forward
+## By default, only ssh-allow or ldapusers are allowed to sftp
+AllowGroups ssh sftp ldapuser
+Match Group ldapuser,sftp
+    ForceCommand internal-sftp
+    ChrootDirectory /home
+
+## Special groups are allowed shell
+Match Group wheel,ssh-allow
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes
-
-Match Group sftp-home-jail
-    ForceCommand internal-sftp
-    ChrootDirectory /home
+    ForceCommand none
+    ChrootDirectory none

 # Allow other packages to ship snippets
 Include /etc/ssh/includes/*
--- a/roles/SSH/tasks/main.yml
+++ b/roles/SSH/tasks/main.yml
@ -34,15 +34,14 @@
       name: "{{ item }}"
       state: present
   loop:
-       - ssh-allow
-       - ssh-forward
-       - sftp-home-jail
+       - ssh
+       - sftp

- - name: Add SSH user to ssh-allow
+ - name: Add SSH user to ssh group
   become: yes
   user:
       name: "{{ ansible_user_id }}"
-       groups: ssh-allow
+       groups: ssh
       append: yes

 - name: Copy the SSH key
@ -75,7 +74,7 @@
   file:
     path: /etc/ssh/includes
     state: directory
-     user: root
+     owner: root
     group: root
     mode: 0755