Enforce the ssh keys.
parent
dbcc203822
commit
e919807bd7
|
@ -54,6 +54,7 @@
|
|||
password: "{{ item.password | default('*') }}"
|
||||
update_password: "{{ item.update_password | default('on_create') }}"
|
||||
state: "{{ item.state | default('present') }}"
|
||||
force: true
|
||||
loop: '{{ users_system_users }}'
|
||||
no_log: true
|
||||
|
||||
|
@ -61,6 +62,7 @@
|
|||
ansible.posix.authorized_key:
|
||||
user: "{{ item.login }}"
|
||||
key: "{{ item.ssh_key }}"
|
||||
exclusive: true
|
||||
state: present
|
||||
loop: '{{ users_system_users }}'
|
||||
when: item.ssh_key is defined
|
||||
|
@ -74,28 +76,6 @@
|
|||
when:
|
||||
- item.admin
|
||||
|
||||
- name: Ensure that the users can login with their ssh keys as root when needed
|
||||
ansible.posix.authorized_key:
|
||||
user: root
|
||||
key: "{{ item.ssh_key }}"
|
||||
state: present
|
||||
loop: '{{ users_system_users }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- item.log_as_root is defined
|
||||
- item.log_as_root
|
||||
|
||||
- name: Ensure that the users can not login with their ssh keys as root
|
||||
ansible.posix.authorized_key:
|
||||
user: root
|
||||
key: "{{ item.ssh_key }}"
|
||||
state: absent
|
||||
loop: '{{ users_system_users }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- item.log_as_root is defined
|
||||
- not item.log_as_root
|
||||
|
||||
- name: Manage additional users
|
||||
tags: users
|
||||
block:
|
||||
|
@ -112,6 +92,7 @@
|
|||
password: "{{ item.password | default('*') }}"
|
||||
update_password: "{{ item.update_password | default('on_create') }}"
|
||||
state: "{{ item.state | default('present') }}"
|
||||
force: true
|
||||
loop: '{{ users_system_users_adjunct }}'
|
||||
no_log: true
|
||||
|
||||
|
@ -119,6 +100,7 @@
|
|||
ansible.posix.authorized_key:
|
||||
user: "{{ item.login }}"
|
||||
key: "{{ item.ssh_key }}"
|
||||
exclusive: true
|
||||
state: present
|
||||
loop: '{{ users_system_users_adjunct }}'
|
||||
when: item.ssh_key is defined
|
||||
|
@ -132,28 +114,6 @@
|
|||
when:
|
||||
- item.admin
|
||||
|
||||
- name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access
|
||||
ansible.posix.authorized_key:
|
||||
user: root
|
||||
key: "{{ item.ssh_key }}"
|
||||
state: present
|
||||
loop: '{{ users_system_users_adjunct }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- item.log_as_root is defined
|
||||
- item.log_as_root
|
||||
|
||||
- name: Ensure that the additional users cannot login with their ssh keys as root
|
||||
ansible.posix.authorized_key:
|
||||
user: root
|
||||
key: "{{ item.ssh_key }}"
|
||||
state: absent
|
||||
loop: '{{ users_system_users_adjunct }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- item.log_as_root is defined
|
||||
- not item.log_as_root
|
||||
|
||||
- name: Configure passwordless sudo
|
||||
tags: ['users', 'sudo_wheel']
|
||||
block:
|
||||
|
|
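Review bot: Removing both root `ansible.posix.authorized_key` tasks (the `state: present` / `state: absent` pair in `@ -74,28 +76,6` and again in `@ -132,28 +114,6`) leaves root's authorized_keys unmanaged, so keys installed earlier for users with `log_as_root: true` would presumably remain on hosts that were already provisioned. If direct root login is being retired, either keep a `state: absent` task for `user: root` without the `log_as_root` conditions during a transition, or manage root's file from an explicit key list with `exclusive: true`. Separately, `exclusive: true` in the per-user tasks is documented as not loop-aware, so it is applied per iteration. A login that appears twice in `users_system_users` or `users_system_users_adjunct` keeps only the last item's key, and a user with several keys must pass them newline-separated in one `ssh_key` value; a comment such as `# exclusive is per loop item: list all of a user's keys in ssh_key, one per line` above those tasks would record this. The rest of the tasks file is outside this page, so root may be handled elsewhere.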