From 840c8b780fb8a2e86f26248b7a761a918d3c77b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Wed, 26 Jun 2024 14:11:50 +0200
Subject: [PATCH] ssh: Fix ssh access for srht services

The AuthorizedKeysCommand got overwritten by the 20-systemd-userdb.conf file. To restore access and simplify the configuration, everything srht specific will be set in 10-srht.conf now. sshd will use the first obtained value for a setting. In theory the sshd configuration could be moved out of this role into the srht role now as well.
---
 roles/ssh/tasks/server.yml | 11 +++++++++++
 roles/ssh/templates/10-srht.conf.j2 | 4 ++++
 roles/ssh/templates/sshd_config.j2 | 7 -------
 3 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 roles/ssh/templates/10-srht.conf.j2

diff --git a/roles/ssh/tasks/server.yml b/roles/ssh/tasks/server.yml
index f46b2f2..853fad9 100644
--- a/roles/ssh/tasks/server.yml
+++ b/roles/ssh/tasks/server.yml
@@ -9,6 +9,17 @@
 validate: /usr/sbin/sshd -t -f %s
 notify: Restart sshd
 
+- name: Configure sshd for srht
+ ansible.builtin.template:
+ src: 10-srht.conf.j2
+ dest: /etc/ssh/sshd_config.d/10-srht.conf
+ owner: root
+ group: root
+ mode: "0644"
+ validate: /usr/sbin/sshd -t -f %s
+ notify: Restart sshd
+ when: srht is defined and srht
+
 - name: Start and enable sshd
 ansible.builtin.systemd:
 name: sshd
diff --git a/roles/ssh/templates/10-srht.conf.j2 b/roles/ssh/templates/10-srht.conf.j2
new file mode 100644
index 0000000..0ca72f2
--- /dev/null
+++ b/roles/ssh/templates/10-srht.conf.j2
@@ -0,0 +1,4 @@
+AllowUsers {{ primary_user }} git builds deploy
+AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
+AuthorizedKeysCommandUser=root
+PermitUserEnvironment SRHT_*
diff --git a/roles/ssh/templates/sshd_config.j2 b/roles/ssh/templates/sshd_config.j2
index 1072b74..4f4b742 100644
--- a/roles/ssh/templates/sshd_config.j2
+++ b/roles/ssh/templates/sshd_config.j2
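Review bot: The condition on the new task in roles/ssh/tasks/server.yml, `when: srht is defined and srht`, is looser than the `srht is sameas true` test this commit removes from sshd_config.j2: depending on the Ansible version, a non-empty string value such as "false" can evaluate as true, and the drop-in that admits `git`, `builds` and `deploy` and runs the key command as root would be installed anyway. `when: srht | default(false) | bool` states the intent explicitly. Nothing removes /etc/ssh/sshd_config.d/10-srht.conf when the flag is off, so a host that had srht enabled once keeps those settings; an `ansible.builtin.file` task with `state: absent` under the inverse condition would close that. Note also that `validate: /usr/sbin/sshd -t -f %s` checks the fragment on its own, not the merged configuration, so it cannot catch an ordering conflict like the one being fixed here.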
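Review bot: Nothing in roles/ssh/templates/10-srht.conf.j2 records that it must sort ahead of 20-systemd-userdb.conf, which is the invariant the whole fix depends on; a header comment such as `# Managed by Ansible. Must sort before 20-systemd-userdb.conf: sshd keeps the first AuthorizedKeysCommand it reads.` would keep a later rename from silently breaking srht key lookup again. First-value-wins holds for `AuthorizedKeysCommand`, `AuthorizedKeysCommandUser` and `PermitUserEnvironment`, but as far as I know `AllowUsers` accumulates across occurrences, so this list is merged with the `AllowUsers {{ primary_user }}` that stays in sshd_config.j2 rather than overriding it; that is harmless today but worth stating in the same comment. Because the file has no `Match` block, the root-run dispatch command and the `SRHT_*` environment allowance apply to every login, including `{{ primary_user }}`; this presumably mirrors the upstream sr.ht setup, and a one-line comment saying so would help the next reviewer.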
@@ -129,11 +129,4 @@ StreamLocalBindUnlink yes
 # PermitTTY no
 # ForceCommand cvs server
 
-{% if srht is sameas true %}
-AllowUsers {{ primary_user }} git builds deploy
-AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
-AuthorizedKeysCommandUser=root
-PermitUserEnvironment SRHT_*
-{% else %}
 AllowUsers {{ primary_user }}
-{% endif %}
-- 
2.47.1