
I'm writing an Ansible play to automate new user creation on 100+ Unix servers. I've got the part right where it creates a user and assigns a password. But our organization's hardening policy demands that, whenever a new user is added, the username must be added to the "AllowUsers" parameter of the sshd_config file. I'm new to Ansible and have no clue how to get this done.

Here's the "AllowUsers" section of the sshd_config file.

AllowUsers root user1 user2

This is how it should look after adding a new user "testuser":

AllowUsers root user1 user2 testuser

2 Answers


I searched for a solution that doesn't do anything if the user is already on the list. This is how it should work in Ansible. My solution first searches for the user, and only if the user is not on the list will it be added.

tasks:
- name: Check if bamboo user already is in SSHD AllowUsers list
  command: grep -P '^[ \t]*AllowUsers[ \t]+([-\w ]+[ \t]+)*bamboo([ \t]+.+)*$' /etc/ssh/sshd_config
  register: allow_users_exists
  changed_when: no
  ignore_errors: yes

- name: Allow bamboo user SSH login
  lineinfile:
    regexp: ^[ \t]*AllowUsers([ \t]+.*)$
    line: AllowUsers bamboo\1
    dest: /etc/ssh/sshd_config
    backrefs: yes
    validate: sshd -t -f %s
  when: allow_users_exists.rc != 0
  notify:
    - reload sshd

handlers:
- name: reload sshd
  service:
    name: sshd
    state: reloaded

In this special case I'm searching for the static user "bamboo". You could use a variable instead, like this:

command: grep -P '^[ \t]*AllowUsers[ \t]+([-\w ]+[ \t]+)*{{ username | regex_escape() }}([ \t]+.+)*$' /etc/ssh/sshd_config

and

line: AllowUsers {{ username }}\1

Results

In:

AllowUsers ubuntu #sdfd

Out:

AllowUsers bamboo ubuntu #sdfd

In:

AllowUsers ubuntu

Out:

AllowUsers bamboo ubuntu

In:

AllowUsers ubuntu bamboo

Out:

AllowUsers ubuntu bamboo
– Michael


With the lineinfile module, match the line with a regexp, say "^AllowUsers .+", and construct the line with the new user name. Some sample example:

- command: grep "^AllowUsers " /etc/ssh/sshd_config
  register: old_user_list
  changed_when: false   # read-only check, never reported as a change
  failed_when: false    # grep exits 1 when there is no match; that must not abort the play
- lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^AllowUsers .+"
    # old_user_list.stdout is the whole existing line; the new name is appended to it.
    # Jinja variable names cannot contain hyphens (they parse as subtraction), so use underscores.
    line: "{{ old_user_list.stdout }} {{ new_user_name }}"
  when: old_user_list.rc == 0
– v_sukt
  • Thanks for the prompt response. I'll test this out and let you know. I just wanted to know why the line "when: old_user_list.rc = 0" is used? – Gautham Shervegar Jun 01 '18 at 13:30
  • It's used so that the file is only updated if grep finds an existing configuration that allows specific users in the sshd_config file, so that the task does just what is intended and doesn't place a line in the file if it isn't already enabled for the SSH server. Let me know if this method worked for you by accepting this answer. – v_sukt Jun 04 '18 at 13:21
  • Throws me the error `The conditional check 'old_user_list.rc= 0' failed. The error was: template error while templating string: expected token 'end of statement block', got '='` – Gautham Shervegar Jun 06 '18 at 08:22
  • I have updated the code. It seems it requires == for comparison rather than =. – v_sukt Jun 08 '18 at 06:27
  • Hi, thanks. I came up with this play and it seems to work fine. – Gautham Shervegar Jun 12 '18 at 09:00
  • - name: Collect AllowUsers list from sshd config file
      command: bash -c "grep '^AllowUsers' /etc/ssh/sshd_config"
      ignore_errors: yes
      changed_when: no
      register: old_user_list
    - name: Append new username in the AllowUsers list
      lineinfile:
        regexp: "^AllowUsers"
        line: "{{ old_user_list.stdout }} {{ newusername }}"
        dest: /etc/ssh/sshd_config
      when:
        - old_user_list is succeeded
      notify:
        - restart sshd
    handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
    – Gautham Shervegar Jun 12 '18 at 09:02
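Both answers above rebuild the AllowUsers line from whatever grep returned: the first prepends the login after a regex check, the second appends it to the matched line. The play below is an added example, not code from either answer or from the original poster. It tokenizes the existing directive instead of pattern-matching it, so entries such as admin@10.0.0.* and a login that is already present are handled without duplicates, and it refuses to run when the directive is absent, because writing a fresh "AllowUsers testuser" into a file that had no AllowUsers line would lock every other account out. The variable names new_user and sshd_config, and the sshd binary path /usr/sbin/sshd, are assumptions.

```yaml
- name: Ensure a login is present in sshd AllowUsers (idempotent)
  hosts: all
  become: true
  vars:
    new_user: testuser                    # assumed variable name
    sshd_config: /etc/ssh/sshd_config     # assumed path
  tasks:
    - name: Read the current AllowUsers directive
      ansible.builtin.command: grep -E '^[[:space:]]*AllowUsers[[:space:]]' {{ sshd_config }}
      register: allow_line
      changed_when: false
      # grep exits 1 when nothing matches; only rc > 1 is a real error
      failed_when: allow_line.rc > 1

    - name: Refuse to proceed if the directive is missing or duplicated
      # No AllowUsers line means sshd allows everyone; creating one with only
      # the new login would lock out every other account. Two lines would be
      # merged wrongly by the split below, so exactly one is required.
      ansible.builtin.fail:
        msg: "Expected exactly one AllowUsers line in {{ sshd_config }}, found {{ allow_line.stdout_lines | length }}"
      when: allow_line.stdout_lines | length != 1

    - name: Build the deduplicated list (existing entries first, then the new login)
      # split() tokenizes on whitespace, [1:] drops the AllowUsers keyword,
      # unique removes the login if it is already there (so the task is idempotent)
      ansible.builtin.set_fact:
        allow_users: "{{ (allow_line.stdout.split()[1:] + [new_user]) | unique }}"

    - name: Write the directive back, syntax-checked before it replaces the file
      ansible.builtin.lineinfile:
        path: "{{ sshd_config }}"
        regexp: '^\s*AllowUsers\s'
        line: "AllowUsers {{ allow_users | join(' ') }}"
        validate: /usr/sbin/sshd -t -f %s   # assumed binary path; rejects a malformed line
      notify: reload sshd

  handlers:
    - name: reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded
```

On a second run the rebuilt line is identical to the existing one, so lineinfile reports no change and the handler does not fire. The validate step matters: lineinfile writes the candidate to a temporary file and only installs it if sshd -t accepts it, which is the check that keeps a typo in the username list from leaving the daemon unable to reload on 100 hosts at once.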