dev-sec/ansible-ssh-hardening

Allow SSH Password login for specific users

RogerSik opened this issue · 5 comments

Would be nice if specific users / user groups were allowed for SSH password logins. We use this for restricted customer SFTP upload accounts.

Currently we use this code in /etc/sshd_config

Match Group ssh-with-password
    PasswordAuthentication yes

Hey!

This should already work with something like this:

ssh_server_match_user:
  - user: 'ssh-with-password'
    rules:
      - 'PasswordAuthentication yes'

See this example:

ssh_server_match_user:

@rndmh3ro cool! Will test it. :)

Do I need specific formatting to use it as a variable?

ssh_server_match_group:
  - group: 'ssh-with-password'
    rules:
      - 'PasswordAuthentication yes'

You need to set it e.g. like this:

- hosts: localhost
  vars:
    ssh_server_match_group:
      - group: 'ssh-with-password'
        rules:
          - 'PasswordAuthentication yes'
  roles:
    - ansible-ssh-hardening

I'll close this for now! Feel free to reopen if the problem persists.
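A way to check the result of the `Match Group` override discussed in this thread, as an added example that is not part of the issue or the role's own code: it evaluates a rendered `sshd_config` and reports which `PasswordAuthentication` value applies to a given user, so you can confirm the exception stays limited to the intended group. The sample config, user names and function names are constructed for illustration; only `User`, `Group` and `all` criteria are modelled, with wildcard matching approximated by `fnmatch` and negated patterns not handled.

```python
from fnmatch import fnmatchcase

# Constructed sample of a rendered sshd_config (not output captured from the role).
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes

Match Group ssh-with-password
    PasswordAuthentication yes

Match User backup
    PasswordAuthentication no
"""

def _criteria_match(criteria, user, groups):
    """criteria: tokens after 'Match', e.g. ['Group', 'a,b']. Every pair must match."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if not criteria or len(criteria) % 2:
        return False  # malformed Match line: treat as not satisfied
    for kind, patterns in zip(criteria[::2], criteria[1::2]):
        # Host, Address, etc. are not modelled and never match here.
        subjects = {"user": [user], "group": list(groups)}.get(kind.lower(), [])
        if not any(fnmatchcase(s, p) for s in subjects for p in patterns.split(",")):
            return False
    return True

def effective_setting(config_text, keyword, user, groups):
    """Return the value that applies to `keyword` for this user, or None if unset."""
    global_value = match_value = None
    in_match = active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split()
        if key.lower() == "match":
            in_match, active = True, _criteria_match(rest, user, groups)
        elif key.lower() == keyword.lower():
            value = " ".join(rest)
            if not in_match and global_value is None:
                global_value = value   # first global occurrence wins
            elif in_match and active and match_value is None:
                match_value = value    # first satisfied Match block wins
    # A satisfied Match block overrides the global section.
    return match_value if match_value is not None else global_value
```

Because only the first satisfied `Match` block counts for a keyword, a user who is in `ssh-with-password` and also named in a later, stricter block still gets `yes`; block order in the rendered file matters.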