diff --git a/README.md b/README.md index 15f5fcb..4b5480d 100644 --- a/README.md +++ b/README.md @@ -28,19 +28,24 @@ The following role variables are relevant: * `sftp_start_directory`: A directory that need to be part of sftp_directories values and that is the start directory of new sftp connection. Disable by default with an empty string value. * `sftp_allow_passwords`: Whether or not to allow password authentication for SFTP. Defaults to False. * `sftp_enable_selinux_support`: Whether or not to explicitly enable SELinux support. Defaults to False. -* `sftp_enable_logging`: Enable logging. Auth logs will be written to `/var/log/sftp/auth.log`, and SFTP activity logs will be written to `/var/log/sftp/verbose.log`. Defaults to False. +* `sftp_enable_logging`: Enable logging; defaults to `False`. +* `sftp_logging_destination`: Rsyslogd destination for SFTP activity logs; defaults to `-/var/log/sftp/verbose.log`. * `sftp_users`: A list of users, in map form, containing the following elements: * `name`: The Unix name of the user that requires SFTP access. * `group`: An optional user primary group. If set, it will be used for the user's home permission. Otherwise, the `sftp_group_name` is used. * `password`: A password hash for the user to login with - ie `openssl passwd -1 -salt salty passpass`. Blank passwords can be set with `password: ""`. NOTE: It appears that `UsePAM yes` and `PermitEmptyPassword yes` need to be set in `sshd_config` in order for blank passwords to work properly. Making those changes currently falls outside the scope of this role and will need to be done externally. - * `shell`: Boolean indicating if the user should have a shell access (default to `True`). + * `shell`: Boolean indicating if the user should have a shell access (default to `False`). * `authorized`: An optional list of files placed in `files/` which contain valid public keys for the SFTP user. * `sftp_directories`: A list of directories that need to be individually created for an SFTP user. Defaults to a blank list (i.e. "[]"). * `append`: Boolean to add `sftp_group_name` to the user groups (if any) instead of setting it (default to `False`). * `mode`: The users home directory mode (defaults to `0750`). * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`. + * `uid`: An optional UID of the sftp user. +* `sftp_login_shell`: Boolean indicating if the users should have a shell access (default to `False`). * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.) +* `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. +* `sftp_configure_sshd`: Boolean indicating if sshd configuration should be altered. Defaults to `true`. Notes: diff --git a/defaults/main.yml b/defaults/main.yml index ef6e45d..8da4815 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,3 +7,5 @@ sftp_allow_passwords: False sftp_enable_selinux_support: False sftp_enable_logging: False sftp_nologin_shell: /sbin/nologin +sftp_logging_destination: -/var/log/sftp/verbose.log +sftp_configure_sshd: true diff --git a/tasks/main.yml b/tasks/main.yml index a59c928..2f928ce 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -21,6 +21,7 @@ line: "Subsystem sftp internal-sftp -f AUTH -l VERBOSE" state: present notify: SFTP-Server | Restart sshd + when: sftp_configure_sshd - name: SFTP-Server | Ensure SELinux management package is present package: @@ -51,6 +52,7 @@ ForceCommand internal-sftp {{ sftp_enable_logging | ternary('-l VERBOSE', '') }} {{ (sftp_start_directory in sftp_directories or sftp_start_directory in sftp_directories | selectattr("name", "defined") | map(attribute='name') | list) | ternary('-d /' + sftp_start_directory, '') }} PasswordAuthentication {{ sftp_allow_passwords | ternary('yes', 'no') }} notify: SFTP-Server | Restart sshd + when: sftp_configure_sshd - name: SFTP-Server | Create sftp user's group group: @@ -62,14 +64,16 @@ - name: SFTP-Server | Create sftp users user: name: "{{ item.name }}" + password: "{{ item.password | default(omit) }}" group: "{{ item.group | default(omit) }}" groups: "{{ sftp_group_name }}" append: "{{ item.append | default(False) }}" home: "{{ item.home }}" - # `None` means default value -> default is to have a shell - shell: "{{ None if (item.shell | default(True)) else sftp_nologin_shell }}" - skeleton: "{{ item.skeleton | default(omit) }}" + # `None` means default value -> default is to have no login shell + shell: "{{ None if (item.shell | default(sftp_login_shell) | default(False)) else sftp_nologin_shell }}" + skeleton: "{{ item.skeleton | default(sftp_home_skeleton) | default(omit) }}" state: present + uid: "{{ item.uid | default(omit) }}" with_items: "{{ _sftp_users }}" # A working chrooted SFTP setup requires root:sftgroup ownership of a user's home directory. @@ -77,7 +81,7 @@ file: path: "{{ sftp_home_partition }}" state: directory - mode: 0750 + mode: 0755 group: "{{ sftp_group_name }}" owner: root @@ -85,7 +89,7 @@ file: path: "{{ item.home }}" owner: root - group: "{{ item.group | default(sftp_group_name) }}" + group: "{{ item.group | default(item.name) }}" mode: "{{ item.mode | default(0750) }}" with_items: "{{ _sftp_users }}" @@ -100,14 +104,6 @@ - flags: skip_missing: True -# Update user passwords, if they were specified. -- name: SFTP-Server | Update user passwords - user: - name: "{{ item.name }}" - password: "{{ item.password }}" - with_items: "{{ _sftp_users }}" - when: item.password is defined - # Create directories for all SFTP users. Optional, but recommended. - name: SFTP-Server | Create directories file: @@ -155,11 +151,8 @@ {% endfor %} # Log internal-sftp in a separate file - :programname, isequal, "internal-sftp" -/var/log/sftp/verbose.log + :programname, isequal, "internal-sftp" {{ sftp_logging_destination }} :programname, isequal, "internal-sftp" ~ - - # additionally write an auth log - auth,authpriv.* /var/log/sftp/auth.log when: sftp_enable_logging notify: SFTP-Server | Restart rsyslog