Set user login shell and directory skeleton globally
Allows setting the SFTP user login shell and directory skeleton globally
instead of only per user. The user settings overwrite the global ones.

Closes #3
strebitz committed Sep 18, 2020
1 parent ef74731 commit 2612d89
Showing 2 changed files with 5 additions and 4 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -33,13 +33,14 @@ The following role variables are relevant:
* `name`: The Unix name of the user that requires SFTP access.
* `group`: An optional user primary group. If set, it will be used for the user's home permission. Otherwise, the `sftp_group_name` is used.
* `password`: A password hash for the user to login with - ie `openssl passwd -1 -salt salty passpass`. Blank passwords can be set with `password: ""`. NOTE: It appears that `UsePAM yes` and `PermitEmptyPassword yes` need to be set in `sshd_config` in order for blank passwords to work properly. Making those changes currently falls outside the scope of this role and will need to be done externally.
* `shell`: Boolean indicating if the user should have a shell access (default to `True`).
* `shell`: Boolean indicating if the user should have a shell access (default to `False`).
* `authorized`: An optional list of files placed in `files/` which contain valid public keys for the SFTP user.
* `sftp_directories`: A list of directories that need to be individually created for an SFTP user. Defaults to a blank list (i.e. "[]").
* `append`: Boolean to add `sftp_group_name` to the user groups (if any) instead of setting it (default to `False`).
* `mode`: The users home directory mode (defaults to `0750`).
* `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults.
* `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`.
* `sftp_login_shell`: Boolean indicating if the users should have a shell access (default to `False`).
* `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.)
* `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults.
* `sftp_configure_sshd`: Boolean indicating if sshd configuration should be altered. Defaults to `true`.
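
Review bot: the per-user `shell` line now documents a default of `False` where it said `True`, which changes behaviour for every existing user entry that omits `shell`, yet neither this hunk nor the commit message flags it. State it explicitly (for example, that users without `shell` now receive `sftp_nologin_shell`), and reword the per-user `shell` and `skeleton` entries to say they fall back to `sftp_login_shell` and `sftp_home_skeleton`, so the precedence described in the commit message is also in the README. The new `sftp_login_shell` entry reads "if the users should have a shell access"; something like "whether users get a login shell when `shell` is not set per user" would be clearer.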
6 changes: 3 additions & 3 deletions tasks/main.yml
Expand Up @@ -68,9 +68,9 @@
groups: "{{ sftp_group_name }}"
append: "{{ item.append | default(False) }}"
home: "{{ item.home }}"
# `None` means default value -> default is to have a shell
shell: "{{ None if (item.shell | default(True)) else sftp_nologin_shell }}"
skeleton: "{{ item.skeleton | default(omit) }}"
# `None` means default value -> default is to have no login shell
shell: "{{ None if (item.shell | default(sftp_login_shell) | default(False)) else sftp_nologin_shell }}"
skeleton: "{{ item.skeleton | default(sftp_home_skeleton) | default(omit) }}"
state: present
with_items: "{{ _sftp_users }}"
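
Review bot: on the new `shell:` line the result of `item.shell | default(sftp_login_shell) | default(False)` is tested for truthiness without `| bool`, so a value that arrives as a string such as "false" or "no" (as happens with variables passed as `-e key=value`) is non-empty, therefore truthy, and the account gets a login shell instead of `sftp_nologin_shell`. Add `| bool` inside the parentheses, before the `if`. Separately, the commit touches only README.md and tasks/main.yml, so `sftp_login_shell` has no declared value and relies on the trailing `default(False)`; declaring `sftp_login_shell: False` in the role defaults would put the no-shell default in one visible place.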
