From 2612d890061a421fd0acc35b188e21ef3eabeb60 Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Fri, 27 Mar 2020 23:28:21 +0100 Subject: [PATCH] Set user login shell and directory skeleton globally Allows to set the SFTP user login shell and directory skeleton globally instead of only per user. The user settings overwrite the global ones. Closes nephosolutions/ansible-role-sftp-server#3 --- README.md | 3 ++- tasks/main.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4b15438..9487bad 100644 --- a/README.md +++ b/README.md 
@@ -33,13 +33,14 @@ The following role variables are relevant: * `name`: The Unix name of the user that requires SFTP access. * `group`: An optional user primary group. If set, it will be used for the user's home permission. Otherwise, the `sftp_group_name` is used. * `password`: A password hash for the user to login with - ie `openssl passwd -1 -salt salty passpass`. Blank passwords can be set with `password: ""`. NOTE: It appears that `UsePAM yes` and `PermitEmptyPassword yes` need to be set in `sshd_config` in order for blank passwords to work properly. Making those changes currently falls outside the scope of this role and will need to be done externally. - * `shell`: Boolean indicating if the user should have a shell access (default to `True`). + * `shell`: Boolean indicating if the user should have a shell access (default to `False`). * `authorized`: An optional list of files placed in `files/` which contain valid public keys for the SFTP user. * `sftp_directories`: A list of directories that need to be individually created for an SFTP user. Defaults to a blank list (i.e. "[]"). * `append`: Boolean to add `sftp_group_name` to the user groups (if any) instead of setting it (default to `False`). * `mode`: The users home directory mode (defaults to `0750`). * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`. +* `sftp_login_shell`: Boolean indicating if the users should have a shell access (default to `False`). * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.) * `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `sftp_configure_sshd`: Boolean indicating if sshd configuration should be altered. Defaults to `true`. diff --git a/tasks/main.yml b/tasks/main.yml index 08423e7..0727f56 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -68,9 +68,9 @@ groups: "{{ sftp_group_name }}" append: "{{ item.append | default(False) }}" home: "{{ item.home }}" - # `None` means default value -> default is to have a shell - shell: "{{ None if (item.shell | default(True)) else sftp_nologin_shell }}" - skeleton: "{{ item.skeleton | default(omit) }}" + # `None` means default value -> default is to have no login shell + shell: "{{ None if (item.shell | default(sftp_login_shell) | default(False)) else sftp_nologin_shell }}" + skeleton: "{{ item.skeleton | default(sftp_home_skeleton) | default(omit) }}" state: present with_items: "{{ _sftp_users }}"
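Review bot: in the README hunk, the documented default for the per-user `shell` key (`default to False`) does not match the new task logic, where an unset per-user `shell` first falls back to `sftp_login_shell` and only then to `False`; the entry should say something like `* \`shell\`: Boolean indicating if the user should have shell access (defaults to \`sftp_login_shell\`).` The README or the commit message should also call out that flipping the default from `True` to `False` is a behaviour change: users that never set `shell` will be switched to `sftp_nologin_shell` on the next run. That is the right least-privilege default for SFTP-only accounts, but anyone who relied on the old implicit shell will be locked out, so it deserves a one-line note. Minor: `a shell access` reads better as `shell access` in both the `shell` and `sftp_login_shell` lines.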
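Review bot: in the tasks/main.yml hunk, `sftp_login_shell` is not added to `defaults/main.yml` (the diffstat lists only README.md and tasks/main.yml), so the role relies on the trailing `| default(False)` to cope with the variable being undefined; defining `sftp_login_shell: False` (and `sftp_home_skeleton` if it is not already there) in the role defaults would make the documented defaults real and let the expressions shrink to `item.shell | default(sftp_login_shell)` and `item.skeleton | default(sftp_home_skeleton) | default(omit)`. Also note that `default()` without `true` as its second argument only substitutes for an undefined value, so a per-user `shell: ""` or `skeleton: ""` is passed through unchanged instead of falling back to the global setting; that matches the previous behaviour but is worth a comment next to the new `# \`None\` means default value` line if it is intended.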