fix 🐛: Remove unprivileged key management

This commit addresses a security concern by removing unnecessary and potentially risky tasks related to authorized key management for unprivileged users. This simplifies the system and reduces the attack surface. The changes align with best practices for user access control.
2025-12-14 06:19:09 +01:00
parent 3dec85c5a8
commit 1551565825


@@ -10,28 +10,28 @@
skeleton: /etc/skel skeleton: /etc/skel
append: true append: true
- name: Check the primary key for the unprivileged user # - name: Check the primary key for the unprivileged user
ansible.posix.authorized_key: # ansible.posix.authorized_key:
user: "{{ interactive_user }}" # user: "{{ interactive_user }}"
key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}" # key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
state: present # state: present
exclusive: false # exclusive: false
register: setkey # register: setkey
- name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler # - name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler
when: setkey.changed # when: setkey.changed
ansible.posix.authorized_key: # ansible.posix.authorized_key:
user: "{{ interactive_user }}" # user: "{{ interactive_user }}"
key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}" # key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
state: present # state: present
exclusive: true # exclusive: true
- name: Set the secondary key for the unprivileged user # - name: Set the secondary key for the unprivileged user
ansible.posix.authorized_key: # ansible.posix.authorized_key:
user: "{{ interactive_user }}" # user: "{{ interactive_user }}"
key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}" # key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}"
state: present # state: present
exclusive: false # exclusive: false
- name: Install required package to become unprivileged users - name: Install required package to become unprivileged users
ansible.builtin.apt: ansible.builtin.apt: