Jose
1551565825
This commit addresses a security concern by removing unnecessary and potentially risky tasks related to authorized key management for unprivileged users. This simplifies the system and reduces the attack surface. The changes align with best practices for user access control.
40 lines
1.3 KiB
YAML
40 lines
1.3 KiB
YAML
---
|
|
- name: Ensure that unprivileged user is present
|
|
ansible.builtin.user:
|
|
name: "{{ interactive_user }}"
|
|
shell: /bin/bash
|
|
home: "{{ interactive_home }}"
|
|
password: "{{ interactive_password }}"
|
|
groups: sudo
|
|
create_home: true
|
|
skeleton: /etc/skel
|
|
append: true
|
|
|
|
# - name: Check the primary key for the unprivileged user
|
|
# ansible.posix.authorized_key:
|
|
# user: "{{ interactive_user }}"
|
|
# key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
|
|
# state: present
|
|
# exclusive: false
|
|
# register: setkey
|
|
|
|
# - name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler
|
|
# when: setkey.changed
|
|
# ansible.posix.authorized_key:
|
|
# user: "{{ interactive_user }}"
|
|
# key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
|
|
# state: present
|
|
# exclusive: true
|
|
|
|
# - name: Set the secondary key for the unprivileged user
|
|
# ansible.posix.authorized_key:
|
|
# user: "{{ interactive_user }}"
|
|
# key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}"
|
|
# state: present
|
|
# exclusive: false
|
|
|
|
- name: Install required package to become unprivileged users
|
|
ansible.builtin.apt:
|
|
name: acl
|
|
state: present
|