From 8dbc41d2cae23e4fcf788a45cb1ee3943381b32b Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Tue, 16 Jan 2024 14:39:33 +0200
Subject: [PATCH 1/3] disable root login completely

---
 infrastructure/server-setup/tasks/users.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
index 25e307700..14a8900a8 100644
--- a/infrastructure/server-setup/tasks/users.yml
+++ b/infrastructure/server-setup/tasks/users.yml
@@ -122,6 +122,11 @@
state: present
when: ansible_user != "root"
+- name: Disable root account login completely
ansible.builtin.command:
cmd: passwd -l root
become: yes
+
- name: Enable KbdInteractiveAuthentication in SSHD Config
lineinfile:
path: /etc/ssh/sshd_config
From 595e1a22f55c798f2e3acf78fb4a03c3f3bd9d26 Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Tue, 16 Jan 2024 15:18:50 +0200
Subject: [PATCH 2/3] stop users from using 'su'

---
 infrastructure/server-setup/tasks/users.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
index 783e9f4e7..799d4190a 100644
--- a/infrastructure/server-setup/tasks/users.yml
+++ b/infrastructure/server-setup/tasks/users.yml
@@ -4,10 +4,10 @@
state: '{{ item.state }}'
with_items: '{{ users }}'
-- name: Grant passwordless sudo to the users
+- name: Grant passwordless sudo to the users, but prevent usage of 'su'
ansible.builtin.lineinfile:
path: /etc/sudoers.d/{{ item.name }}
- line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL'
+ line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL, !/usr/bin/su'
validate: 'visudo -cf %s'
create: yes
become: yes
From 2341bd02a9f928bf89b413809e96a4b37aca3c66 Mon Sep 17 00:00:00 2001
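Review bot: Locking the password with `passwd -l root` does not by itself disable root login: SSH public-key authentication for root is unaffected by a locked password, and nothing in this hunk sets `PermitRootLogin no` in sshd_config, so the commit title overstates the effect unless another task outside this diff does that. The next task in the file already manages sshd_config with `lineinfile`, so the same pattern can enforce it. Separately, `ansible.builtin.command` is not idempotent and will report changed on every run; `ansible.builtin.user` with `password_lock: true` expresses the same lock idempotently and is the form shown below.

```yaml
- name: Lock the root password (blocks password auth and su-to-root; key auth is NOT affected)
  ansible.builtin.user:
    name: root
    password_lock: true
  become: yes

- name: Disable root SSH login regardless of auth method
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: 'sshd -t -f %s'
  become: yes

# … unchanged: Enable KbdInteractiveAuthentication task …
```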
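Review bot: The `!/usr/bin/su` exclusion on the new `line:` does not prevent these users from becoming root: with `ALL` still granted they can run `sudo -i`, `sudo -s`, `sudo bash`, `sudo sh -c su`, or copy `su` to another path, and the sudoers(5) manual itself warns that `!` command exclusions are not an effective restriction. On hosts without merged `/usr` the binary may also be reachable as `/bin/su`, which this exclusion does not match. Since the first patch in this series locks the root password, plain `su` already fails for these users, so the exclusion mainly discourages `sudo su`. If the intent is a guard-rail rather than a security boundary, say so above the task: `# NOTE: '!' exclusions in sudoers are bypassable (sudo -i, sudo sh, a copied binary); this only discourages 'sudo su', it does not prevent root shells.`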
From: Riku Rouvila
Date: Mon, 22 Jan 2024 15:53:14 +0200
Subject: [PATCH 3/3] only disable root login if ansible user being used is not root

---
 infrastructure/server-setup/tasks/users.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
index 799d4190a..6c39f3abb 100644
--- a/infrastructure/server-setup/tasks/users.yml
+++ b/infrastructure/server-setup/tasks/users.yml
@@ -126,6 +126,7 @@
ansible.builtin.command:
cmd: passwd -l root
become: yes
+  when: ansible_user != "root"
- name: Enable KbdInteractiveAuthentication in SSHD Config
lineinfile:
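Review bot: With the new `when: ansible_user != "root"` the lock is silently skipped on hosts provisioned as root, so those hosts keep a usable root password indefinitely and nothing in the play output says so; the task name "Disable root account login completely" then promises more than actually runs. Consider making the skip visible with a companion task under the inverse condition, e.g. `ansible.builtin.debug: msg: "Root password NOT locked: the play is running as root; re-run as a sudo-capable user to lock it"`, or state the condition in the task name. The guard mirrors the one on the preceding task (visible in the first patch's context) but assumes `ansible_user` is set for every host; if it is unset for a host, the expression is an undefined-variable error rather than a skip, which is worth confirming against the inventory. The task body remains `ansible.builtin.command`, which reports changed on every run; `ansible.builtin.user` with `name: root` and `password_lock: true` is the idempotent form and takes the same `when`.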