Hi all,
Trying to add a line (or modify if existing) to “sshd_config” to lock down who can SSH to the target server. On RHEL, there is no “AllowGroups” (or “AllowUsers”) line present in the as-shipped sshd_config file. In any case, here is the play I wrote:
```yaml
- name: RHELFAM | Restrict SSH on Docker hosts to specific group members
  lineinfile:
    - dest=/etc/ssh/sshd_config
    - state=present
    - regexp='^AllowGroups '
    - line='AllowGroups {{ ssh_allow_groups }}'
    - validate='/usr/sbin/sshd -t %s'
  when: ssh_allow_groups is defined
  notify:
    - reload sshd
  tags: limitsshusers
```
Then in roles//vars/main.yml:
You are passing a list to lineinfile, and you should either pass in a string or a dictionary:

```yaml
lineinfile: arg1=val1 foo=bar
```

Or (IMHO better, as it has fewer problems with escaping):

```yaml
lineinfile:
  arg1: 'val1'
  foo='bar'
```
Willard Dennis <willard.dennis@gmail.com> wrote:
Argh, the second example should say “foo: bar” instead of foo=bar
Tomasz Kontusz <tomasz.kontusz@gmail.com> wrote:
Thanks, Tomasz, for the explanation – wasn’t aware that the ‘lineinfile’ module couldn’t accept list input.
Now, my question is: how to take a YAML list (such as the groups list in my vars file), form a string of the format of “group1 group2”, and use that in lineinfile?
OK, I found the answer (yay RTFM!) in http://docs.ansible.com/playbooks_variables.html#other-useful-filters
Working play is:
```yaml
- name: RHELFAM | Restrict SSH on Docker hosts to specific group members
  lineinfile: dest=/etc/ssh/sshd_config
              state=present
              regexp='^AllowGroups'
              line='AllowGroups {{ ssh_allowed_groups | join(" ") }}'
              backup=yes
              validate='sshd -t -f %s'
  when: ssh_allowed_groups is defined
  notify:
    - restart sshd
  tags: limitsshusers
```
Variable filters FTW!
Thanks all,
W.
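The replace-or-append behaviour the working play relies on (match `^AllowGroups`, rewrite the line if present, append it if the shipped RHEL config has none, join the group list with spaces), written out as a POSIX shell function. This is an added example, not code from the thread; the function name and the sample config lines are constructed here.

```sh
#!/bin/sh
# set_allow_groups CONFIG_FILE GROUP...
# Same logic as the lineinfile task above: a line matching ^AllowGroups is
# replaced in place; if none exists (the RHEL default) the line is appended.
# The remaining arguments are joined with single spaces, like `join(" ")`.
# Note: a commented-out '#AllowGroups ...' line does not match ^AllowGroups,
# so it is left alone and a real directive is added, exactly as with lineinfile.
set_allow_groups() {
  cfg=$1
  shift
  [ $# -gt 0 ] || { echo "no groups given" >&2; return 1; }
  line="AllowGroups $*"
  if grep -q '^AllowGroups' "$cfg"; then
    # group names contain no '/', so a plain sed substitution is safe here
    sed "s/^AllowGroups.*/$line/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$line" >> "$cfg"
  fi
}

# Number of active AllowGroups directives; after the function runs it must be 1.
count_allow_groups() {
  grep -c '^AllowGroups' "$1"
}

# Stand-alone demo on a constructed sample config (not a real sshd_config).
demo() {
  tmp=$(mktemp)
  printf '%s\n' '# constructed sample sshd_config' '#AllowGroups wheel' \
    'PermitRootLogin no' > "$tmp"
  set_allow_groups "$tmp" sshusers docker-admins   # appends a new line
  set_allow_groups "$tmp" sshusers                 # replaces it, stays idempotent
  grep '^AllowGroups' "$tmp"                       # prints: AllowGroups sshusers
  rm -f "$tmp"
}
```

The play additionally runs `sshd -t -f` on the temporary file before it is moved into place; a real deployment should keep that validation step.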