update--

2024-01-25 11:19:15 +01:00 · 2024-01-25 11:19:15 +01:00 · 0aff5e1e90
commit 0aff5e1e90
parent b009cf5787
4 changed files with 66 additions and 23 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -114,7 +114,7 @@ sshd_host_keys:

 sshd_max_startups: !!str "10:30:100"

-sshd_max_auth_tries: 3
+sshd_max_auth_tries: 6

 sshd_max_sessions: 10

@ -1472,6 +1472,7 @@ remove_samba_users: []
 #      group_write_list: mbr-finanzen
 #      vfs_object_recycle: true
 #      recycle_path: '@Recycle.Bin'
+#      vfs_object_recycle_is_visible: false
 #
 samba_shares: []

--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
@ -67,7 +67,7 @@
 # This can be either the interface name or an IP address/netmask;
 # interface names are normally preferred
 ;   interfaces = 127.0.0.0/8 eth0
-   interfaces =   {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8
+   interfaces =  {{ samba_server_ip }}/{{ samba_server_cidr_prefix }}  127.0.0.1/8

 # Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf 
   hosts deny = 0.0.0.0/0
@ -337,7 +337,7 @@
 {%  else %}
   read only = no
 {%  endif %}
-{%  if item.writeable is defined and item.writeable |length > 0 %}
+{%  if item.writeable is defined and item.writeable|length > 0 %}
   writeable = {{ item.writeable }}
 {%  else %}
   writeable = yes
@ -399,14 +399,18 @@
   # - included in the entry. '*' and '?' can be used to  specify multiple files or
   # - directories as in DOS wildcards.
   # -
+{%         if item.vfs_object_recycle_is_visible is defined and item.vfs_object_recycle_is_visible|bool %}
+   veto files = /.DS_Store/
+{%         else %}
   veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/
+{%         endif %}
   delete veto files = yes
-{%       else %}
+{%      else %}

-{%       endif %}
-{%    else %}
+{%      endif %}
+{%   else %}

-{%    endif %}
+{%   endif %}

 {% endfor %}

--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -144,9 +144,15 @@ PasswordAuthentication {{ sshd_password_authentication }}
 # The default is “no”.
 PermitEmptyPasswords no

+{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+{% else %}
 # Specifies whether challenge-response authentication is allowed (e.g. via PAM).
 # The default is “yes”.
 ChallengeResponseAuthentication no
+{% endif %}

 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
@ -389,10 +395,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Subsystem sftp /usr/lib/openssh/sftp-server
 {% endif %}

-# Specifies whether sshd(8) should look up the remote host name and check 
-# that the resolved host name for the remote IP address maps back to the 
+# Specifies whether sshd(8) should look up the remote host name and check
+# that the resolved host name for the remote IP address maps back to the
 # very same IP address.
-# The default is “yes”.
+# The default is 'yes'.
 UseDNS {{ sshd_use_dns }}

 # Specifies whether X11 forwarding is permitted. The argument must be 
@ -405,12 +411,12 @@ UseDNS {{ sshd_use_dns }}
 # The default is 10.
 X11DisplayOffset 10

-# Specifies whether the system should send TCP keepalive messages to the 
-# other side. If they are sent, death of the connection or crash of one 
+# Specifies whether the system should send TCP keepalive messages to the
+# other side. If they are sent, death of the connection or crash of one
 # of the machines will be properly noticed.  However, this means
-# that connections will die if the route is down temporarily, and some 
-# people find it annoying. On the other hand, if TCP keepalives are not 
-# sent, sessions may hang indefinitely on the server, leaving “ghost” users 
+# that connections will die if the route is down temporarily, and some
+# people find it annoying. On the other hand, if TCP keepalives are not
+# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
 # and consuming server resources.
 #
 # The default is “yes” (to send TCP keepalive messages), and the server 
@ -463,4 +469,36 @@ Match group sftp_users
  ChrootDirectory %h
  ForceCommand internal-sftp

+Match all
+
 {% endif -%}
+
+{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %}
+
+#-----------------------------
+# Match User for PasswordAuthentication
+#-----------------------------
+{% for item in sshd_pasword_auth_user %}
+
+Match User {{ item }}
+  PasswordAuthentication yes
+
+Match all
+
+{% endfor %}
+{% endif %}
+
+{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %}
+
+#-----------------------------
+# Match IP Address for PasswordAuthentication
+#-----------------------------
+{% for item in sshd_pasword_auth_ip %}
+
+Match Address {{ item }}
+  PasswordAuthentication yes
+
+Match all
+
+{% endfor %}
+{% endif %}
--- a/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.ubuntu.j2
@ -252,10 +252,10 @@ AcceptEnv LANG LC_*
 # By default no subsystems are defined.
 Subsystem sftp /usr/lib/openssh/sftp-server

-# Specifies whether sshd(8) should look up the remote host name and check 
-# that the resolved host name for the remote IP address maps back to the 
+# Specifies whether sshd(8) should look up the remote host name and check
+# that the resolved host name for the remote IP address maps back to the
 # very same IP address.
-# The default is “yes”.
+# The default is 'yes'.
 UseDNS {{ sshd_use_dns }}

 # Specifies whether X11 forwarding is permitted. The argument must be 
@ -268,12 +268,12 @@ UseDNS {{ sshd_use_dns }}
 # The default is 10.
 X11DisplayOffset 10

-# Specifies whether the system should send TCP keepalive messages to the 
-# other side. If they are sent, death of the connection or crash of one 
+# Specifies whether the system should send TCP keepalive messages to the
+# other side. If they are sent, death of the connection or crash of one
 # of the machines will be properly noticed.  However, this means
-# that connections will die if the route is down temporarily, and some 
-# people find it annoying. On the other hand, if TCP keepalives are not 
-# sent, sessions may hang indefinitely on the server, leaving “ghost” users 
+# that connections will die if the route is down temporarily, and some
+# people find it annoying. On the other hand, if TCP keepalives are not
+# sent, sessions may hang indefinitely on the server, leaving 'ghost' users
 # and consuming server resources.
 #
 # The default is “yes” (to send TCP keepalive messages), and the server