Default variable details
Some of the debops.pam_access default variables have more extensive
configuration than simple strings or lists, here you can find documentation and
examples for them.
pam_access__rules
The pam_access__*_rules variables define the state of the
/etc/security/access*.conf configuration files and their contents.
The variables are merged in order defined by the
pam_access__combined_rules variable, which allows modification of the
default configuration through the Ansible inventory.
Examples
Include some of the examples from the access.conf(5) manual page in the
global /etc/security/access.conf configuration file. Note that the
configuration is explicitly enabled because the role does not configure the
global access list by default:
pam_access__rules:
- name: 'global'
state: 'present'
options:
- name: 'allow-root-locally'
comment: |
User root should be allowed to get access via cron, X11 terminal :0, tty1-6
permission: 'allow'
users: 'root'
origins: [ 'crond', ':0', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6' ]
- name: 'allow-root-loopback'
permission: '+'
users: 'root'
origins: '127.0.0.1'
- name: 'allow-root-subnet'
comment: |
User root should get access from network 192.0.2. which can also be
specified using a CIDR prefix, 192.0.2.0/24
permission: 'allow'
users: 'root'
origins: [ '192.0.2.', '192.0.2.0/24' ]
- name: 'allow-root-domain'
comment: |
User root should be able to have access from a specific domain
permission: '+'
users: 'root'
origins: '.example.org'
- name: 'deny-root'
comment: |
Deny access to the root account from any other sources
permission: 'deny'
users: 'root'
origins: 'ALL'
- name: 'allow-foo-admins'
comment: |
User 'foo' and members of netgroup 'admins' should be allowed to get
access from all sources. This will only work if netgroup service is
available.
permission: '+'
users: [ '@admins', 'foo' ]
origins: 'ALL'
- name: 'allow-john-ipv6subnet'
comment: |
User 'john' should get access from IPv6 net/mask.
permission: 'allow'
users: 'john'
origins: '2001:db8:0:101::/64'
- name: 'allow-local-wheel'
comment: |
Disallow console logins to all but the 'shutdown', 'sync' and all
other accounts, which are a member of the 'wheel' group.
permission: '-'
groups_except: 'wheel'
users_except: [ 'shutdown', 'sync' ]
origins: 'LOCAL'
- name: 'deny-all'
comment: |
All other users should be denied access from all sources. This rule
will be placed at the end of the configuration, to allow easy
addition of more rules before it.
permission: 'deny'
users: 'ALL'
origins: 'ALL'
weight: 99999
Add some of the examples from the default /etc/security/access.conf
file installed by Debian to the /etc/security/access-sshd.conf
configuration file used by the sshd service.
Note that the configuration has state append which means that even though
the values are defined in the Ansible inventory, they will only be applied when
the debops.pam_access role is used in the context of the
debops.sshd role, via the sshd.yml playbook (the configuration entry
was defined elsewhere and inventory entry is appended to it). Otherwise the
custom access file used by the sshd service would be overwritten during
normal usage of the debops.pam_access role.
The examples are nonsensical in the context of the OpenSSH service, but are provided here to show how to implement specific ACL rules.
pam_access__rules:
- name: 'sshd'
state: 'append'
options:
- name: 'deny-non-root'
comment: 'Disallow non-root logins on tty1'
permission: 'deny'
users_except: 'root'
origins: 'tty1'
- name: 'deny-non-privileged'
comment: 'Disallow non-local logins to privileged accounts'
permission: '-'
groups: 'wheel'
origins_except: [ 'LOCAL', '.sub.example.org' ]
Syntax
The variables contain a list of YAML dictionaries, each dictionary can have specific parameters:
nameRequired. Name of an access control configuration file managed by the debops.pam_access role. The role will create the file in:
/etc/security/access-<name>.conf
Configuration entries with the same
nameparameter will be merged together in order of appearance; this can be used to modify existing entries via the Ansible inventory.filenameOptional. Override the autogenerated file name. You should only specify the filename itself, files are stored in the
/etc/security/directory.stateOptional. If not specified or
present, the configuration file will be generated. Ifabsent, the specified configuration file will be removed. Ifinit, the configuration entry will be initialized, but not active - this can be used to prepare an entry and activate it conditionally later. Ifignore, a given configuration entry will not be evaluated by the role.If
append, the configuration entry will be processed only if a given entry was defined earlier. This should be a preferred method to modify access rules defined by other Ansible roles through the Ansible inventory, otherwise the user roles will override the role rules.divertOptional, boolean. If
True, the role will automatically divert or revert the original access control rule file depending on its state, to preserve it for APT upgrades. This parameter shouldn't be changed if a diverted file is present, otherwise the role will not track the diversion.fieldsepOptional. Specify the character that will be used as the field separator in the generated rule files. If not specified, colon (
:) is used by default. See pam_access(8) for information about the usage of this parameter.listsepOptional. Specify the character that will be used as the list element separator in the generated rule files. If not specified, space is used by default. See pam_access(8) for information about the usage of this parameter.
optionsRequired. List of YAML dictionaries which describe PAM access rules. The lists in the entries with the same
nameparameter are merged together, with the rules that use the samenameaffecting each other in order of appearance. Rules can be defined using specific parameters:nameRequired. Name of a given access rule, not used directly. Entries with the same
nameparameter will be merged together in order of appearance; this allows modification of existing entries via Ansible inventory.permissionRequired. Specify the permission of a given access rule. Possible values:
allow/+/acceptdeny/-/decline
usersString or YAML list of usernames, netgroups or
ALLthat matches everyone. Ifusers_exceptparameter is specified, this parameter is ignored.users_exceptString or YAML list of usernames, netgroups or
ALLthat matches everyone. If this parameter is specified, the list of users or groups will be prefixed withALL EXCEPTwhich allows for negation.groupsString or YAML list of UNIX group names, which will be automatically wrapped in parentheses (
( )) to mark them as groups. Ifgroups_exceptparameter is specified, this parameter is ignored.groups_exceptString or YAML list of UNIX group names, which will be automatically wrapped in parentheses (
( )) to mark them as groups. If this parameter is specified, the list of users or groups will be prefixed withALL EXCEPTwhich allows for negation.originsString or YAML list of "origins" - TTY names, hostnames, domain names (specified with the
.prefix), IP addresses, network addresses (specified with the.suffix or with CIDR netmask), netgroup names,ALLwhich matches everything, orLOCALwhich matches only local TTYs and services. Iforigins_exceptparameter is specified, this parameter is ignored.origins_exceptString or YAML list of "origins" - TTY names, hostnames, domain names (specified with the
.prefix), IP addresses, network addresses (specified with the.suffix or with CIDR netmask), netgroup names,ALLwhich matches everything, orLOCALwhich matches only local TTYs and services. If this parameter is specified, the list of origins will be prefixed withALL EXCEPTwhich allows for negation.commentOptional. String or YAML text block that contains comments about a given access rule.
stateOptional. If not specified or
present, a given access rule will be included in the generated rule file. Ifabsent, the rule will be removed from the generated rule file.weightOptional. Positive or negative number, which can be used to affect the position of the rule within the rule file. Positive numbers will force the rule to be lower than normal (adding weight), negative numbers will move the role higher on the list (subtracting weight).