How about
---

# assuming non-system user ids start at 500
# (-F: splits on ':', -a autosplits into @F, -l adds the newline; the UID is the third field, $F[2])
- name: grab existing users for this host
  shell: perl -F: -lane 'print $F[0] if $F[2] > 499' /etc/passwd
  register: users
  changed_when: false

# '!' is not a valid hash, so setting it as the password locks the account (same effect as usermod -L)
- name: lock unknown users
  user: name={{ item }} password='!'
  when: item not in known_users
  with_items: "{{ users.stdout_lines }}"

# assuming usernames map simply to home dirs; file/state=absent is the idempotent form of rm -rf
- name: lock out unknown users
  file: path=/home/{{ item }}/.ssh state=absent
  when: item not in known_users
  with_items: "{{ users.stdout_lines }}"

More trickery required for the authorized keys bit if home dirs are
less predictable

K


Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd                            (w) +61 (0) 3 9008 5281

Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer."  -- IBM maintenance manual, 1925

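The home-dir problem above (and the facts.d suggestion in the quoted reply below) can be handled by a small local facts script that takes each account's real home directory from /etc/passwd instead of assuming /home/<name>. This is an added example, not code from the thread; it assumes the thread's cutoff of UID 500, treats 'nobody' as a system account, and runs against a constructed passwd sample:

```python
"""facts.d-style script: non-system accounts with their real home dirs.
Added example, not from the thread. Assumes non-system UIDs start at 500 (the
thread's convention); a real script would read /etc/passwd instead of SAMPLE_PASSWD."""
import json

SYSTEM_UID_MAX = 499   # thread's assumption: non-system UIDs start at 500
NOBODY_UID = 65534     # 'nobody' sits above the range but is a system account

def parse_passwd(text):
    """Yield (name, uid, home, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue                        # skip blank or malformed lines
        name, _, uid, _, _, home, shell = fields
        try:
            yield name, int(uid), home, shell
        except ValueError:
            continue                        # non-numeric UID field

def non_system_users(text):
    """Map name -> {'uid','home','shell'} for accounts above the system range."""
    return {name: {"uid": uid, "home": home, "shell": shell}
            for name, uid, home, shell in parse_passwd(text)
            if uid > SYSTEM_UID_MAX and uid != NOBODY_UID}

def accounts_to_lock(users, known_users):
    """Return {name: authorized_keys path} for accounts not in the allow-list,
    using the home dir from passwd rather than assuming /home/<name>."""
    return {name: info["home"].rstrip("/") + "/.ssh/authorized_keys"
            for name, info in users.items() if name not in known_users}

# Constructed sample passwd content (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001::/srv/deploy:/bin/sh
broken line without fields
"""

if __name__ == "__main__":
    users = non_system_users(SAMPLE_PASSWD)
    print(json.dumps({"local_users": users}, indent=2))      # facts.d JSON output
    print(json.dumps(accounts_to_lock(users, {"alice"}), indent=2))
```

Dropped into /etc/ansible/facts.d as an executable, the first JSON document becomes ansible_local.<name>.local_users, so the lock and authorized_keys tasks can loop over real home paths.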


On 9 December 2013 02:14, James Cammarata <jcammar...@ansibleworks.com> wrote:
> You could always add that information through a local fact.d script
> (http://www.ansibleworks.com/docs/playbooks_variables.html#local-facts-facts-d).
> Enumerating every installed user's information in facts could be a ton of
> information, especially if your system is authenticating through a directory
> service, so that's not something most users would want to be on by default.
>
>
> On Sun, Dec 8, 2013 at 6:33 AM, Jürgen Haas <juer...@paragon-es.de> wrote:
>>
>> Let's assume we have an array of users that should be present on any host
>> with some defined permissions. To do that with ansible, the modules 'user'
>> and 'authorized_key' are perfect tools.
>>
>> What I would like to achieve in addition is to make sure that no other
>> user accounts are available on my hosts. My thinking is to go through the
>> following steps:
>>
>> Get a list of all user accounts on the host.
>> For all users in that list that are not in my list of allowed users, take
>> some action:
>>
>> Lock the user: usermod -L USERNAME
>> Clean the authorized_keys file in $HOMEDIR/.ssh
>>
>> This should make sure that neither login through passwords nor with
>> certificates should be possible for those accounts but we do not delete
>> them, as there are many system accounts that you never really want to
>> delete.
>>
>> I'm sure this could be done with shell scripts but wouldn't it be nicer if
>> the Ansible modules could offer that as well?
>>
>> Also, using the module authorized_key is always adding new public keys to
>> a given user account. What's missing seems to be a reset option, so that all
>> previous public keys get removed and only the ones being added will be valid
>> from then on. A rest isn't that difficult and can be done by deleting the
>> existing $HOMEDIR/.ssh/authorized_keys file, but that required the knowledge
>> of the home dir which isn't available through Ansible either.
>>
>> Maybe extending the facts might help? If we knew all users, their state
>> and their homedir, that would allow us to do much more already with existing
>> modules.
>>
>> Just looking for ideas and how others are approaching this.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-project+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
>
> --
>
> James Cammarata <jcammar...@ansibleworks.com>
> Sr. Software Engineer, AnsibleWorks, Inc.
> http://www.ansibleworks.com/
>
