Switching user management solution

README.md

@@ -10,30 +10,6 @@ If the "base_core_hostname" variable is defined, it is recommended to set the an
 | ----------------------- | ------------------------------------------------------------- |
 | ansible_ssh_common_args | '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' |
 
-## Role Variables
-
-### Core Variables
-
-|                   Variable                   |    Default    |   Choices   |                                    Comments                                     |
-| -------------------------------------------- | ------------- | ----------- | ------------------------------------------------------------------------------- |
-| base_core_cert_common_name                   | nodename      |             | Common name for created self-signed cert                                        |
-| base_core_firewall_configure                 | True          | True, False | Allows the firewall to be configured                                            |
-| base_core_hostname                           | ""            |             | Defines the computer hostname                                                   |
-| base_core_install_updates                    | True          | True, False | Install all available updates for the distro at runtime                         |
-| base_core_management_user                    | ansible_user  |             | Defines the account that ansible will use for management in the future          |
-| base_core_management_user_disable_password   | False         | True, False | When enabled the password for the management user account will be disabled      |
-| base_core_motd_banner                        | ""            |             | Banner to be added to MOTD if desired                                           |
-| base_core_motd_configure                     | True          | True, False | Allows the MOTD to be configured                                                |
-| base_core_root_ca_basename                   | ""            |             | Basename of the cert for local system reference                                 |
-| base_core_root_ca_convert                    | False         | True, False | Converts the defined certificate from DER to PEM type                           |
-| base_core_root_ca_url                        | ""            |             | URL of a Root CA to install                                                     |
-| base_core_secondary_user                     | ""            |             | Defines a secondary account that ansible configure for management in the future |
-| base_core_secondary_user_disable_password    | False         | True, False | When enabled the password for the secondary user account will be disabled       |
-| base_core_ssh_permit_password_authentication | False         | True, False | Permits the use of passwords for ssh                                            |
-| base_core_ssh_permit_root_login              | False         | True, False | Permits the use of root logins for ssh                                          |
-| base_core_timezone                           | America/Boise |             | Defines the timezone to apply to the client                                     |
-| base_core_web_management                     | False         | True, False | Enables installation of the Cockpit web management package(s)                   |
-
 ## Example
 
 Execute playbook with needed variables

roles/base/defaults/main.yml

@@ -8,17 +8,13 @@
 # General
 # =======
 
-# User that should be configured for future management
-base_core_management_user: "{{ ansible_user }}"
-
-# Secondary user that may be configured for future management
-base_core_secondary_user: ""
-
-# If enabled, the password for the management user account will be disabled
-base_core_management_user_disable_password: false
-
-# If enabled, the password for the secondary user account will be disabled
-base_core_secondary_user_disable_password: false
+# Users that should be configured for future management
+base_users: []
+#- username: "{{ ansible_user }}"
+#  password: ""
+#  disable_password: false
+#  ssh_keys: []
+#  ssh_keys_force: false # setting ssh_keys_force to true will overwrite the authorized_keys file to only be the ssh keys provided
 
 # Install all available updates at runtime
 base_core_install_updates: true

roles/base/public_keys/ansible_awx

@@ -1 +0,0 @@
-ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACzgUaiXanC7LIMR2JHlNjqHdscstjUQ4ZMJOG9ndZY2Ml81g+KPSUQHsmEAO+24TBVc/EpmeU3iMX4BO6XhUEhRACIAfyxW0zZWBZlO46TWf+oMcH6CQNQHubEpxqGvZd8A0tNxI2npzOEW6b3mKDGd1Z60yBPjNr5KZWVcJePPMwjaw== ansible_awx

roles/base/public_keys/as-awx-workstation

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAccPXNMwyNb4UW2P3MyxRGH2xDrOHKOkW0/2DGuNJq as-awx-workstation

roles/base/public_keys/thale-bw-curve25519

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJoxKs7UgLr/6zVzZLSbqMUfHtrAtg93qRwEEXFAMqfR thale-bw-curve25519

roles/base/public_keys/thale-bw-rsa

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCt6oTKMmZBQB9tS4ucEHZsDEZnBvcQiFeqfW31UjSbMRzKMqQwhOxqM6ezBvIJwlbAsR8p6tpGtl7lVOoOpQtUYBN8sPHHIr4hsOgaUhG3J5YeUHkg9u6GJ+QYyve6TXxXQdQozkov4OhCwMqtruMZCKZXxAxu5qzUO5uexz9l6EiMXyonggtiaWFKBtyyRkr7pgUeYjGE+xeNTzhlMWqM6jX10EhHwjbYZ8KXZCm0+eue/b3gNqgfP155S9o+a+6bCECPmYQQy8mkTjVFefiEROS7F7t+ZOgI/KhmebWEHIeGPs5BRKwsu21jHVvfIrZKlb2byItIhyawHesQcOpUhGWfWsXkqZ/4IPqpguxo2zsdyVhkOkuHCztpDUAd6TZawejskgdpgacwWG9kamsXJwSS9+ukv/nQwZVkc8xrGvwS1ftUDj6oWE50PIfGU4GxxiIG3pe1eFiiqAG2GFkc783bo6sXBfHpZQnfNoJnYxhSy2o0STACwQ4poCte0HVipb1RQHGf3jKpyKjtdtaHtZYyu05A6iZ/1gLlousrk3dn/l0f1Bq25cfevwqqpeN/kT/xz8JgIJZgU8i5MFm3KyUBXxhaSGi4xCf5zhIviLV5ysPJgKZiECgVxCDYm6GJP35dDKTCGsmz59it7D9jJUh76JLiq+/pWs6RQyanAQ== thale-bw-rsa

roles/base/public_keys/thale-desktop-curve25519

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXJshwwSz1rf7wJw5trBwBkNdWrLWffAxUlbW1JSkdt thale-desktop-curve25519

roles/base/public_keys/thale-desktop-rsa

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTdOj42XVn1DPRGsUEVyEoMGKG7dn3DbwqMokzj8SrPpD5EirOmPGTGY6ePGu4keKnBpKPGpW7rYw76CD+7g8fg9/I3rBuVcNOexarlMFfDzGhns+DUFq2ruNTyRfdLWUSHNzSV+8u7Z5g23d54gWsgqagPYtK07gg7aPN/QsnEEJnJZUykc3Zy5NUI9+sDhG3gH5JEgJPcnO1Z1Gxm3mkXHyn32Rx7tydNn2Y+zRnga1//6INtf06FuIBjjrENMDThw3x82Knbugt7m2fs6J0Ktk0+LQQmLyAT7+RqCeetjFcsBYXemPs8chxCC6U8QSaUZVH0cDwFWdBFpyLAfy2Ux9ym0D4dyktui3C9ImRtGtor2dzVFR3gWDSd73L8oQ4kHU0mjJSWtQlH7PVNRIZUm2Z9eOXd59HDtE/rLhF2jCGeVEBenogLt69Neeo/0GV7GCxNwL19GUzFjw3pgowuQPXmqVczKS8Na1AUNZI850GM6GxKemR/SxRmEM2vgmm6qbamazOnsMmQfxh35VT+vjCxtx2o3Lr60+mqHNWvcnAF0hP8NH8FIySI7y1ZkPPFy4kUtbPAtPimgCRma2uXXhB6YpSF9oaHLiD1KbcTRrlFZFS4yfSVsNo302PvpoZ4E8bXAUHo8CBwLANSusTL3wnotOeaZ2H/4jX1sl55Q== thale-desktop-rsa

roles/base/public_keys/thale-laptop-curve25519

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVLEQhiLGQa72Byq8MApoyvltFodOF/lCen7TBNsdAc thale-laptop-curve25519

roles/base/public_keys/thale-laptop-rsa

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCQArz4zOe9fGbIfvCdkMFr3W34r1dJFWcpgojGUGVRrlKkFPqvSvtEJEZHtha5EO4TVeoQRE+HiRs582eV9XROYaZTHGVvmzXVOH/l8nCZwEfMsmfRMa0xEd8Uk+7OCWWd0T9e6HrTMve46V2h1iuYs1OZTNV3N0yupCadX1pR6mFqa2wy9MqZlBXa5+3c4HYVe0s3ZomKhg4384oCQ7Vhke4wxxYopgUP1kMJSNtuQ9tS695Z26QnSAtvaO6caO/RUN2bpeWU+utAu2I54p536il8webo/nTugh3PM769ZXLp6zBf9BsNNC5fSMpjA7O2coX9muphQSWRf9QmD+wY/0ymbIb1n/dTnLtwm0tzmBToCABfJF6lyczgL679D750PHnEbwFmjjyGDI1zCZNSqajPJ7tbTW+dRe20TV55DqshOqM2AnlyIn+7RrG84/ovuKdNXOKzuNnnEvhmy048gEWHi3RQP6kzSZevhhECRYhY6rabx8kQyvYx3AoQGFWY9yAvkMi95x7OyhT8aaGdhgydbAEVjJJEA+iiG8sXkDBslJ9/GE0fBKdgW9SR1XwT/IPUUiS/nf5w9SqQeCoWCdOIY4r54h8UBGPG3kWndMIoWS0ptSxBixFu3kkE44H8c6wjo7uHMFVNyRaBb80NpZf89lgavnT2cXbKSqKEw== thale-laptop-rsa

roles/base/public_keys/thale-phone-curve25519

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgqeosFeqdDoLZ2rRaFrtXlhS3qLC6/1z2lqrtlFk27 thale-phone-curve25519

roles/base/public_keys/thale-phone-rsa

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmtVMgc09oGNwExmhUDf5Qf49LVR5x3ynaWqVETnn5SYIvLkY/Uo1OSA/wxR7afn+dnUwEEp4QT1LCO08enINLa/+SFxkceESxuRWcWqUrlZNLsocF2uWDqWAUQUVlB/o3iO8z8v8bHPTt0XjEyfQz1EFzGmRF7iUMEKKnSSyX7yiP7EAsQgs8pb8mvVtQCj+0zDjbfjmiE8pF9P4nNzsSi2rVduXLLDvH9AvNmW/EiIxDyb8LzMxCMdIK/OYugXFRYfExQbWpYEORFRMphRq8MPgCon7kW2DmyIMNBiHXSyapDFy0m3U3+iqy0d1A6bKQxNKKQP2FG91sTCwtcuhYxZ3Ak6Ee3PE1kRKAmVI3FCGcfQUp8Y8wYqMwHHuXnJQGBsqppCCtuQjCiszyburXE5mvps++61PdMtWfgSCrZOTx+yJCaabIzwBCwKuzZUGiZwfkYbSniPRq/j//SEQxOOd3pjWHSnimg+maTrzXOWEt+D4CzYZzS2izBxECPPxgnuaOP14/GIDHOhqJvD0mR6bfidBVpsYGELRbUs9HG2SDFmmNZij3l3dt4b3nW++V5aUypc94PIB3utDgUbhXOLePf9l3p+ShWe0OWw5aEen8ow18F9pVx/Lfru3vr8YUWJp6zqZO09pUWiinC9xEXwwz0olzRfqZ5e4Eec+CjQ== thale-phone-rsa

roles/base/public_keys/thale-work-curve25519

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACL4TqzQo8qFu5V5LB+PxQG2MHFAGXJrquf2SpuZpzA thale-work-curve25519

roles/base/public_keys/thale-work-rsa

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCVb3OxjvY9QAPUgrxc9X6h1KpCyyefh8SgBSARJZRwKTHL/HkzL05/5iCX0eeDe7cTsvU9O3lKTKKDh+6ZbJTEuiKlp7XPIGuXL6VCNTkz6yMHy0zQhKW/0VnvIZjHt7Y+evh8wa5SHpZz2ka80pohG9zea4ylqMjfWnxAwbNBwen/o/Owss94tQH1aJIpA8BNwPSqTCDqgcVX8w4d9D3ERMrmp1DaZVU6NlFJ5Pk4acZ9piIOI42Dwb9pqAiOVzQceIEG2RRKyAahNB1iRX9q+jHxAnhh1hv/tKs/i3J5gzlN83WVJLNL70RpMyMI2Tp8Gr3mJkU56/RJkN6OHPOIO066I9psTzTBHMFDjUAvl30STPdsHsX1Ejel3KWVbpkzxiFvVbQfI3/f5g008PvGgRX0/x4UOrNSp8hPCxd//GmoAuxFcJqCN9vrJxL9xiG6JWNe7LDokTeQu+F/M8eXj6wcBs9Jnu4Fmpmx5UROmU/T2+manQnySC34a7AnzzXueH/ysA7iteE6abIMnUJ9zmRZZk624MJzerrbFIf1qHrQWZ8fJ3BPZ9UXNJL945suny0aHnHIMJT/ojPfdJDc62rKxYP7WFeDRM5kOjdnOIZpAaBEcWeykWL5gV8pl+7m3EEDHHbUizrthFlOMgdScPMrkm+jGjDsvzEKKEttw== thale-work-rsa

roles/base/tasks/core.yml

@@ -27,6 +27,17 @@
     pool: '^(Red Hat Enterprise Server|Red Hat Virtualization)$'
   when: ansible_distribution == 'RedHat' and (base_redhat_subscription_org_id != "" and base_redhat_subscription_activationkey != "")
 
+- name: "*** Users Configuration ***"
+  include_tasks:
+    file: core_users.yml
+    apply:
+      tags: users
+  loop: "{{ base_users }}"
+  loop_control:
+    loop_var: user
+  tags:
+  - users
+
 - name: "*** MOTD Configuration ***"
   include_tasks: 
     file: core_motd.yml
@@ -77,15 +88,3 @@
   when: base_core_web_management == true
   tags:
   - web_management
-
-- name: Disable password for management account
-  user:
-    name: "{{ base_core_management_user }}"
-    password_lock: yes
-  when: base_core_management_user_disable_password == true
-
-- name: Disable password for secondary management account
-  user:
-    name: "{{ base_core_secondary_user }}"
-    password_lock: yes
-  when: base_core_secondary_user != "" and base_core_secondary_user_disable_password == true

roles/base/tasks/core_ssh.yml

@@ -18,27 +18,6 @@
   tags:
   - issue
 
-- name: Setup authorized keys
-  authorized_key:
-    user: "{{ base_core_management_user }}"
-    state: present
-    key: '{{ lookup("file", item) }}'
-  with_fileglob:
-    - "public_keys/*"
-  tags:
-  - authorized_key
-
-- name: Setup authorized keys for secondary user
-  authorized_key:
-    user: "{{ base_core_secondary_user }}"
-    state: present
-    key: '{{ lookup("file", item) }}'
-  with_fileglob:
-    - "public_keys/*"
-  when: base_core_secondary_user != ""
-  tags:
-  - authorized_key
-
 - name: Configure SSH root login
   lineinfile:
     path: /etc/ssh/sshd_config

roles/base/tasks/core_users.yml

@@ -0,0 +1,33 @@
+---
+# file: roles/base/tasks/core_users.yml
+
+- name: "{{ user.username }} user setup"
+  user:
+    name: "{{ user.username }}"
+    password_lock: "{{ user.disable_password | default(false) }}"
+
+- name: "Configure {{ user.username }} password"
+  user:
+    name: "{{ user.username }}"
+    password: "{{ user.password | default('*') }}"
+  when: user.password is defined
+
+- name: "Setup {{ user.username }} authorized keys"
+  authorized_key:
+    user: "{{ user.username }}"
+    state: present
+    key: "{{ user.ssh_keys | join('\n') }}"
+    exclusive: "{{ user.ssh_keys_force | default('false') }}"
+  tags:
+  - authorized_key
+  when: ( user.ssh_keys is defined ) and ( user.ssh_keys is not url )
+
+- name: "Setup {{ user.username }} authorized keys from url"
+  authorized_key:
+    user: "{{ user.username }}"
+    state: present
+    key: "{{ user.ssh_keys }}"
+    exclusive: "{{ user.ssh_keys_force | default('false') }}"
+  tags:
+  - authorized_key
+  when: ( user.ssh_keys is defined ) and ( user.ssh_keys is url )