From 87973dfb6ea74de4ebd1040b0b91d542c2c0899f Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Mon, 1 Apr 2024 00:49:02 -0500
Subject: [PATCH] Simplifying group management
---
 roles/Password/package/ldap-adduser | 4 +++-
 roles/SSH/files/sshd_config | 18 ++++++++++--------
 roles/SSH/tasks/main.yml | 11 +++++------
 3 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/roles/Password/package/ldap-adduser b/roles/Password/package/ldap-adduser
index 9751cd0..9847b4f 100755
--- a/roles/Password/package/ldap-adduser
+++ b/roles/Password/package/ldap-adduser
@@ -46,12 +46,14 @@ if [ "$?" -eq 0 ]; then
 cp /opt/aninix/Password/sample-user.ldif "$file"
 line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
 line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
- line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
+ line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /$username/#" "$file"
 line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
 line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
 line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
 ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
 ldap-resetpass "$username"
+ # Create default home
+ cp -r /etc/skel "/home/$username"; chmod 0027 "/home/$username"; chown -R "$username": "/home/$username"
 fi
 rmdir "$lockfile"
 exit 0;
diff --git a/roles/SSH/files/sshd_config b/roles/SSH/files/sshd_config
index 463760a..5cb496f 100644
--- a/roles/SSH/files/sshd_config
+++ b/roles/SSH/files/sshd_config
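Review bot: `chmod 0027 "/home/$username"` on the added home-creation line gives the owner no permissions at all and read/write/execute to every other user; 027 reads like a umask rather than a mode, so the intended line is probably `chmod 0750 "/home/$username"` (or 0700 if other accounts should not traverse it). The changed `homeDirectory` line now records `/$username/` in LDAP while the directory itself is created at `/home/$username`; that presumably lines up with the `ChrootDirectory /home` in the sshd_config hunk, but any non-chrooted login (shell users, local PAM) will then resolve a home path that does not exist on the host, so confirm that is intended. The three commands are joined with `;`, so a failed `cp -r` still runs the `chmod` and `chown -R`; `&&` between them would stop at the first failure. The enclosing `if [ "$?" -eq 0 ]; then` opens before this hunk.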
@@ -41,21 +41,23 @@ ChallengeResponseAuthentication no
 HostbasedAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
-DenyGroups [^ssh-allow]
-AllowGroups ssh-allow
 PermitRootLogin no
 PermitEmptyPasswords no
-## Access Controls
-Match Group ssh-forward
+## By default, only ssh-allow or ldapusers are allowed to sftp
+AllowGroups ssh sftp ldapuser
+Match Group ldapuser,sftp
+ ForceCommand internal-sftp
+ ChrootDirectory /home
+
+## Special groups are allowed shell
+Match Group wheel,ssh-allow
 AllowTcpForwarding yes
 PermitTunnel yes
 AllowAgentForwarding yes
 X11Forwarding yes
-
-Match Group sftp-home-jail
- ForceCommand internal-sftp
- ChrootDirectory /home
+ ForceCommand none
+ ChrootDirectory none
 # Allow other packages to ship snippets
 Include /etc/ssh/includes/*
diff --git a/roles/SSH/tasks/main.yml b/roles/SSH/tasks/main.yml
index 15ee518..3068a1c 100644
--- a/roles/SSH/tasks/main.yml
+++ b/roles/SSH/tasks/main.yml
@@ -34,15 +34,14 @@
 name: "{{ item }}"
 state: present
 loop:
- - ssh-allow
- - ssh-forward
- - sftp-home-jail
+ - ssh
+ - sftp
- - name: Add SSH user to ssh-allow
+ - name: Add SSH user to ssh group
 become: yes
 user:
 name: "{{ ansible_user_id }}"
- groups: ssh-allow
+ groups: ssh
 append: yes
 - name: Copy the SSH key
@@ -75,7 +74,7 @@
 file:
 path: /etc/ssh/includes
 state: directory
- user: root
+ owner: root
 group: root
 mode: 0755
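Review bot: The new `Match Group ldapuser,sftp` block comes before `Match Group wheel,ssh-allow`, and sshd applies only the first satisfied Match block's value for a given keyword, so an admin who is in both ldapuser and wheel still receives `ForceCommand internal-sftp` and `ChrootDirectory /home`; the shell block's `ForceCommand none` / `ChrootDirectory none` never takes effect for that account. Placing the `wheel,ssh-allow` block above the `ldapuser,sftp` block gives the precedence the comments describe. `AllowGroups ssh sftp ldapuser` also leaves out wheel and ssh-allow, so members of those groups can log in only if they also hold one of the three listed groups, and the comment above it names ssh-allow and ldapusers rather than the groups actually listed. The sftp block sets no forwarding options, and the removed `Match Group ssh-forward` block suggests forwarding is granted per group rather than globally; unless the global section above this hunk already disables them, OpenSSH's defaults leave TCP and agent forwarding enabled for chrooted sftp users, so `AllowTcpForwarding no` and `AllowAgentForwarding no` belong in that block.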
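Review bot: The group-creation loop drops `ssh-allow`, but the sshd_config hunk in this same commit still matches on it (`Match Group wheel,ssh-allow`), so that Match block only ever applies to wheel members unless ssh-allow is created elsewhere; either keep `- ssh-allow` in the loop or remove it from the Match line. `ldapuser`, now named in `AllowGroups`, is likewise not created by this task — presumably it is supplied by LDAP, which is worth confirming in the role. The `{{ ansible_user_id }}` account is added to `ssh`, which passes AllowGroups but satisfies neither Match block, so whether that account gets a shell or sftp-only access depends on the global sshd settings outside this diff.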