Some enhancements

README.md

@@ -28,19 +28,24 @@ The following role variables are relevant:
 * `sftp_start_directory`: A directory that need to be part of sftp_directories values and that is the start directory of new sftp connection. Disable by default with an empty string value.
 * `sftp_allow_passwords`: Whether or not to allow password authentication for SFTP. Defaults to False.
 * `sftp_enable_selinux_support`: Whether or not to explicitly enable SELinux support. Defaults to False.
-* `sftp_enable_logging`: Enable logging. Auth logs will be written to `/var/log/sftp/auth.log`, and SFTP activity logs will be written to `/var/log/sftp/verbose.log`. Defaults to False.
+* `sftp_enable_logging`: Enable logging; defaults to `False`.
+* `sftp_logging_destination`: Rsyslogd destination for SFTP activity logs; defaults to  `-/var/log/sftp/verbose.log`.
 * `sftp_users`: A list of users, in map form, containing the following elements:
   * `name`: The Unix name of the user that requires SFTP access.
   * `group`: An optional user primary group. If set, it will be used for the user's home permission. Otherwise, the `sftp_group_name` is used.
   * `password`: A password hash for the user to login with - ie `openssl passwd -1 -salt salty passpass`.  Blank passwords can be set with `password: ""`.  NOTE: It appears that `UsePAM yes` and `PermitEmptyPassword yes` need to be set in `sshd_config` in order for blank passwords to work properly.  Making those changes currently falls outside the scope of this role and will need to be done externally.
-  * `shell`: Boolean indicating if the user should have a shell access (default to `True`).
+  * `shell`: Boolean indicating if the user should have a shell access (default to `False`).
   * `authorized`: An optional list of files placed in `files/` which contain valid public keys for the SFTP user.
   * `sftp_directories`: A list of directories that need to be individually created for an SFTP user. Defaults to a blank list (i.e. "[]").
   * `append`: Boolean to add `sftp_group_name` to the user groups (if any) instead of setting it (default to `False`).
   * `mode`: The users home directory mode (defaults to `0750`).
   * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults.
   * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`.
+  * `uid`: An optional UID of the sftp user.
+* `sftp_login_shell`: Boolean indicating if the users should have a shell access (default to `False`).
 * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.)
+* `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults.
+* `sftp_configure_sshd`: Boolean indicating if sshd configuration should be altered. Defaults to `true`. 
 
 Notes:
 

defaults/main.yml

@@ -7,3 +7,5 @@ sftp_allow_passwords: False
 sftp_enable_selinux_support: False
 sftp_enable_logging: False
 sftp_nologin_shell: /sbin/nologin
+sftp_logging_destination: -/var/log/sftp/verbose.log
+sftp_configure_sshd: true

tasks/main.yml

@@ -21,6 +21,7 @@
     line: "Subsystem sftp internal-sftp -f AUTH -l VERBOSE"
     state: present
   notify: SFTP-Server | Restart sshd
+  when: sftp_configure_sshd
 
 - name: SFTP-Server | Ensure SELinux management package is present
   package:
@@ -51,6 +52,7 @@
           ForceCommand internal-sftp {{ sftp_enable_logging | ternary('-l VERBOSE', '') }} {{ (sftp_start_directory in sftp_directories or sftp_start_directory in sftp_directories | selectattr("name", "defined") | map(attribute='name') | list) | ternary('-d /' + sftp_start_directory, '') }}
           PasswordAuthentication {{ sftp_allow_passwords | ternary('yes', 'no') }}
   notify: SFTP-Server | Restart sshd
+  when: sftp_configure_sshd
 
 - name: SFTP-Server | Create sftp user's group
   group:
@@ -62,30 +64,32 @@
 - name: SFTP-Server | Create sftp users
   user:
     name: "{{ item.name }}"
+    password: "{{ item.password | default(omit) }}"
     group: "{{ item.group | default(omit) }}"
     groups: "{{ sftp_group_name }}"
     append: "{{ item.append | default(False) }}"
     home: "{{ item.home }}"
-    # `None` means default value -> default is to have a shell
-    shell: "{{ None if (item.shell | default(True)) else sftp_nologin_shell }}"
-    skeleton: "{{ item.skeleton | default(omit) }}"
+    # `None` means default value -> default is to have no login shell
+    shell: "{{ None if (item.shell | default(sftp_login_shell) | default(False)) else sftp_nologin_shell }}"
+    skeleton: "{{ item.skeleton | default(sftp_home_skeleton) | default(omit) }}"
     state: present
+    uid: "{{ item.uid | default(omit) }}"
   with_items: "{{ _sftp_users }}"
 
 # A working chrooted SFTP setup requires root:sftgroup ownership of a user's home directory.
 - name: SFTP-Server | Root SFTP permissions
   file:
     path: "{{ sftp_home_partition }}"
     state: directory
-    mode: 0750
+    mode: 0755
     group: "{{ sftp_group_name }}"
     owner: root
 
 - name: SFTP-Server | Correct ownership and permission of home directories
   file:
     path: "{{ item.home }}"
     owner: root
-    group: "{{ item.group | default(sftp_group_name) }}"
+    group: "{{ item.group | default(item.name) }}"
     mode: "{{ item.mode | default(0750) }}"
   with_items: "{{ _sftp_users }}"
 
@@ -100,14 +104,6 @@
     - flags:
       skip_missing: True
 
-# Update user passwords, if they were specified.
-- name: SFTP-Server | Update user passwords
-  user:
-    name: "{{ item.name }}"
-    password: "{{ item.password }}"
-  with_items: "{{ _sftp_users }}"
-  when: item.password is defined
-
 # Create directories for all SFTP users. Optional, but recommended.
 - name: SFTP-Server | Create directories
   file:
@@ -155,11 +151,8 @@
       {% endfor %}
 
       # Log internal-sftp in a separate file
-      :programname, isequal, "internal-sftp" -/var/log/sftp/verbose.log
+      :programname, isequal, "internal-sftp" {{ sftp_logging_destination }}
       :programname, isequal, "internal-sftp" ~
-
-      # additionally write an auth log
-      auth,authpriv.*  /var/log/sftp/auth.log
   when: sftp_enable_logging
   notify: SFTP-Server | Restart rsyslog