
ENH: prepare PLC for pmpsdb_client #19

Merged
merged 1 commit into from
Mar 26, 2024

Conversation

ZLLentz
Member

@ZLLentz ZLLentz commented Mar 19, 2024

Description

Adds in four ansible tasks intended for making PLCs ready for use by the pmpsdb_client.
The tasks are as follows:

  • Create the non-admin "ecs-user" user
  • Configure sshd for password access
  • Reload the sshd service to pick up the new config
  • Verify that ssh still works

Creating this user can be disabled (and is disabled by default for vms), and it can also be customized to create a different user. The user can be removed later.

Even if the user is created, there must be a manual step to set its password, which ansible does not let you set via file-based plaintext. So, in no cases is a usable automatic extra login created.

This is related to:
pcdshub/lcls-twincat-motion#215
pcdshub/pmpsdb_client#25

Motivation and Context

  • The non-admin user will be used for PLC configuration tasks that do not need elevated permissions.
  • Reading and writing the PMPS database file does not need elevated permissions, allowing non-experts to be able to do it without needing access to the admin password and through application software.
  • Python's ssh libraries (fabric/paramiko/intake) behave much better with "password" auth enabled (as opposed to only "KeyboardInteractive" (password) auth, which is what is enabled by default). Functionally, the two of these are the same from the user perspective as implemented by the TcBSD OS.

How Has This Been Tested?

Interactively with my test PLC

Where Has This Been Documented?

https://confluence.slac.stanford.edu/display/PCDS/TcBSD+Ansible+Workflows#TcBSDAnsibleWorkflows-Playbook.1

Pre-merge checklist

@ZLLentz ZLLentz changed the title WIP: various steps to prepare PLC for pmpsdb_client ENH: prepare PLC for pmpsdb_client Mar 22, 2024

ZLLentz commented Mar 22, 2024

This also is ready for review, will ask for reviewers on Monday

@ZLLentz ZLLentz marked this pull request as ready for review March 22, 2024 23:15
@ZLLentz ZLLentz requested review from ghalym and nrwslac March 25, 2024 16:56
ansible.builtin.lineinfile:
  path: /etc/ssh/sshd_config
  line: "PasswordAuthentication yes"
  insertafter: "^#PasswordAuthentication"
I guess the caret here is on purpose? @ZLLentz

@ZLLentz ZLLentz Mar 25, 2024


This field is actually a regex, and the ^ indicates the start of a line.
So, ansible reads this as "find a line that starts with #PasswordAuthentication, then put PasswordAuthentication yes on the next line if it isn't already there."

The context is that the sshd config file looks like this, with all default values included as comments, and I wanted to put this new config line in a reasonable/known place instead of just at the end of the file.

<snip>
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
<snip>

And then, after ansible runs here:

<snip>
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
<snip>

When doing this interactively you'd usually uncomment the line and change "no" to "yes", but doing it like I've done here is simpler for the script and is easier to revert.
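As an added illustration (not code from this PR or from the ansible project), the Python below mimics the insertafter behaviour of lineinfile on a constructed copy of the sshd_config excerpt above, shows that a second run is a no-op, and reports which value sshd would actually pick up: sshd honours the first uncommented occurrence of a keyword, so the inserted line only takes effect because the original line stays commented out.

```python
import re

# Constructed sample, modelled on the sshd_config excerpt quoted in this thread.
SAMPLE_CONFIG = """\
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
"""


def lineinfile_insertafter(text: str, line: str, insertafter: str) -> str:
    """Emulate ansible.builtin.lineinfile with state=present and an insertafter
    regex: if `line` is already present verbatim, change nothing; otherwise insert
    it after the LAST line matching the regex (lineinfile's default), or append."""
    lines = text.splitlines()
    if line in lines:
        return text  # idempotent: re-running the task is a no-op
    pattern = re.compile(insertafter)
    match_idx = None
    for i, existing in enumerate(lines):
        if pattern.search(existing):
            match_idx = i
    if match_idx is None:
        lines.append(line)
    else:
        lines.insert(match_idx + 1, line)
    return "\n".join(lines) + "\n"


def effective_sshd_setting(text: str, keyword: str):
    """Return the value sshd would use for `keyword`: the first uncommented
    occurrence wins, later ones are ignored. None means the keyword is never set
    and the compiled-in default applies."""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


if __name__ == "__main__":
    updated = lineinfile_insertafter(SAMPLE_CONFIG, "PasswordAuthentication yes",
                                     "^#PasswordAuthentication")
    print(updated)
    print("effective:", effective_sshd_setting(updated, "PasswordAuthentication"))
```

If a host already carries an uncommented `PasswordAuthentication no` above the insertion point, the task reports success but sshd keeps `no`, which is why checking the effective value (or the "verify that ssh still works" task) matters.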


@nrwslac nrwslac left a comment


Left one comment. If that's normal lgtm.

@ZLLentz ZLLentz merged commit 8496758 into pcdshub:master Mar 26, 2024
1 check passed
@ZLLentz ZLLentz deleted the enh_pmpsdb_client branch March 26, 2024 20:02
@ZLLentz ZLLentz mentioned this pull request Mar 28, 2024