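- name: Secure SSH
  # Global sshd hardening. Each item's regexp matches the keyword whatever
  # its current value is (commented out included), so an existing directive
  # is rewritten in place instead of a second copy being added. A keyword
  # that is absent is inserted at the top of the file: sshd honours the first
  # occurrence of a keyword, so a BOF insertion takes precedence over anything
  # further down and cannot land inside a Match block.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    insertbefore: BOF
    state: present
    # Refuse to write a file sshd cannot parse; without this the restart
    # handler would apply a broken config and could lock every user out.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  # NOTE(review): lineinfile rewrites the *last* line matching regexp. If a
  # Match block in this file also sets one of these keywords, that per-block
  # line is the one rewritten — keep per-user overrides out of this file.
  loop:
    # No-op on releases that have dropped protocol 1 server support
    # (OpenSSH 7.4+); harmless, kept for older hosts.
    - regexp: '^\s*#?\s*Protocol\s'
      line: 'Protocol 2'
    - regexp: '^\s*#?\s*UseDNS\s'
      line: 'UseDNS no'
    - regexp: '^\s*#?\s*PermitEmptyPasswords\s'
      line: 'PermitEmptyPasswords no'
    # 'without-password' is the older spelling of 'prohibit-password'
    # (OpenSSH 7.0+); kept so older releases still accept it.
    - regexp: '^\s*#?\s*PermitRootLogin\s'
      line: 'PermitRootLogin without-password'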
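- name: Disable passwordauth
  lineinfile:
    path: /etc/ssh/sshd_config
    # Match the keyword regardless of its current value (or a leading '#')
    # so an existing global 'PasswordAuthentication yes' is rewritten in
    # place. Matching only the target value would leave the old line
    # standing ahead of the inserted one, and sshd honours the first
    # occurrence of a keyword — the hardening would be silently ignored.
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Keep the directive in the global section by inserting ahead of the
    # FIRST Match block. Without firstmatch, insertbefore targets the last
    # Match line, which would place the directive inside an earlier block.
    insertbefore: '^\s*Match'
    firstmatch: true
    state: present
    # Refuse to write a config sshd cannot parse, so the restart handler
    # never applies a broken file and locks users out.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  # NOTE(review): lineinfile rewrites the *last* regexp match; a per-user
  # override of these keywords inside a Match block would be the line
  # rewritten. Keep such overrides out of this file or handle them separately.
  loop:
    - regexp: '^\s*#?\s*ChallengeResponseAuthentication\s'
      line: 'ChallengeResponseAuthentication no'
    - regexp: '^\s*#?\s*PasswordAuthentication\s'
      line: 'PasswordAuthentication no'
    - regexp: '^\s*#?\s*AuthenticationMethods\s'
      line: 'AuthenticationMethods publickey'
  when: disable_passwordauth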
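- name: Enable passwordauth
  lineinfile:
    path: /etc/ssh/sshd_config
    # Match the keyword regardless of its current value (or a leading '#')
    # so a 'no' line written by an earlier run is rewritten in place.
    # Matching only the target value would insert a 'yes' line *after*
    # the existing 'no', and sshd honours the first occurrence, so the
    # toggle back would never take effect.
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Insert ahead of the FIRST Match block so the directive stays global;
    # without firstmatch, insertbefore targets the last Match line.
    insertbefore: '^\s*Match'
    firstmatch: true
    state: present
    # Refuse to write a config sshd cannot parse; protects the restart
    # handler from applying a broken file.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  # NOTE(review): lineinfile rewrites the *last* regexp match; a per-user
  # override of these keywords inside a Match block would be the line
  # rewritten. Keep such overrides out of this file or handle them separately.
  loop:
    - regexp: '^\s*#?\s*ChallengeResponseAuthentication\s'
      line: 'ChallengeResponseAuthentication yes'
    - regexp: '^\s*#?\s*PasswordAuthentication\s'
      line: 'PasswordAuthentication yes'
    - regexp: '^\s*#?\s*AuthenticationMethods\s'
      line: 'AuthenticationMethods publickey keyboard-interactive'
  # NOTE(review): nothing here stops disable_passwordauth and
  # enable_passwordauth from both being true, in which case this later task
  # wins — confirm the vars that define them are mutually exclusive.
  when: enable_passwordauth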
# Run any handlers notified above (restart_sshd) now rather than waiting
# for the end of the play.
- meta: flush_handlers