From 337228c2446fd1427a084a9e05fdd0cca43e487b Mon Sep 17 00:00:00 2001
From: Austen Adler
Date: Thu, 12 Apr 2018 14:03:25 -0400
Subject: [PATCH] Allow enabling and disabling password auth

---
 main.yml | 2 ++
 roles/secure/tasks/main.yml | 50 ++++++++++++++++++++-----------------
 sync.sh | 6 ++++-
 3 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/main.yml b/main.yml
index 33d492e..1c11ad3 100644
--- a/main.yml
+++ b/main.yml
@@ -2,6 +2,8 @@
 - hosts: all
 vars:
 local_path: '/tmp/eee'
+ disable_passwordauth: false
+ enable_passwordauth: false
 roles:
 - {role: core, tags: [default]}
 - {role: vim, tags: [vim]}
diff --git a/roles/secure/tasks/main.yml b/roles/secure/tasks/main.yml
index e3c7ab0..649ec82 100644
--- a/roles/secure/tasks/main.yml
+++ b/roles/secure/tasks/main.yml
@@ -1,37 +1,41 @@
-- name: Protocol 2
+- name: Secure SSH
 lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^\s*Protocol\s+2'
+ regexp: "{{ item.regexp }}"
 # insertbefore: '^\s*Match'
 insertbefore: BOF
 state: 'present'
- line: 'Protocol 2'
+ line: "{{ item.line }}"
 notify: restart_sshd
-- name: UseDNS no
+ loop:
+ - { regexp: '^\s*Protocol\s+2', line: 'Protocol 2' }
+ - { regexp: '^\s*UseDNS\s+no', line: 'UseDNS no' }
+ - { regexp: '^\s*PermitEmptyPasswords\s+no', line: 'PermitEmptyPasswords no' }
+ - { regexp: '^\s*PermitRootLogin\s+without-password', line: 'PermitRootLogin without-password' }
+- name: Disable passwordauth
 lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^\s*UseDNS\s+no'
- # insertbefore: '^\s*Match'
- insertbefore: BOF
+ regexp: "{{ item.regexp }}"
+ insertbefore: '^\s*Match'
 state: 'present'
- line: 'UseDNS no'
+ line: "{{ item.line }}"
 notify: restart_sshd
-- name: PermitEmptyPasswords no
+ loop:
+ - { regexp: '^\s*ChallengeResponseAuthentication\s+no', line: 'ChallengeResponseAuthentication no' }
+ - { regexp: '^\s*PasswordAuthentication\s+no', line: 'PasswordAuthentication no' }
+ - { regexp: '^\s*AuthenticationMethods\s+publickey', line: 'AuthenticationMethods publickey' }
+ when: "disable_passwordauth"
+- name: Enable passwordauth
 lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^\s*PermitEmptyPasswords\s+no'
- # insertbefore: '^\s*Match'
- insertbefore: BOF
+ regexp: "{{ item.regexp }}"
+ insertbefore: '^\s*Match'
 state: 'present'
- line: 'PermitEmptyPasswords no'
+ line: "{{ item.line }}"
 notify: restart_sshd
-- name: PermitRootLogin without-password
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^\s*PermitRootLogin\s+without-password'
- # insertbefore: '^\s*Match'
- insertbefore: BOF
- state: 'present'
- line: 'PermitRootLogin without-password'
- notify: restart_sshd
-- meta: flush_handlers
+ loop:
+ - { regexp: '^\s*ChallengeResponseAuthentication\s+yes', line: 'ChallengeResponseAuthentication yes' }
+ - { regexp: '^\s*PasswordAuthentication\s+yes', line: 'PasswordAuthentication yes' }
+ - { regexp: '^\s*AuthenticationMethods\s+publickey\s+keyboard-interactive', line: 'AuthenticationMethods publickey keyboard-interactive' }
+ when: "enable_passwordauth"
+- meta: "flush_handlers"
diff --git a/sync.sh b/sync.sh
index 396ec9a..7f4697d 100755
--- a/sync.sh
+++ b/sync.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
-ansible-playbook -i hosts main.yml --tags default
+ansible-playbook -i 'localhost,' main.yml --tags default
 # Could also sync vim:
 # ansible-playbook -i hosts main.yml --tags default,vim
 # Could also secure system
 # ansible-playbook -i hosts --ask-become-pass main.yml --tags default,vim,secure
+# Disable password authentication
+# ansible-playbook -i 'localhost,' --tags secure --extra-vars 'disable_passwordauth=true' main.yml --ask-become-pass
+# Use 1.1.1.1 dns
+# ansible-playbook -i 'localhost,' --tags dns main.yml --ask-become-pass
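Review bot: The Disable passwordauth task's regexps match only a line that already carries the wanted value (`'^\s*PasswordAuthentication\s+no'`), so on a host whose sshd_config has `PasswordAuthentication yes` nothing is replaced and a second directive is inserted before the first `Match` (or at EOF); sshd keeps the first value it reads for a keyword, the earlier `yes` still wins, and the play reports changed while password auth stays enabled. Running Enable after Disable fails the same way, since the old `PasswordAuthentication no` / `AuthenticationMethods publickey` lines stay in front of the new ones, and with both flags true both tasks run and line order decides the outcome — the Secure SSH task only escapes this because it inserts at BOF. Matching the keyword regardless of value or comment state (`'^\s*#?\s*PasswordAuthentication\b'`, same shape for the other two) replaces the live directive instead of shadowing it, and `validate: '/usr/sbin/sshd -t -f %s'` keeps a bad edit from reaching `restart_sshd` through the flushed handler and locking the host out; the rewritten Disable task is below and Enable should mirror it. Separately, `AuthenticationMethods publickey keyboard-interactive` (space-separated) requires both methods in sequence rather than offering a password alternative, and because `password` is not listed the `PasswordAuthentication yes` line has no effect — if plain password login was intended this wants `publickey,password` or no `AuthenticationMethods` line at all, and if two-factor was intended the task name should say so. `PermitRootLogin without-password` is the pre-7.0 spelling of `prohibit-password` and `Protocol 2` does nothing on OpenSSH 7.4+ where protocol 1 was removed, which is harmless but worth a one-line comment so nobody assumes it still hardens anything.
```yaml
- name: Disable passwordauth
  lineinfile:
    path: /etc/ssh/sshd_config
    # Match the keyword whatever its current value or comment state, so the
    # existing directive is replaced rather than shadowed (sshd uses the first value).
    regexp: "{{ item.regexp }}"
    insertbefore: '^\s*Match'
    state: 'present'
    line: "{{ item.line }}"
    # Refuse the edit if sshd cannot parse it, so restart_sshd never loads a broken config.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart_sshd
  loop:
    - { regexp: '^\s*#?\s*ChallengeResponseAuthentication\b', line: 'ChallengeResponseAuthentication no' }
    - { regexp: '^\s*#?\s*PasswordAuthentication\b', line: 'PasswordAuthentication no' }
    - { regexp: '^\s*#?\s*AuthenticationMethods\b', line: 'AuthenticationMethods publickey' }
  when: disable_passwordauth | bool and not (enable_passwordauth | bool)
# … unchanged: Enable passwordauth task (same regexp shape, yes/keyboard-interactive lines) …
```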
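Review bot: The new example passes `disable_passwordauth=true` in `key=value` form, which Ansible delivers as the string "true"; the `when: "disable_passwordauth"` guards in roles/secure/tasks/main.yml test plain truthiness, so `disable_passwordauth=false` typed the same way would also run the disable task. Either pass JSON (`--extra-vars '{"disable_passwordauth": true}'`) or change the guards to `when: disable_passwordauth | bool`, and state which in the comment. The two older commented examples still use `-i hosts` while the live command and the new examples use `-i 'localhost,'`, so whichever inventory this repo actually ships, half the examples point at the other; pick one form for all of them.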