Allow enabling and disabling password auth
This commit is contained in:
parent
8bf03bbed6
commit
337228c244
2
main.yml
2
main.yml
@ -2,6 +2,8 @@
|
|||||||
- hosts: all
|
- hosts: all
|
||||||
vars:
|
vars:
|
||||||
local_path: '/tmp/eee'
|
local_path: '/tmp/eee'
|
||||||
|
disable_passwordauth: false
|
||||||
|
enable_passwordauth: false
|
||||||
roles:
|
roles:
|
||||||
- {role: core, tags: [default]}
|
- {role: core, tags: [default]}
|
||||||
- {role: vim, tags: [vim]}
|
- {role: vim, tags: [vim]}
|
||||||
|
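Review bot: `disable_passwordauth` and `enable_passwordauth` are two independent booleans, so nothing prevents both being true at once; in that case both conditional tasks in the secure role run and whichever comes later in the task file wins without any signal to the operator. A single variable with two states, e.g. `passwordauth: absent` / `present`, or a guard in `pre_tasks` such as `- assert: { that: not (disable_passwordauth and enable_passwordauth) }`, would make the conflict explicit. Defaulting both to `false` is the right choice since it leaves an existing sshd_config untouched unless the operator opts in.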
@ -1,37 +1,41 @@
|
|||||||
- name: Protocol 2
|
- name: Secure SSH
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
regexp: '^\s*Protocol\s+2'
|
regexp: "{{ item.regexp }}"
|
||||||
# insertbefore: '^\s*Match'
|
# insertbefore: '^\s*Match'
|
||||||
insertbefore: BOF
|
insertbefore: BOF
|
||||||
state: 'present'
|
state: 'present'
|
||||||
line: 'Protocol 2'
|
line: "{{ item.line }}"
|
||||||
notify: restart_sshd
|
notify: restart_sshd
|
||||||
- name: UseDNS no
|
loop:
|
||||||
|
- { regexp: '^\s*Protocol\s+2', line: 'Protocol 2' }
|
||||||
|
- { regexp: '^\s*UseDNS\s+no', line: 'UseDNS no' }
|
||||||
|
- { regexp: '^\s*PermitEmptyPasswords\s+no', line: 'PermitEmptyPasswords no' }
|
||||||
|
- { regexp: '^\s*PermitRootLogin\s+without-password', line: 'PermitRootLogin without-password' }
|
||||||
|
- name: Disable passwordauth
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
regexp: '^\s*UseDNS\s+no'
|
regexp: "{{ item.regexp }}"
|
||||||
# insertbefore: '^\s*Match'
|
insertbefore: '^\s*Match'
|
||||||
insertbefore: BOF
|
|
||||||
state: 'present'
|
state: 'present'
|
||||||
line: 'UseDNS no'
|
line: "{{ item.line }}"
|
||||||
notify: restart_sshd
|
notify: restart_sshd
|
||||||
- name: PermitEmptyPasswords no
|
loop:
|
||||||
|
- { regexp: '^\s*ChallengeResponseAuthentication\s+no', line: 'ChallengeResponseAuthentication no' }
|
||||||
|
- { regexp: '^\s*PasswordAuthentication\s+no', line: 'PasswordAuthentication no' }
|
||||||
|
- { regexp: '^\s*AuthenticationMethods\s+publickey', line: 'AuthenticationMethods publickey' }
|
||||||
|
when: "disable_passwordauth"
|
||||||
|
- name: Enable passwordauth
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
regexp: '^\s*PermitEmptyPasswords\s+no'
|
regexp: "{{ item.regexp }}"
|
||||||
# insertbefore: '^\s*Match'
|
insertbefore: '^\s*Match'
|
||||||
insertbefore: BOF
|
|
||||||
state: 'present'
|
state: 'present'
|
||||||
line: 'PermitEmptyPasswords no'
|
line: "{{ item.line }}"
|
||||||
notify: restart_sshd
|
notify: restart_sshd
|
||||||
- name: PermitRootLogin without-password
|
loop:
|
||||||
lineinfile:
|
- { regexp: '^\s*ChallengeResponseAuthentication\s+yes', line: 'ChallengeResponseAuthentication yes' }
|
||||||
path: /etc/ssh/sshd_config
|
- { regexp: '^\s*PasswordAuthentication\s+yes', line: 'PasswordAuthentication yes' }
|
||||||
regexp: '^\s*PermitRootLogin\s+without-password'
|
- { regexp: '^\s*AuthenticationMethods\s+publickey\s+keyboard-interactive', line: 'AuthenticationMethods publickey keyboard-interactive' }
|
||||||
# insertbefore: '^\s*Match'
|
when: "enable_passwordauth"
|
||||||
insertbefore: BOF
|
- meta: "flush_handlers"
|
||||||
state: 'present'
|
|
||||||
line: 'PermitRootLogin without-password'
|
|
||||||
notify: restart_sshd
|
|
||||||
- meta: flush_handlers
|
|
||||||
|
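Review bot: The `Disable passwordauth` and `Enable passwordauth` tasks cannot flip a directive that is already set: each loop item's regexp only matches the value it is about to write, so a present `PasswordAuthentication yes` (or the `no` left behind by the other task) is never replaced. The new line is instead inserted before `Match`, i.e. below the existing one, and because sshd honours the first occurrence of a keyword the old setting stays in force. Matching the directive name alone, e.g. `regexp: '^\s*PasswordAuthentication\b'`, makes lineinfile rewrite the existing line in place (lineinfile edits the last match, so confirm the directive is not also set inside a `Match` block); the same change applies to all six loop items. Every item also notifies `restart_sshd`, so adding `validate: '/usr/sbin/sshd -t -f %s'` to these `lineinfile` calls keeps a malformed edit from taking the daemon down. Separately, the space in `AuthenticationMethods publickey keyboard-interactive` means both methods must succeed in sequence; if either one on its own is intended, separate them with a comma.
```yaml
- name: Disable passwordauth
  lineinfile:
    # … unchanged: path, regexp, insertbefore, state, line …
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart_sshd
  loop:
    - { regexp: '^\s*ChallengeResponseAuthentication\b', line: 'ChallengeResponseAuthentication no' }
    - { regexp: '^\s*PasswordAuthentication\b', line: 'PasswordAuthentication no' }
    - { regexp: '^\s*AuthenticationMethods\b', line: 'AuthenticationMethods publickey' }
  when: "disable_passwordauth"
# … unchanged: Enable passwordauth task, with the same three directive-name regexps and validate …
```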
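--- a/sync.sh
+++ b/sync.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
-ansible-playbook -i hosts main.yml --tags default
+ansible-playbook -i 'localhost,' main.yml --tags default
 # Could also sync vim:
 # ansible-playbook -i hosts main.yml --tags default,vim
 # Could also secure system
 # ansible-playbook -i hosts --ask-become-pass main.yml --tags default,vim,secure
+# Disable password authentication
+# ansible-playbook -i 'localhost,' --tags secure --extra-vars 'disable_passwordauth=true' main.yml --ask-become-pass
+# Use 1.1.1.1 dns
+# ansible-playbook -i 'localhost,' --tags dns main.yml --ask-become-pass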
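Review bot: The new usage comment passes `disable_passwordauth=true` in key=value form, which Ansible stores as the string `"true"` rather than a boolean; that happens to work, but `disable_passwordauth=false` would also be a non-empty string and the task guarded by `when: "disable_passwordauth"` would still run. Either document the JSON form, `--extra-vars '{"disable_passwordauth": true}'`, or coerce in the tasks file with `when: disable_passwordauth | bool`. The `--tags dns` example refers to a role that does not appear in the main.yml hunk of this commit (the hunk may not show the whole role list), so it is worth confirming it exists before the comment ships. The older examples still use `-i hosts` while the live command was switched to `-i 'localhost,'`.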