Allow enabling and disabling password auth

This commit is contained in:
Austen Adler 2018-04-12 14:03:25 -04:00
parent 8bf03bbed6
commit 337228c244
3 changed files with 34 additions and 24 deletions


@ -2,6 +2,8 @@
- hosts: all - hosts: all
vars: vars:
local_path: '/tmp/eee' local_path: '/tmp/eee'
disable_passwordauth: false
enable_passwordauth: false
roles: roles:
- {role: core, tags: [default]} - {role: core, tags: [default]}
- {role: vim, tags: [vim]} - {role: vim, tags: [vim]}
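Review bot: `disable_passwordauth` and `enable_passwordauth` are two independent booleans, so both can be passed as true in the same run; nothing in these vars or in the tasks that key off them rejects that combination, and the result then depends on task order rather than on what the operator meant. A comment such as `# set at most one of these to true; they select mutually exclusive sshd_config edits` above the pair would make the constraint visible, and an `assert` task with `that: not (disable_passwordauth and enable_passwordauth)` at the top of the play would enforce it. Defaulting both to false, so an ordinary run leaves the existing authentication settings untouched, is the right choice.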


@ -1,37 +1,41 @@
- name: Protocol 2 - name: Secure SSH
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^\s*Protocol\s+2' regexp: "{{ item.regexp }}"
# insertbefore: '^\s*Match' # insertbefore: '^\s*Match'
insertbefore: BOF insertbefore: BOF
state: 'present' state: 'present'
line: 'Protocol 2' line: "{{ item.line }}"
notify: restart_sshd notify: restart_sshd
- name: UseDNS no loop:
- { regexp: '^\s*Protocol\s+2', line: 'Protocol 2' }
- { regexp: '^\s*UseDNS\s+no', line: 'UseDNS no' }
- { regexp: '^\s*PermitEmptyPasswords\s+no', line: 'PermitEmptyPasswords no' }
- { regexp: '^\s*PermitRootLogin\s+without-password', line: 'PermitRootLogin without-password' }
- name: Disable passwordauth
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^\s*UseDNS\s+no' regexp: "{{ item.regexp }}"
# insertbefore: '^\s*Match' insertbefore: '^\s*Match'
insertbefore: BOF
state: 'present' state: 'present'
line: 'UseDNS no' line: "{{ item.line }}"
notify: restart_sshd notify: restart_sshd
- name: PermitEmptyPasswords no loop:
- { regexp: '^\s*ChallengeResponseAuthentication\s+no', line: 'ChallengeResponseAuthentication no' }
- { regexp: '^\s*PasswordAuthentication\s+no', line: 'PasswordAuthentication no' }
- { regexp: '^\s*AuthenticationMethods\s+publickey', line: 'AuthenticationMethods publickey' }
when: "disable_passwordauth"
- name: Enable passwordauth
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^\s*PermitEmptyPasswords\s+no' regexp: "{{ item.regexp }}"
# insertbefore: '^\s*Match' insertbefore: '^\s*Match'
insertbefore: BOF
state: 'present' state: 'present'
line: 'PermitEmptyPasswords no' line: "{{ item.line }}"
notify: restart_sshd notify: restart_sshd
- name: PermitRootLogin without-password loop:
lineinfile: - { regexp: '^\s*ChallengeResponseAuthentication\s+yes', line: 'ChallengeResponseAuthentication yes' }
path: /etc/ssh/sshd_config - { regexp: '^\s*PasswordAuthentication\s+yes', line: 'PasswordAuthentication yes' }
regexp: '^\s*PermitRootLogin\s+without-password' - { regexp: '^\s*AuthenticationMethods\s+publickey\s+keyboard-interactive', line: 'AuthenticationMethods publickey keyboard-interactive' }
# insertbefore: '^\s*Match' when: "enable_passwordauth"
insertbefore: BOF - meta: "flush_handlers"
state: 'present'
line: 'PermitRootLogin without-password'
notify: restart_sshd
- meta: flush_handlers
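Review bot: The loop regexps in the new Disable/Enable passwordauth tasks embed the expected value, e.g. `'^\s*PasswordAuthentication\s+no'`, so an existing `PasswordAuthentication yes` directive is never matched: lineinfile then inserts a second directive before the Match block (or at end of file when there is none), and since sshd uses the first value it reads for a keyword, the old setting stays in effect while the play reports a change. Toggling between the two flags accumulates contradictory lines rather than switching the setting; the consolidated Secure SSH loop has the same shape (`UseDNS yes` is not matched by `'^\s*UseDNS\s+no'`), though that pattern predates this commit. Matching on the keyword only, with an optional leading `#`, lets `line` carry the value and also replaces a commented-out default in place; note lineinfile replaces the last matching line, so a file that already holds duplicates should be cleaned once. Whether `AuthenticationMethods publickey keyboard-interactive` is meant to admit plain password logins is not clear from this hunk, since `password` is not among the listed methods — a comment on that item would help.
```yaml
# … unchanged: Disable passwordauth lineinfile block …
  loop:
    - { regexp: '^\s*#?\s*ChallengeResponseAuthentication\s', line: 'ChallengeResponseAuthentication no' }
    - { regexp: '^\s*#?\s*PasswordAuthentication\s', line: 'PasswordAuthentication no' }
    - { regexp: '^\s*#?\s*AuthenticationMethods\s', line: 'AuthenticationMethods publickey' }
  when: "disable_passwordauth"
# … unchanged: Enable passwordauth lineinfile block …
  loop:
    - { regexp: '^\s*#?\s*ChallengeResponseAuthentication\s', line: 'ChallengeResponseAuthentication yes' }
    - { regexp: '^\s*#?\s*PasswordAuthentication\s', line: 'PasswordAuthentication yes' }
    - { regexp: '^\s*#?\s*AuthenticationMethods\s', line: 'AuthenticationMethods publickey keyboard-interactive' }
  when: "enable_passwordauth"
```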


@ -1,6 +1,10 @@
#!/bin/bash #!/bin/bash
ansible-playbook -i hosts main.yml --tags default ansible-playbook -i 'localhost,' main.yml --tags default
# Could also sync vim: # Could also sync vim:
# ansible-playbook -i hosts main.yml --tags default,vim # ansible-playbook -i hosts main.yml --tags default,vim
# Could also secure system # Could also secure system
# ansible-playbook -i hosts --ask-become-pass main.yml --tags default,vim,secure # ansible-playbook -i hosts --ask-become-pass main.yml --tags default,vim,secure
# Disable password authentication
# ansible-playbook -i 'localhost,' --tags secure --extra-vars 'disable_passwordauth=true' main.yml --ask-become-pass
# Use 1.1.1.1 dns
# ansible-playbook -i 'localhost,' --tags dns main.yml --ask-become-pass
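Review bot: The comment examples in this script now mix two inventories: the live command switched to `-i 'localhost,'`, while the `default,vim` and `default,vim,secure` examples still say `-i hosts`, and only `disable_passwordauth=true` is documented although the play also accepts `enable_passwordauth`. Align the inventory across the examples and add the counterpart, e.g. `# ansible-playbook -i 'localhost,' --tags secure --extra-vars 'enable_passwordauth=true' main.yml --ask-become-pass`. A one-line comment that the two flags are not meant to be combined would also save a reader from copying both into one invocation.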