vm-ansible/roles/common/tasks/ssh-security-settings.yaml

47 lines
1.2 KiB
YAML

---
- name: Disable password authentication
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: 'PasswordAuthentication yes'
replace: 'PasswordAuthentication no'
- name: Disable root authentication
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '#PermitRootLogin prohibit-password'
replace: 'PermitRootLogin no'
- name: Disable X11 forwarding
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: 'X11Forwarding yes'
replace: 'X11Forwarding no'
- name: Explicitly only listen on ipv4
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '#AddressFamily any'
replace: 'AddressFamily inet'
- name: Check if AllowUsers is defined
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
check_mode: true
changed_when: false
register: checkallowusers
- name: Define AllowUsers if undefined
ansible.builtin.lineinfile:
state: present
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible service-user"
when: checkallowusers.found == 0
- name: "Restart sshd"
ansible.builtin.service:
name: sshd
state: restarted
...