summaryrefslogtreecommitdiff
path: root/roles/core/sshd/tasks/main.yml
diff options
context:
space:
mode:
authorChristian Pointner <equinox@spreadspace.org>2020-05-31 23:12:36 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-05-31 23:12:36 +0200
commit3a2319c9c58886a7938deabafc66ad4bc128c9f8 (patch)
tree222b41b5b49633b9156c070df830d5c73617edd7 /roles/core/sshd/tasks/main.yml
parentchaos-at-home: deploy apt-repo/base to some more hosts (diff)
move core roles to subdir
Diffstat (limited to 'roles/core/sshd/tasks/main.yml')
-rw-r--r--roles/core/sshd/tasks/main.yml55
1 files changed, 55 insertions, 0 deletions
diff --git a/roles/core/sshd/tasks/main.yml b/roles/core/sshd/tasks/main.yml
new file mode 100644
index 00000000..5eb15081
--- /dev/null
+++ b/roles/core/sshd/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+- name: load os/distrubtion/version specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+
+- name: hardening ssh-server config
+ vars:
+ sshd_options:
+ IgnoreRhosts: "yes"
+ PermitRootLogin: "without-password"
+ PubkeyAuthentication: "yes"
+ HostbasedAuthentication: "no"
+ PermitEmptyPasswords: "no"
+ UseDNS: "no"
+ loop: "{{ sshd_options | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ lineinfile:
+ regexp: "^#?\\s*{{ item.key }}\\s"
+ line: "{{ item.key }} {{ item.value }}"
+ dest: /etc/ssh/sshd_config
+ mode: 0644
+ notify: restart ssh
+
+- name: limit allowed users
+ when: not ssh_allow_any_user
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers\\s"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
+ notify: restart ssh
+
+- name: allow any user
+ when: ssh_allow_any_user
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers\\s"
+ state: absent
+ notify: restart ssh
+
+- name: install ssh keys for root
+ authorized_key:
+ user: root
+ key: "{{ ssh_keys_root | join('\n') }}"
+ exclusive: yes
+
+- name: delete root password
+ when: sshd_disabled_password is defined
+ user:
+ name: root
+ password: "{{ sshd_disabled_password }}"