diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2021-04-13 01:26:11 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2021-04-13 01:26:11 +0200 |
| commit | 8accaf3930a4c009b22c9c040580e54e1eb096e8 (patch) | |
| tree | eb375733718f5ade9bf3b8b54ab997e8fdf31698 /roles/core | |
| parent | upgrade collabora and nextcloud (diff) | |
sshd: disable password auth by default
Diffstat (limited to 'roles/core')
| -rw-r--r-- | roles/core/sshd/base/defaults/main.yml | 8 | ||||
| -rw-r--r-- | roles/core/sshd/base/tasks/main.yml | 27 |
2 files changed, 34 insertions, 1 deletions
diff --git a/roles/core/sshd/base/defaults/main.yml b/roles/core/sshd/base/defaults/main.yml index 50cc0f15..235f3962 100644 --- a/roles/core/sshd/base/defaults/main.yml +++ b/roles/core/sshd/base/defaults/main.yml @@ -1,2 +1,10 @@ --- +sshd_allowusers_host: [] +sshd_allowusers_group: [] sshd_allow_any_user: false + +sshd_allowgroups_host: [] +sshd_allowgroups_group: [] +sshd_allow_any_group: true + +sshd_password_auth: false diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml index e5c9f6a7..cf5862fa 100644 --- a/roles/core/sshd/base/tasks/main.yml +++ b/roles/core/sshd/base/tasks/main.yml @@ -14,6 +14,7 @@ PermitRootLogin: "without-password" PubkeyAuthentication: "yes" HostbasedAuthentication: "no" + PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}" PermitEmptyPasswords: "no" UseDNS: "no" loop: "{{ sshd_options | dict2items }}" @@ -21,7 +22,7 @@ label: "{{ item.key }} = {{ item.value }}" lineinfile: dest: /etc/ssh/sshd_config - regexp: "^#?\\s*{{ item.key }}\\s" + regexp: "^(#\\s*)?{{ item.key }}\\s" line: "{{ item.key }} {{ item.value }}" insertbefore: '^### ansible core/sshd/base config barrier ###' notify: restart ssh @@ -43,6 +44,30 @@ state: absent notify: restart ssh +- name: limit allowed groups + when: not sshd_allow_any_group | bool + block: + - name: verify sshd allow-groups are configured + assert: + that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0 + msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host + + - name: set AllowGroups option + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowGroups\\s" + line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host)) }}" + insertbefore: '^### ansible core/sshd/base config barrier ###' + notify: restart ssh + +- name: allow any group + when: sshd_allow_any_group | bool + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowGroups\\s" + state: absent + notify: restart ssh + - name: install config barriers for other roles to use loop: - line: "### ansible core/sshd/base config barrier ###" |