author | Christian Pointner <equinox@spreadspace.org> | 2018-12-09 14:03:05 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2018-12-09 14:03:05 +0100 |
commit | a02e756446b9b23beba6dcaa60845d1fa70488cb (patch) | |
tree | 3bade44762e3f85b4795b659a6c44ac363e92783 /roles/sshd/tasks/main.yml | |
parent | refactoring sshserver role (diff) |
renamed sshserver role to sshd
Diffstat (limited to 'roles/sshd/tasks/main.yml')
-rw-r--r-- | roles/sshd/tasks/main.yml | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 00000000..e638905b
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install ssh-server
+ apt:
+ name: openssh-server
+ state: present
+
+- name: hardening ssh-server config
+ lineinfile:
+ regexp: "^#?\\s*{{ item.key }}"
+ line: "{{ item.key }} {{ item.value }}"
+ dest: /etc/ssh/sshd_config
+ mode: 0644
+ with_dict:
+ IgnoreRhosts: "yes"
+ PermitRootLogin: "without-password"
+ PubkeyAuthentication: "yes"
+ HostbasedAuthentication: "no"
+ PermitEmptyPasswords: "no"
+ UseDNS: "no"
+ loop_control:
+ label: "{{ item.key }}"
+ notify: restart ssh
+
+- name: limit allowed users
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
+ notify: restart ssh
+
+- name: install ssh keys for root
+ authorized_key:
+ user: root
+ key: "{{ ssh_keys_root | join('\n') }}"
+ exclusive: yes
+
+- name: delete root password
+ user:
+ name: root
+ password: "!" |
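Review bot: Both lineinfile edits of /etc/ssh/sshd_config are written without a syntax check, so a malformed AllowUsers line (for example when ssh_allowusers_group or ssh_allowusers_host expands to a value sshd rejects) is saved and the notified restart can leave the host unreachable over SSH; add `validate: "/usr/sbin/sshd -t -f %s"` to the "hardening ssh-server config" and "limit allowed users" tasks so the file is only replaced after sshd accepts it. The hardening regexp `^#?\s*{{ item.key }}` makes lineinfile rewrite the last matching line, whereas sshd honours the first occurrence of a keyword, so a directive already set earlier in the file (or inside a later Match block) is not effectively overridden; a comment stating that the stock Debian config is assumed, such as `# assumes each directive occurs at most once in the distro default sshd_config`, would make that precondition explicit. The "install ssh keys for root" task uses `exclusive: yes`, so an empty ssh_keys_root removes every existing root key while the following task locks the root password; a guard like `when: ssh_keys_root | length > 0` on the authorized_key task would avoid locking out the only remaining login path. Whether the second `notify: restart ssh` sits at task level cannot be confirmed from this collapsed rendering.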