author | Christian Pointner <equinox@spreadspace.org> | 2017-11-21 22:28:39 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2017-11-21 22:28:39 +0100 |
commit | 91cd5480b5a1ca1103d5e239af3d331477c41c2c (patch) | |
tree | b495bf31e2d5da50b045838a1e8d0455db09ee65 /roles/sshserver/tasks/main.yaml |
initial commit as copy from helsinki ansible repo
Diffstat (limited to 'roles/sshserver/tasks/main.yaml')
-rw-r--r-- | roles/sshserver/tasks/main.yaml | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/roles/sshserver/tasks/main.yaml b/roles/sshserver/tasks/main.yaml
new file mode 100644
index 00000000..68505ede
--- /dev/null
+++ b/roles/sshserver/tasks/main.yaml
@@ -0,0 +1,34 @@
+---
+- name: install ssh-server
+  apt: name=openssh-server state=present
+
+- name: hardening ssh-server config
+  lineinfile:
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    dest: /etc/ssh/sshd_config
+    mode: 0644
+  with_items:
+    - { "regexp": "^#?\\s*IgnoreRhosts", "line": "IgnoreRhosts yes" }
+    - { "regexp": "^#?\\s*PermitRootLogin", "line": "PermitRootLogin without-password" }
+    - { "regexp": "^#?\\s*PubkeyAuthentication", "line": "PubkeyAuthentication yes" }
+    - { "regexp": "^#?\\s*HostbasedAuthentication", "line": "HostbasedAuthentication no" }
+    - { "regexp": "^#?\\s*PermitEmptyPasswords", "line": "PermitEmptyPasswords no" }
+    - { "regexp": "^#?\\s*UseDNS", "line": "UseDNS no" }
+  notify: restart ssh
+
+- name: limit allowed users
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^AllowUsers"
+    line: "AllowUsers {{ ' '.join([ 'root', 'rhadmin' ] | union(sshserver_allowusers_group | default([])) | union(sshserver_allowusers_host | default([]))) }}"
+  when: sshserver_allowusers_set | default(true)
+  notify: restart ssh
+
+- name: allow any user to login via ssh
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^AllowUsers"
+    state: absent
+  when: not (sshserver_allowusers_set | default(true))
+  notify: restart ssh
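Review bot: None of the three lineinfile tasks validates the resulting sshd_config before `notify: restart ssh` fires, so a malformed line (for example a rendered AllowUsers value with an unexpected token, or a directive that lands in a context where sshd rejects it) takes the daemon down on restart and can lock the operator out of the host; add `validate: '/usr/sbin/sshd -t -f %s'` to each lineinfile call so the handler only runs on a config sshd accepts. Related, lineinfile appends at end of file when the regexp matches nothing, so on an sshd_config that ends with a `Match` block the appended directive would be scoped to that block (and UseDNS, for one, is not permitted inside Match), which the current regexps do not guard against — an `insertbefore: '^Match'` on the hardening task would keep such lines in the global section. In the hardening items, `PermitRootLogin without-password` is the pre-7.0 spelling that OpenSSH now documents as an alias of `prohibit-password`; since the regexp `^#?\s*PermitRootLogin` already matches the distribution's commented default, the line could use the current keyword, `PermitRootLogin prohibit-password`. The role also leaves PasswordAuthentication at the distribution default, which is presumably intended for the non-root users listed in AllowUsers; a comment on the hardening task stating that would save the next reader from wondering whether the omission is deliberate.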