Diffstat (limited to 'roles/core/sshd/base/tasks/main.yml')
-rw-r--r--roles/core/sshd/base/tasks/main.yml27
1 files changed, 26 insertions, 1 deletions
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
index e5c9f6a7..cf5862fa 100644
--- a/roles/core/sshd/base/tasks/main.yml
+++ b/roles/core/sshd/base/tasks/main.yml
@@ -14,6 +14,7 @@
PermitRootLogin: "without-password"
PubkeyAuthentication: "yes"
HostbasedAuthentication: "no"
+ PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"
PermitEmptyPasswords: "no"
UseDNS: "no"
loop: "{{ sshd_options | dict2items }}"
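Review bot: Turning PasswordAuthentication off on the added line does not by itself stop password logins: with UsePAM in effect sshd still accepts passwords over keyboard-interactive unless ChallengeResponseAuthentication (KbdInteractiveAuthentication on OpenSSH 8.7+) is also set to no, so the same toggle should drive that option too, e.g. `ChallengeResponseAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"`. Nothing in the hunk gives `sshd_password_auth` a default; if none is declared in the role's defaults (not visible here), an unset variable aborts the play instead of choosing the safe value, and `sshd_password_auth | default(false) | ternary('yes', 'no')` would fail closed. The `sshd_options` dict and its task begin before this hunk.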
@@ -21,7 +22,7 @@
label: "{{ item.key }} = {{ item.value }}"
lineinfile:
dest: /etc/ssh/sshd_config
- regexp: "^#?\\s*{{ item.key }}\\s"
+ regexp: "^(#\\s*)?{{ item.key }}\\s"
line: "{{ item.key }} {{ item.value }}"
insertbefore: '^### ansible core/sshd/base config barrier ###'
notify: restart ssh
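Review bot: The lineinfile task here writes whatever `sshd_options` contains straight into /etc/ssh/sshd_config with no `validate`, so a bad value followed by the `restart ssh` handler can leave the host without a reachable sshd; add `validate: '/usr/sbin/sshd -t -f %s'` next to `dest` so the rewrite is rejected before the handler fires. Note also that lineinfile only rewrites the last line the regexp matches while sshd honours the first occurrence of a keyword, so a pre-existing active directive earlier in the file (e.g. a distro default placed above the barrier) would silently override the managed value; if that is possible on the target hosts, a preceding task that removes the other matches is needed. The tightened regexp on the `+` line no longer matches indented lines, presumably so options inside a `Match` block are left alone — worth a one-line comment such as `# only match top-level (unindented) options, so Match-block entries are untouched`. The enclosing task starts before this hunk.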
@@ -43,6 +44,30 @@
state: absent
notify: restart ssh
+- name: limit allowed groups
+ when: not sshd_allow_any_group | bool
+ block:
+ - name: verify sshd allow-groups are configured
+ assert:
+ that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0
+ msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host
+
+ - name: set AllowGroups option
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host)) }}"
+ insertbefore: '^### ansible core/sshd/base config barrier ###'
+ notify: restart ssh
+
+- name: allow any group
+ when: sshd_allow_any_group | bool
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ state: absent
+ notify: restart ssh
+
- name: install config barriers for other roles to use
loop:
- line: "### ansible core/sshd/base config barrier ###"