From 8accaf3930a4c009b22c9c040580e54e1eb096e8 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 13 Apr 2021 01:26:11 +0200
Subject: sshd: disable password auth by default
---
 roles/core/sshd/base/defaults/main.yml | 8 ++++++++
 roles/core/sshd/base/tasks/main.yml | 27 ++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
(limited to 'roles/core')
diff --git a/roles/core/sshd/base/defaults/main.yml b/roles/core/sshd/base/defaults/main.yml
index 50cc0f15..235f3962 100644
--- a/roles/core/sshd/base/defaults/main.yml
+++ b/roles/core/sshd/base/defaults/main.yml
@@ -1,2 +1,10 @@
 ---
+sshd_allowusers_host: []
+sshd_allowusers_group: []
 sshd_allow_any_user: false
+
+sshd_allowgroups_host: []
+sshd_allowgroups_group: []
+sshd_allow_any_group: true
+
+sshd_password_auth: false
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
index e5c9f6a7..cf5862fa 100644
--- a/roles/core/sshd/base/tasks/main.yml
+++ b/roles/core/sshd/base/tasks/main.yml
@@ -14,6 +14,7 @@
 PermitRootLogin: "without-password"
 PubkeyAuthentication: "yes"
 HostbasedAuthentication: "no"
+PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"
 PermitEmptyPasswords: "no"
 UseDNS: "no"
 loop: "{{ sshd_options | dict2items }}"
@@ -21,7 +22,7 @@
 label: "{{ item.key }} = {{ item.value }}"
 lineinfile:
 dest: /etc/ssh/sshd_config
-regexp: "^#?\\s*{{ item.key }}\\s"
+regexp: "^(#\\s*)?{{ item.key }}\\s"
 line: "{{ item.key }} {{ item.value }}"
 insertbefore: '^### ansible core/sshd/base config barrier ###'
 notify: restart ssh
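Review bot: The new variables in defaults/main.yml carry no comments, so the asymmetry between `sshd_allow_any_user: false` (user restriction enforced by default) and the new `sshd_allow_any_group: true` (group restriction opt-in) is left unexplained, as is the split into `_host` and `_group` lists, which tasks/main.yml appears to union before writing `AllowGroups`. A one-line comment above each pair would settle this for operators, e.g. `# both lists are merged into AllowGroups; set sshd_allow_any_group: false to enforce it` and, above the last key, `# rendered as "PasswordAuthentication yes|no" in sshd_config`. Role defaults are the first place an operator looks when a login stops working, so the intent of each switch belongs here rather than only in the task names.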
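Review bot: The added `PasswordAuthentication` entry disables only one of the two password paths: on a PAM-enabled sshd, keyboard-interactive authentication still prompts for and verifies the account password unless `ChallengeResponseAuthentication` (alias `KbdInteractiveAuthentication` since OpenSSH 8.7) is also `no`. Driving that option from the same flag makes the commit's subject hold on every target regardless of what the distribution's shipped sshd_config sets: `ChallengeResponseAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"`. The `sshd_options` mapping this line belongs to starts above the hunk, so it may already contain that key; if so, only its value needs to follow `sshd_password_auth`.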
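Review bot: The new regexp `^(#\\s*)?{{ item.key }}\\s` drops the tolerance for leading whitespace that `^#?\\s*` had, so an existing indented `  PasswordAuthentication yes` is no longer matched and is left in place next to the line inserted before the barrier; sshd uses the first occurrence of a keyword, so if that stale line sits earlier in the file it wins. The pattern also stays case-sensitive while sshd_config keywords are not. `regexp: "(?i)^\\s*(#\\s*)?{{ item.key }}\\s"` keeps the intended shape and covers both spellings; if the narrower match was deliberate, a comment above the line saying why would help the next reader. Note that lineinfile replaces only the last match, so duplicates of an already-set keyword are not collapsed by this task either way.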
@@ -43,6 +44,30 @@
 state: absent
 notify: restart ssh
 
+- name: limit allowed groups
+ when: not sshd_allow_any_group | bool
+ block:
+ - name: verify sshd allow-groups are configured
+ assert:
+ that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0
+ msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host
+
+ - name: set AllowGroups option
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host)) }}"
+ insertbefore: '^### ansible core/sshd/base config barrier ###'
+ notify: restart ssh
+
+- name: allow any group
+ when: sshd_allow_any_group | bool
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowGroups\\s"
+ state: absent
+ notify: restart ssh
+
 - name: install config barriers for other roles to use
 loop:
 - line: "### ansible core/sshd/base config barrier ###"
--
cgit v1.2.3
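Review bot: The `allow any group` task removes only lines that begin exactly with `AllowGroups`, but sshd_config keywords are case-insensitive and may be indented, so a pre-existing `  allowgroups wheel` line would survive a switch to `sshd_allow_any_group: true` and keep locking users out; the `set AllowGroups option` task has the same blind spot, and because lineinfile replaces only the last match while sshd honours the first occurrence, a stale earlier line would silently override the managed one. `regexp: "(?i)^\\s*AllowGroups\\s"` in both tasks covers those spellings. The assert message reads `and or`; `msg: Please set sshd_allowgroups_group and/or sshd_allowgroups_host` is what is meant. The `union(...)` expression is evaluated twice in the block; a task-level `vars:` entry holding the merged list would name it once and keep the `that:` and `line:` in step.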