Disables SSH access for root on demand

2023-12-11 18:36:27 +01:00 · 2023-12-11 18:36:27 +01:00 · 177ba579e9
commit 177ba579e9
parent a550c49dec
3 changed files with 44 additions and 3 deletions
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -72,6 +72,38 @@
        files:
          - /etc/sudoers
          - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Disable SSH for root'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin No'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == false
+    
+    - name: 'Enable SSH for root through password or key'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin Yes'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == false
+    
+    - name: 'Enable SSH for root through key only'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin prohibit-password'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == true
  when:
    - enable_sudo
    - enable_passwordless_sudo
@ -83,4 +115,4 @@
    mode: 0644
    owner: "{{ item }}"
    group: "{{ item }}"
-  with_items: "{{ users }}"
+  with_items: "{{ users }}"