jotbe/ansible-role-common
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Disables SSH access for root on demand #4

Merged
jotbe merged 1 commit from feature/disable-ssh-for-root into master 2023-12-11 18:37:13 +01:00
Conversation 0 Commits 1 Files changed 3 +44 -3
3 changed files with 44 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 177ba579e9 - Show all commits

6
defaults/main.yml
View file

@ -18,6 +18,10 @@ ensure_ansible_version: 2.10.3
enable_sudo: yes enable_sudo: yes
# Allow passwordless sudo (applied to group wheel) # Allow passwordless sudo (applied to group wheel)
enable_passwordless_sudo: yes enable_passwordless_sudo: yes
# Allow root to connect through SSH
enable_ssh_for_root: yes
# Allow root to connect only using public key authentication, no password
enable_ssh_for_root_prohibit_password: no
# Skip provisioning of the firewall # Skip provisioning of the firewall
skip_firewall: no skip_firewall: no
authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target! authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!

7
handlers/main.yml
View file

@ -1,2 +1,7 @@
--- ---
# handlers file for common # handlers file for common
- name: Restart SSH
ansible.builtin.service:
name: ssh
state: restarted
become: true

34
tasks/users.yml
View file

@ -72,6 +72,38 @@
files: files:
- /etc/sudoers - /etc/sudoers
- /usr/local/etc/sudoers # e.g. FreeBSD - /usr/local/etc/sudoers # e.g. FreeBSD
- name: 'Disable SSH for root'
lineinfile:
dest: "/etc/ssh/sshd_config"
state: present
regexp: '^#?\s*PermitRootLogin'
line: 'PermitRootLogin No'
notify: Restart SSH
when:
- enable_ssh_for_root | bool == false
- name: 'Enable SSH for root through password or key'
lineinfile:
dest: "/etc/ssh/sshd_config"
state: present
regexp: '^#?\s*PermitRootLogin'
line: 'PermitRootLogin Yes'
notify: Restart SSH
when:
- enable_ssh_for_root | bool == true
- enable_ssh_for_root_prohibit_password | bool == false
- name: 'Enable SSH for root through key only'
lineinfile:
dest: "/etc/ssh/sshd_config"
state: present
regexp: '^#?\s*PermitRootLogin'
line: 'PermitRootLogin prohibit-password'
notify: Restart SSH
when:
- enable_ssh_for_root | bool == true
- enable_ssh_for_root_prohibit_password | bool == true
when: when:
- enable_sudo - enable_sudo
- enable_passwordless_sudo - enable_passwordless_sudo
@ -83,4 +115,4 @@
mode: 0644 mode: 0644
owner: "{{ item }}" owner: "{{ item }}"
group: "{{ item }}" group: "{{ item }}"
with_items: "{{ users }}" with_items: "{{ users }}"