Initial CommitHEAD master

author: Sam Chudnick <sam@chudnick.com> 2023-06-25 09:52:36 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-06-25 09:52:36 -0400
commit: 95b73daa36b23565a8566f71f9b202d3459b685f (patch)
tree: cb17b021be70e7868d0ec235a761f0ecdc80f3f2 /roles/services/ssh
1 files changed, 46 insertions, 0 deletions
diff --git a/roles/services/ssh/tasks/main.yml b/roles/services/ssh/tasks/main.yml
new file mode 100644
index 0000000..d2cabab
--- /dev/null
+++ b/roles/services/ssh/tasks/main.yml
@@ -0,0 +1,46 @@
+- name: explicitly only allow pubkey auth
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?AuthenticationMethods.*"
+    line: "AuthenticationMethods publickey"
+- name: disable root ssh login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+- name: enable publickey authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PubkeyAuthentication.*"
+    line: "PubkeyAuthentication yes"
+- name: disable password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication.*"
+    line: "PasswordAuthentication no"
+- name: disable challenge response
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?ChallengeResponseAuthentication.*"
+    line: "ChallengeResponseAuthentication no"
+- name: disable pam
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?UsePAM.*"
+    line: "UsePAM no"
+- name: ensure sshd is enabled
+  systemd:
+    name: sshd
+    enabled: yes
+    masked: no
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
author	Sam Chudnick <sam@chudnick.com>	2023-06-25 09:52:36 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-06-25 09:52:36 -0400
commit	95b73daa36b23565a8566f71f9b202d3459b685f (patch)
tree	cb17b021be70e7868d0ec235a761f0ecdc80f3f2 /roles/services/ssh

diff --git a/roles/services/ssh/tasks/main.yml b/roles/services/ssh/tasks/main.yml new file mode 100644 index 0000000..d2cabab --- /dev/null +++ b/roles/services/ssh/tasks/main.yml
@@ -0,0 +1,46 @@
	1	- name: explicitly only allow pubkey auth
	2	lineinfile:
	3	path: /etc/ssh/sshd_config
	4	regexp: "^#?AuthenticationMethods.*"
	5	line: "AuthenticationMethods publickey"
	6
	7	- name: disable root ssh login
	8	lineinfile:
	9	path: /etc/ssh/sshd_config
	10	regexp: "^#?PermitRootLogin"
	11	line: "PermitRootLogin no"
	12
	13	- name: enable publickey authentication
	14	lineinfile:
	15	path: /etc/ssh/sshd_config
	16	regexp: "^#?PubkeyAuthentication.*"
	17	line: "PubkeyAuthentication yes"
	18
	19	- name: disable password authentication
	20	lineinfile:
	21	path: /etc/ssh/sshd_config
	22	regexp: "^#?PasswordAuthentication.*"
	23	line: "PasswordAuthentication no"
	24
	25	- name: disable challenge response
	26	lineinfile:
	27	path: /etc/ssh/sshd_config
	28	regexp: "^#?ChallengeResponseAuthentication.*"
	29	line: "ChallengeResponseAuthentication no"
	30
	31	- name: disable pam
	32	lineinfile:
	33	path: /etc/ssh/sshd_config
	34	regexp: "^#?UsePAM.*"
	35	line: "UsePAM no"
	36
	37	- name: ensure sshd is enabled
	38	systemd:
	39	name: sshd
	40	enabled: yes
	41	masked: no
	42
	43	- name: restart sshd
	44	service:
	45	name: sshd
	46	state: restarted