From 95b73daa36b23565a8566f71f9b202d3459b685f Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 25 Jun 2023 09:52:36 -0400
Subject: Initial Commit
---
 roles/services/ssh/tasks/main.yml | 46 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 roles/services/ssh/tasks/main.yml
(limited to 'roles/services/ssh')
diff --git a/roles/services/ssh/tasks/main.yml b/roles/services/ssh/tasks/main.yml
new file mode 100644
index 0000000..d2cabab
--- /dev/null
+++ b/roles/services/ssh/tasks/main.yml
@@ -0,0 +1,46 @@
+- name: explicitly only allow pubkey auth
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?AuthenticationMethods.*"
+    line: "AuthenticationMethods publickey"
+
+- name: disable root ssh login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+
+- name: enable publickey authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PubkeyAuthentication.*"
+    line: "PubkeyAuthentication yes"
+
+- name: disable password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication.*"
+    line: "PasswordAuthentication no"
+
+- name: disable challenge response
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?ChallengeResponseAuthentication.*"
+    line: "ChallengeResponseAuthentication no"
+
+- name: disable pam
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?UsePAM.*"
+    line: "UsePAM no"
+
+- name: ensure sshd is enabled
+  systemd:
+    name: sshd
+    enabled: yes
+    masked: no
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
-- 
cgit v1.2.3
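Review bot: None of the six lineinfile tasks validates the rewritten sshd_config before the unconditional restart at the end of the hunk, so a bad edit — or a directive appended after a trailing `Match` block, which is where lineinfile lands when the regexp matches nothing — leaves sshd down after the restart; add `validate: '/usr/sbin/sshd -t -f %s'` to each lineinfile task so a failing `sshd -t` aborts the play instead. The `restart sshd` task also runs on every play even when nothing changed; making it a handler and adding `notify: restart sshd` to the edit tasks keeps the role idempotent and avoids bouncing live sessions. On hosts whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, first-value-wins means a drop-in can still override the `PasswordAuthentication no` set here, so confirming the effective config with `sshd -T` after the play is worth noting in the role. Finally, `enabled: yes` / `masked: no` in the systemd task should be written as `true` / `false`.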