agaric-coop/box/provisioning/roles/geerlingguy.security/tasks/ssh.yml

46 lines
1.6 KiB
YAML
Raw Permalink Normal View History

---
- name: Update SSH configuration to be more secure.
lineinfile:
dest: "{{ security_ssh_config_path }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items:
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
- regexp: "^PermitRootLogin"
line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
- regexp: "^Port"
line: "Port {{ security_ssh_port }}"
- regexp: "^UseDNS"
line: "UseDNS {{ security_ssh_usedns }}"
- regexp: "^PermitEmptyPasswords"
line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
- regexp: "^ChallengeResponseAuthentication"
line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
- regexp: "^GSSAPIAuthentication"
line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
- regexp: "^X11Forwarding"
line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
notify: restart ssh
- name: Add configured user accounts to passwordless sudoers.
lineinfile:
dest: /etc/sudoers
regexp: '^{{ item }}'
line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
state: present
validate: 'visudo -cf %s'
with_items: "{{ security_sudoers_passwordless }}"
when: security_sudoers_passwordless | length > 0
- name: Add configured user accounts to passworded sudoers.
lineinfile:
dest: /etc/sudoers
regexp: '^{{ item }}'
line: '{{ item }} ALL=(ALL) ALL'
state: present
validate: 'visudo -cf %s'
with_items: "{{ security_sudoers_passworded }}"
when: security_sudoers_passworded | length > 0