---
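# Enforce the role's sshd directives. Each item is one directive: a line
# matching the regexp is rewritten in place; with no match the line is
# appended at the end of the file (so a commented default such as
# "#PasswordAuthentication yes" is left alone and a new line is added).
# NOTE(review): if the target file ends with a "Match" block, an appended
# directive lands inside that block and applies only there — confirm the
# managed file has no trailing Match block.
- name: Update SSH configuration to be more secure.
  lineinfile:
    dest: "{{ security_ssh_config_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Reject the edit when sshd cannot parse the result, so a mistyped value
    # (e.g. a non-numeric security_ssh_port) is never written out and the
    # "restart ssh" handler cannot leave the host without a working sshd.
    # This mirrors the visudo check used for the sudoers tasks below.
    validate: 'sshd -T -f %s'
  with_items:
    - regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
    - regexp: "^Port"
      line: "Port {{ security_ssh_port }}"
    - regexp: "^UseDNS"
      line: "UseDNS {{ security_ssh_usedns }}"
    - regexp: "^PermitEmptyPasswords"
      line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
    - regexp: "^ChallengeResponseAuthentication"
      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
    - regexp: "^GSSAPIAuthentication"
      line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
    - regexp: "^X11Forwarding"
      line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
  notify: restart ssh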
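# Grant passwordless sudo to each listed account by managing one line per
# user directly in /etc/sudoers. Skipped entirely when the list is empty.
- name: Add configured user accounts to passwordless sudoers.
  lineinfile:
    dest: /etc/sudoers
    # Match the whole username, not a prefix: a bare '^{{ item }}' also
    # matches any longer name starting with the same characters (adding
    # "al" would rewrite "alice"'s entry). regex_escape keeps characters
    # such as '.' literal; \s covers both a space and a tab after the name.
    regexp: '^{{ item | regex_escape }}\s'
    line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
    state: present
    # visudo refuses a syntactically broken sudoers; without this check a
    # bad line would lock every sudo user out of privilege escalation.
    validate: 'visudo -cf %s'
  with_items: "{{ security_sudoers_passwordless }}"
  when: security_sudoers_passwordless | length > 0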
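# Grant password-prompting sudo to each listed account by managing one line
# per user directly in /etc/sudoers. Skipped entirely when the list is empty.
# A user listed in both security_sudoers_passwordless and
# security_sudoers_passworded ends up with the line written by this task,
# because both tasks match and replace the same line.
- name: Add configured user accounts to passworded sudoers.
  lineinfile:
    dest: /etc/sudoers
    # Match the whole username, not a prefix: a bare '^{{ item }}' also
    # matches any longer name starting with the same characters (adding
    # "al" would rewrite "alice"'s entry). regex_escape keeps characters
    # such as '.' literal; \s covers both a space and a tab after the name.
    regexp: '^{{ item | regex_escape }}\s'
    line: '{{ item }} ALL=(ALL) ALL'
    state: present
    # visudo refuses a syntactically broken sudoers; without this check a
    # bad line would lock every sudo user out of privilege escalation.
    validate: 'visudo -cf %s'
  with_items: "{{ security_sudoers_passworded }}"
  when: security_sudoers_passworded | length > 0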