evolix-users: disable root ssh login by default
parent
8435ac192d
commit
ae4b9675c2
@ -1,3 +1,4 @@
---
evolinux_users: {}
evolinux_sudo_group: "evolinux-sudo"
evolinux_root_disable_ssh: True
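Review bot: The new default is written `True`; yamllint's `truthy` rule and common Ansible style expect the lowercase form, `evolinux_root_disable_ssh: true`. Because this default changes SSH access on every host that takes the role defaults, a comment above it would help, for example `# when true, set PermitRootLogin no and remove root from AllowUsers in sshd_config`.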
@ -15,3 +15,6 @@
user: "{{ item.value }}"
with_dict: "{{ evolinux_users }}"
when: evolinux_users != {}
- include: root_disable_ssh.yml
when: evolinux_root_disable_ssh
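Review bot: The include at the end of this hunk is gated only on `evolinux_root_disable_ssh`, so it runs even when the task above it created no account: with the defaults `evolinux_users: {}` and `evolinux_root_disable_ssh: True` the user task is skipped and root SSH access is still removed. On a host where root is the only SSH login, the sshd reload would leave no remote access. Consider failing early with an explicit message in that case, or gating the include, e.g. `when: evolinux_root_disable_ssh and evolinux_users != {}`, and documenting that another admin account must exist first. The task list starts outside the hunk, so earlier tasks that might create such an account are not visible here.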
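--- a/evolinux-users/tasks/root_disable_ssh.yml
+++ b/evolinux-users/tasks/root_disable_ssh.yml
@@ -0,0 +1,16 @@
+---
+
+- name: disable root login
+replace:
+dest: /etc/ssh/sshd_config
+regexp: '^PermitRootLogin (yes|without-password)'
+replace: "PermitRootLogin no"
+notify: reload sshd
+
+- name: remove root from AllowUsers directive
+replace:
+dest: /etc/ssh/sshd_config
+regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+replace: '\1\4'
+validate: '/usr/sbin/sshd -T -f %s'
+notify: reload sshd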
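Review bot: The `disable root login` task only rewrites an uncommented line whose value is exactly `yes` or `without-password`, so a config that uses `prohibit-password` or `forced-commands-only`, has the directive commented out, or separates keyword and value with a tab is left untouched, and the task reports success while root can still log in. Matching the directive rather than its value closes most of that, e.g. `regexp: '^#?[ \t]*PermitRootLogin[ \t].*$'`, and this task should carry the same `validate: '/usr/sbin/sshd -T -f %s'` as the second one; a file with no PermitRootLogin line at all would still need `lineinfile` or a check of the effective value. In the AllowUsers task the `root` alternatives have no word boundary, so a constructed line `AllowUsers alice rootadmin` becomes `AllowUsers aliceadmin`, which permits a different account name than the one configured. The pattern also removes only the first root entry on a line per run, so a line with several `root@host` entries needs repeated runs before root is fully gone.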