evolix-users: disable root ssh login by default
parent
8435ac192d
commit
ae4b9675c2
|
@ -1,3 +1,4 @@
|
||||||
---
|
---
|
||||||
evolinux_users: {}
|
evolinux_users: {}
|
||||||
evolinux_sudo_group: "evolinux-sudo"
|
evolinux_sudo_group: "evolinux-sudo"
|
||||||
|
evolinux_root_disable_ssh: True
|
||||||
|
|
|
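Review bot: The new default `evolinux_root_disable_ssh: True` carries no comment, although it changes SSH access on every host the role is applied to. A line such as `# When true, set PermitRootLogin to no and remove root from AllowUsers in sshd_config` above it would tell operators what the switch does and what to override. Writing the value as lowercase `true` uses the canonical YAML boolean and avoids yamllint's `truthy` warning.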
@ -15,3 +15,6 @@
|
||||||
user: "{{ item.value }}"
|
user: "{{ item.value }}"
|
||||||
with_dict: "{{ evolinux_users }}"
|
with_dict: "{{ evolinux_users }}"
|
||||||
when: evolinux_users != {}
|
when: evolinux_users != {}
|
||||||
|
|
||||||
|
- include: root_disable_ssh.yml
|
||||||
|
when: evolinux_root_disable_ssh
|
||||||
|
|
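Review bot: The include guarded by the added `when: evolinux_root_disable_ssh` line runs even when `evolinux_users` is still `{}`, the case in which the task just above it is skipped, so the role can close root SSH access without having provisioned any other login. If no other role guarantees an administrative account, consider gating it, e.g. `when: evolinux_root_disable_ssh | bool and evolinux_users != {}`, or failing early with a clear message. The `| bool` filter also keeps a string value passed on the command line from being misread. The task that precedes the include begins outside this hunk, so its behaviour is inferred from the three visible lines.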
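--- /dev/null
+++ b/evolinux-users/tasks/root_disable_ssh.yml
@@ -0,0 +1,16 @@
+---
+
+- name: disable root login
+replace:
+dest: /etc/ssh/sshd_config
+regexp: '^PermitRootLogin (yes|without-password)'
+replace: "PermitRootLogin no"
+notify: reload sshd
+
+- name: remove root from AllowUsers directive
+replace:
+dest: /etc/ssh/sshd_config
+regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+replace: '\1\4'
+validate: '/usr/sbin/sshd -T -f %s'
+notify: reload sshd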
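Review bot: The `disable root login` task only rewrites an uncommented line whose value is exactly `yes` or `without-password`, so a config that uses `prohibit-password`, has the directive commented out, or omits it keeps whatever root access the sshd default permits while the task reports no change. It also lacks the `validate:` check that the AllowUsers task has. Switching to `lineinfile` guarantees that a `PermitRootLogin no` line exists; if the file contains `Match` blocks, confirm the appended line lands before them. Separately, the AllowUsers pattern removes only one `root` entry per line per run and does not match a bare `AllowUsers root` line, which deserves a comment above that task.
```yaml
- name: disable root login
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*PermitRootLogin\s'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
# … unchanged: remove root from AllowUsers directive task …
```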