From c77bc14e95d7bc283ff71ce49b54cccbea47562d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 11 Oct 2017 17:58:42 +0200
Subject: [PATCH] Evolinux: don't remove root from AllowUsers list

---
 evolinux-base/tasks/root.yml | 18 ++++++++++--------
 evolinux-users/tasks/root_disable_ssh.yml | 15 ++++++++-------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 7e79b657..8fb2d113 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -85,16 +85,18 @@
     dest: /etc/ssh/sshd_config
     regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
     replace: "PermitRootLogin no"
-  notify: reload sshd
-  when: evolinux_root_disable_ssh
-
-- name: remove root from AllowUsers directive
-  replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
-    replace: '\1\4'
     validate: '/usr/sbin/sshd -T -f %s'
   notify: reload sshd
   when: evolinux_root_disable_ssh
 
+### Disabled : it seems useless and too dangerous for now
+# - name: remove root from AllowUsers directive
+#   replace:
+#     dest: /etc/ssh/sshd_config
+#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+#     replace: '\1\4'
+#     validate: '/usr/sbin/sshd -T -f %s'
+#   notify: reload sshd
+#   when: evolinux_root_disable_ssh
+
 - meta: flush_handlers
diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml
index f7cd727b..b9fc5708 100644
--- a/evolinux-users/tasks/root_disable_ssh.yml
+++ b/evolinux-users/tasks/root_disable_ssh.yml
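Review bot: The task that now carries `validate` still locates the directive only through `regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'`, so on a host where `PermitRootLogin` is commented out (as a stock Debian sshd_config ships it) or absent, nothing is replaced and root login is left at the daemon's default even though `evolinux_root_disable_ssh` is set. Switching to `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: 'PermitRootLogin no'` would enforce the setting in every case while keeping the `validate` and `notify` lines. The same task pattern is in evolinux-users/tasks/root_disable_ssh.yml (second hunk), which I do not repeat there. The task's `- name:` and `replace:` lines are above this hunk.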
@@ -7,10 +7,11 @@
     replace: "PermitRootLogin no"
   notify: reload sshd
 
-- name: remove root from AllowUsers directive
-  replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
-    replace: '\1\4'
-    validate: '/usr/sbin/sshd -T -f %s'
-  notify: reload sshd
+### Disabled : it seems useless and too dangerous for now
+# - name: remove root from AllowUsers directive
+#   replace:
+#     dest: /etc/ssh/sshd_config
+#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+#     replace: '\1\4'
+#     validate: '/usr/sbin/sshd -T -f %s'
+#   notify: reload sshd
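Review bot: The header `### Disabled : it seems useless and too dangerous for now` above the commented-out block does not record what the danger is, and the same eight commented lines are now duplicated in evolinux-base/tasks/root.yml, so the next reader has to rediscover the reasoning twice. If I read the regexp right, a line such as `AllowUsers root ` (with trailing whitespace) would be rewritten to a bare `AllowUsers` with no users, which is presumably the risk that made the author back out. A comment such as `# Disabled: redundant once PermitRootLogin is no, and the rewrite could leave AllowUsers with no users` would capture that, or the block could be dropped and recovered from git history when needed. The PermitRootLogin task whose `replace:` and `notify:` lines open this hunk starts outside it.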