Move PermitRootLogin to another file
Debian >= 12.
This commit is contained in:
parent
5265119912
commit
ec34d8afe1
|
@ -97,7 +97,21 @@
|
|||
replace: "PermitRootLogin no"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: disable SSH access for root (Debian <= 12)
|
||||
replace:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
line: "PermitRootLogin no"
|
||||
create: yes
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
|
||||
### Disabled : it seems useless and too dangerous for now
|
||||
# - name: remove root from AllowUsers directive
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -14,7 +14,7 @@
|
|||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowUsers' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -62,6 +62,19 @@
|
|||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: disable root login (Debian <= 12)
|
||||
replace:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
line: "PermitRootLogin no"
|
||||
create: yes
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
Loading…
Reference in a new issue