Move PermitRootLogin to another file
Debian >= 12.
parent
5265119912
commit
ec34d8afe1
|
@ -97,7 +97,21 @@
|
||||||
replace: "PermitRootLogin no"
|
replace: "PermitRootLogin no"
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: evolinux_root_disable_ssh | bool
|
when:
|
||||||
|
- evolinux_root_disable_ssh | bool
|
||||||
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
|
||||||
|
- name: disable SSH access for root (Debian <= 12)
|
||||||
|
replace:
|
||||||
|
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||||
|
line: "PermitRootLogin no"
|
||||||
|
create: yes
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- evolinux_root_disable_ssh | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
|
||||||
### Disabled : it seems useless and too dangerous for now
|
### Disabled : it seems useless and too dangerous for now
|
||||||
# - name: remove root from AllowUsers directive
|
# - name: remove root from AllowUsers directive
|
||||||
|
|
|
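Review bot: The added task `disable SSH access for root (Debian <= 12)` calls `replace:` with `line:` and `create:`, which are `lineinfile` parameters; `replace` requires `regexp` and accepts neither, so on Debian 12 hosts the task should fail and `PermitRootLogin no` is never written. Switching the module to `ansible.builtin.lineinfile:` keeps the remaining arguments valid as written. The name also says `<= 12` while the condition is `version('12', '>=')`, so `(Debian >= 12)` would match what the task does. The same task appears in the last hunk of the other file as `disable root login (Debian <= 12)` and needs the same two changes. Because sshd keeps the first value it reads for a keyword, a drop-in sorted last as `z-…` loses to any earlier drop-in that sets PermitRootLogin; if that is not intended, a check of the effective value with `sshd -T` after the reload would catch it.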
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
- name: verify AllowGroups directive
|
- name: verify AllowGroups directive
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
- name: verify AllowUsers directive
|
- name: verify AllowUsers directive
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
cmd: "grep -Er '^AllowUsers' /etc/ssh"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
@ -62,6 +62,19 @@
|
||||||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
replace: "PermitRootLogin no"
|
replace: "PermitRootLogin no"
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: evolinux_root_disable_ssh | bool
|
when:
|
||||||
|
- evolinux_root_disable_ssh | bool
|
||||||
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
|
||||||
|
- name: disable root login (Debian <= 12)
|
||||||
|
replace:
|
||||||
|
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||||
|
line: "PermitRootLogin no"
|
||||||
|
create: yes
|
||||||
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when:
|
||||||
|
- evolinux_root_disable_ssh | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
- ansible.builtin.meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
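Review bot: `grep -Er '^AllowGroups' /etc/ssh` in the first hunk, and the `AllowUsers` variant in the second, now match every file under /etc/ssh, so a leftover backup copy of sshd_config or a file that sshd does not include can report a directive that is not in effect. With `-r` each output line is also prefixed by the file name, which matters if later tasks, outside these hunks, read `stdout` rather than only `rc`. Limiting the search to what sshd reads, e.g. `cmd: "grep -Er '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"`, narrows both problems.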