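---
# Host keys: uncomment the HostKey lines for the key types sshd should offer.
# NOTE(review): per sshd_config(5), the built-in default key set only applies
# when no HostKey directive is present; once these two lines are active, only
# the RSA and Ed25519 keys are served (no ECDSA host key).
# backrefs: true makes lineinfile rewrite the line only when the regexp
# matches, so an already-uncommented HostKey line is left alone (idempotent).
- name: Disable legacy ssh algorithms
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#(HostKey {{ item }})$"
    line: '\1'
    backrefs: true
    # sshd -t on the temp copy rejects a broken config before it is written.
    validate: '/usr/sbin/sshd -f %s -t'
  loop:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_ed25519_key
  notify:
    - restart sshd
  tags:
    - pkg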
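# Listen on every port in the loop. The regexp matches both "#Port N" and
# "Port N", so the stock commented "#Port 22" is uncommented in place; a port
# with no existing line is appended after the last "Port N" line
# (insertafter uses the last match), keeping the Port directives together.
- name: Activate specific SSH ports
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?(Port {{ item }})$"
    insertafter: "^Port [0-9]+$"
    line: "Port {{ item }}"
    # sshd -t on the temp copy rejects a broken config before it is written.
    validate: '/usr/sbin/sshd -f %s -t'
  loop:
    - 22
    - 622
  notify:
    - restart sshd
  tags:
    - pkg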
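# Turn off password-based logins so only key-based authentication remains.
# The regexp tolerates a leading "#" and spaces, so a commented-out default
# is replaced rather than duplicated.
# NOTE(review): lineinfile rewrites the *last* match in the file; if the
# directive also appears inside a "Match" block, that occurrence is the one
# changed and the global setting is left as is — confirm on the target hosts.
# NOTE(review): OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication (the old name is still accepted as an alias);
# a stock config on newer releases may carry the new spelling instead, which
# this regexp would not match — verify against the installed version.
- name: Disable ssh password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#? *{{ item.regexp }}"
    line: "{{ item.line }}"
    # sshd -t on the temp copy rejects a broken config before it is written.
    validate: '/usr/sbin/sshd -f %s -t'
  loop:
    - regexp: "ChallengeResponseAuthentication"
      line: "ChallengeResponseAuthentication no"
    - regexp: "PasswordAuthentication"
      line: "PasswordAuthentication no"
  notify:
    - restart sshd
  tags:
    - pkg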