
Add validate option to lineinfile module to edit the sshd config file in chapter 10 #273

Closed
geerlingguy opened this issue May 20, 2020 · 3 comments

Comments

@geerlingguy
Owner

geerlingguy commented May 20, 2020

To prevent users from blowing up their SSH server configuration and locking themselves out of their servers, we can add a `validate` option to the lineinfile example modifying the sshd_config file in Chapter 10. For example, we created the following task in the May 20 Ansible 101 livestream (see #269):

    - name: Make sure SSH is more secure.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        validate: 'sshd -t -f %s'
      with_items:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^Port"
          line: "Port 2849"
      notify: restart ssh
@FinalDes

FinalDes commented May 21, 2020

Need to check that the sshd service is started before running the command, otherwise there will be an error;
my molecule test fails because the sshd service is not started.

    - name: start sshd service
      become: true
      systemd:
        name: sshd
        state: started

@FinalDes

FinalDes commented May 21, 2020

Planning to add https://github.com/jtesta/ssh-audit to check whether SSH is secure or not.
`PasswordAuthentication no` requires additional checks. Need to check that a public key is installed first, otherwise you cannot access the SSH server.

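The two safeguards discussed in this thread (the `validate` option in the issue's task, and the public-key precheck from the comment above) can be exercised outside Ansible. The following is an added Python example written for this page; it is not code from the book, from the ansible-for-devops repository, or from Ansible itself. It approximates lineinfile's `state: present` behaviour, honours a validate command with the same `%s` placeholder convention Ansible uses, swaps the new file in only after the validator exits 0, and refuses to disable password authentication when no key is installed. The sample sshd_config, the placeholder key line and all function names are the example's own assumptions.

```python
import os
import re
import shlex
import shutil
import subprocess
import tempfile

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config, not a real host's file
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
"""

# The three (regexp, line) edits from the issue's lineinfile task.
HARDENING_EDITS = [
    (r"^PasswordAuthentication", "PasswordAuthentication no"),
    (r"^PermitRootLogin", "PermitRootLogin no"),
    (r"^Port", "Port 2849"),
]

def lineinfile(content, regexp, line):
    """Approximate lineinfile state=present: replace the last line matching
    regexp, append `line` if nothing matches. Returns (content, changed)."""
    pattern = re.compile(regexp)
    lines = content.splitlines()
    hits = [i for i, text in enumerate(lines) if pattern.search(text)]
    if hits and lines[hits[-1]] == line:
        return content, False
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n", True

def edit_with_validate(path, edits, validate):
    """Apply edits to a temp copy and install it only if the validator accepts
    it. `validate` is a command string with a %s placeholder for the temp file
    (the form Ansible's validate option takes, e.g. 'sshd -t -f %s') or a
    callable returning an exit status. On rejection the original is kept."""
    with open(path) as f:
        new_content = f.read()
    changed = False
    for regexp, line in edits:
        new_content, hit = lineinfile(new_content, regexp, line)
        changed = changed or hit
    if not changed:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_content)
        if callable(validate):
            rc = validate(tmp)
        else:
            cmd = shlex.split(validate.replace("%s", shlex.quote(tmp)))
            rc = subprocess.run(cmd, capture_output=True).returncode
        if rc != 0:
            raise RuntimeError(f"validator rejected new {path} (exit {rc}); original kept")
        shutil.copymode(path, tmp)
        os.replace(tmp, path)  # atomic swap, only after validation passed
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return True

def key_auth_ready(authorized_keys_path):
    """Refuse to disable password logins unless a public key is installed."""
    try:
        with open(authorized_keys_path) as f:
            return any(l.strip() and not l.lstrip().startswith("#") for l in f)
    except FileNotFoundError:
        return False

def harden_sshd(config_path, authorized_keys_path, validate="sshd -t -f %s"):
    """Key precheck first, then the issue's edits under validation."""
    if not key_auth_ready(authorized_keys_path):
        raise RuntimeError(f"no public key in {authorized_keys_path}; "
                           "PasswordAuthentication no would lock you out")
    return edit_with_validate(config_path, HARDENING_EDITS, validate)

def make_sample_files(with_key=True):
    """Write the constructed sample config and authorized_keys to a fresh temp
    directory; returns (config_path, authorized_keys_path)."""
    d = tempfile.mkdtemp()
    cfg, keys = os.path.join(d, "sshd_config"), os.path.join(d, "authorized_keys")
    with open(cfg, "w") as f:
        f.write(SAMPLE_SSHD_CONFIG)
    with open(keys, "w") as f:  # placeholder key text, not real key material
        f.write("ssh-ed25519 AAAAC3PLACEHOLDER demo@example\n" if with_key else "# none\n")
    return cfg, keys

if __name__ == "__main__":
    cfg, keys = make_sample_files()
    # grep stands in for 'sshd -t -f %s' so the demo runs without sshd installed.
    print("changed:", harden_sshd(cfg, keys, validate='grep -q "^Port 2849" %s'))
    print(open(cfg).read())
```

Running the file shows the demo with grep as a stand-in validator; on a real host pass `validate='sshd -t -f %s'` exactly as in the task above. Note that `sshd -t` checks syntax only: a syntactically valid config that turns off password authentication with no key installed is still a lockout, which is why the key check runs before any edit is attempted.
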
@geerlingguy
Owner Author

Fixed in the book's manuscript. Will be in the next book version.
