remove ssh password option via cloudinit
dtork committed Nov 22, 2023
1 parent 6aa2e16 commit b3866d5
Showing 2 changed files with 10 additions and 0 deletions.
9 changes: 9 additions & 0 deletions tasks/ssh.yml
Expand Up @@ -31,6 +31,15 @@
line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
notify: restart ssh

- name: Ensure cloud-init conf does not still allow passwords anyway. # https://askubuntu.com/a/1488143
lineinfile:
dest: "{{ security_ssh_cloudinit_config_path }}"
regexp: "^PasswordAuthentication"
state: absent
validate: 'sshd -T -f %s'
mode: 0600
notify: restart ssh

- name: Add configured users allowed to connect over ssh
lineinfile:
dest: "{{ security_ssh_config_path }}"
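
Review bot: the regexp "^PasswordAuthentication" in the new cloud-init task matches the keyword only in that exact case and only at the start of the line, while sshd treats keywords case-insensitively and ignores leading whitespace, so a line such as "passwordauthentication yes" or an indented one would be left in place. Consider regexp: '(?i)^\s*PasswordAuthentication\b'. Separately, validate runs "sshd -T -f %s" against the drop-in fragment alone, which confirms that the fragment parses but not that the merged configuration ends up with password authentication disabled; a follow-up task that checks the effective value reported by sshd -T for the full configuration would cover that.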
1 change: 1 addition & 0 deletions vars/Debian.yml
@@ -1,3 +1,4 @@
---
security_ssh_config_path: /etc/ssh/sshd_config
security_ssh_cloudinit_config_path: /etc/ssh/sshd_config.d/50-cloud-init.conf
security_sshd_name: ssh
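
Review bot: security_ssh_cloudinit_config_path is defined here in vars/Debian.yml, but the task that uses it in tasks/ssh.yml carries no "when" condition, so on any platform whose vars file does not also define it the play will fail on an undefined variable. Either give the variable a default alongside the role's other defaults or guard the task with "when: security_ssh_cloudinit_config_path is defined". A short comment noting that 50-cloud-init.conf is the drop-in written by cloud-init would also help the next reader understand why this particular file is singled out.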
