From b3866d51b2d172dbfb32b8e087a441b56f52e07f Mon Sep 17 00:00:00 2001
From: dtork
Date: Wed, 22 Nov 2023 10:16:08 -0500
Subject: [PATCH] remove ssh password option via cloudinit
---
 tasks/ssh.yml | 9 +++++++++
 vars/Debian.yml | 1 +
 2 files changed, 10 insertions(+)
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
index 75d1f4e..e86dbe2 100644
--- a/tasks/ssh.yml
+++ b/tasks/ssh.yml
@@ -31,6 +31,15 @@
 line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
 notify: restart ssh

+- name: Ensure cloud-init conf does not still allow passwords anyway. # https://askubuntu.com/a/1488143
+ lineinfile:
+ dest: "{{ security_ssh_cloudinit_config_path }}"
+ regexp: "^PasswordAuthentication"
+ state: absent
+ validate: 'sshd -T -f %s'
+ mode: 0600
+ notify: restart ssh
+
 - name: Add configured users allowed to connect over ssh
 lineinfile:
 dest: "{{ security_ssh_config_path }}"
diff --git a/vars/Debian.yml b/vars/Debian.yml
index c66e186..80ca5c7 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,3 +1,4 @@
 ---
 security_ssh_config_path: /etc/ssh/sshd_config
+security_ssh_cloudinit_config_path: /etc/ssh/sshd_config.d/50-cloud-init.conf
 security_sshd_name: ssh
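Review bot: `mode: 0600` in the new lineinfile task is an unquoted octal that YAML 1.1 parsers read as the integer 384; Ansible documents that octal modes should be passed as quoted strings, so write `mode: "0600"`. `security_ssh_cloudinit_config_path` is introduced only in vars/Debian.yml (the second hunk), so if the role also loads per-distribution vars files for other platforms this task will fail there with an undefined variable unless a default exists elsewhere — either add the default or guard the task with `when: security_ssh_cloudinit_config_path is defined`. The removal is also only as durable as cloud-init allows: if cloud-init re-runs its ssh configuration it may regenerate the drop-in, so the task deserves a comment such as `# Complements, does not replace, disabling password auth in cloud-init itself (ssh_pwauth)` so the next maintainer does not treat this as the sole control. `validate: 'sshd -T -f %s'` checks the drop-in in isolation, which catches syntax errors but says nothing about the merged configuration; that is acceptable here but worth a short comment as well.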