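---
# Tasks file (no `hosts:` key, so it is meant to be pulled in with
# import_tasks/include_tasks or from a role). It rewrites /etc/ssh/sshd_config
# from scratch so that sshd trusts keys signed by the user CA shipped below,
# then rate-limits the ssh port with ufw and switches the firewall on.
#
# The task name also mentions "password with 2nd factor"; nothing in this file
# configures that path (PasswordAuthentication is turned off and no PAM /
# keyboard-interactive settings are written), so either adjust the name or add
# those tasks deliberately.
#
# Lock-out risk: every task runs on the host you are currently connected to
# over ssh. Make sure the Ansible user can already authenticate with a
# CA-signed certificate and keep an out-of-band console for the first run.
- name: setup ssh with signed keys only or password with 2nd factor
  become: true
  become_method: sudo
  block:
    # Start from an empty file so distro defaults (including an
    # `Include /etc/ssh/sshd_config.d/*.conf` line where the distro ships one)
    # cannot override the settings written further down. Side effect: this
    # task reports "changed" on every run, so the file is not idempotent.
    - name: delete sshd_config file
      file:
        state: absent
        path: /etc/ssh/sshd_config

    - name: create empty sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        line: '# mini ssh config'
        create: true

    # Public half of the user CA. It is not secret, but it must stay
    # root-owned and non-writable by others: anyone who can edit this file
    # can mint keys that sshd will accept.
    - name: copy trusted user ca key to server
      copy:
        src: id_ecdsa_sk.pub
        dest: "/etc/ssh/id_ecdsa_sk.pub"
        mode: "0600"  # quoted: an unquoted 0600 is an octal literal to the YAML parser

    # Notes on the config block:
    # - NOTE(review): per-user ~/.ssh/authorized_keys files are still honoured
    #   (AuthorizedKeysFile keeps its default), so this is not strictly
    #   "signed keys only". Adding `AuthorizedKeysFile none` closes that, but
    #   only after the controller itself logs in with a CA-signed certificate.
    # - RhostsRSAAuthentication is a protocol-1-era keyword; current OpenSSH
    #   releases appear to accept it only as a deprecated option with a
    #   warning — confirm on the target before relying on it.
    # - The Subsystem path is the Debian/Ubuntu location of sftp-server;
    #   other distributions install it elsewhere (e.g. under /usr/libexec).
    # - AllowUsers is hard-coded to a single account; every other user,
    #   root included, is refused before authentication.
    - name: create new sshd_config
      blockinfile:
        path: /etc/ssh/sshd_config
        # Syntax-check the candidate file before it replaces the live one; a
        # typo in the block would otherwise leave sshd unable to start after
        # the restart below and lock everyone out.
        validate: /usr/sbin/sshd -t -f %s
        block: |
          PermitRootLogin no
          PasswordAuthentication no
          TrustedUserCAKeys /etc/ssh/id_ecdsa_sk.pub
          PubkeyAuthentication yes
          RhostsRSAAuthentication no
          AcceptEnv LANG LC_*
          Subsystem sftp /usr/lib/openssh/sftp-server
          AllowUsers m

    # The ssh rule is written before the firewall is enabled so that turning
    # ufw on (its stock default policy denies incoming traffic) cannot cut off
    # the current session. `limit` rate-limits new connections per source,
    # which blunts brute-force attempts without blocking legitimate logins.
    - name: limit ssh access
      ufw:
        rule: limit
        port: ssh
        proto: tcp

    # Existing sessions survive an sshd restart; only new connections pick up
    # the rewritten config.
    - name: restart sshd
      systemd:
        state: restarted
        daemon_reload: true
        name: sshd

    - name: enable UFW
      ufw:
        state: enabled
...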