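---
# Harden sshd on all hosts: install root's authorized keys, drop in config
# fragments that disable password logins and weak MACs, check the resulting
# configuration, then restart the service.
#
# NOTE(review): sshd uses the first value it obtains for each keyword, and
# drop-in files are read in lexical order. An earlier-sorted fragment in
# /etc/ssh/sshd_config.d/ that sets PasswordAuthentication would take
# precedence over 90-deny-password.conf. The check before the restart
# catches that case instead of leaving it silently ineffective.
- name: SSH configuration
  hosts: all
  tasks:
    # Keys go in first: if this task fails the play stops before any
    # password-denying fragment is written, so a later sshd restart or
    # reboot cannot leave the host without a working login method.
    - name: Install authorized keys
      ansible.builtin.copy:
        src: authorized_keys
        dest: /root/.ssh/
        owner: root
        mode: '0600'
        directory_mode: '0700'

    # NOTE(review): this turns off the "password" method only. Whether
    # keyboard-interactive (PAM) prompts remain available depends on the
    # rest of the host's sshd configuration - confirm separately.
    - name: SSH hardening - Deny password authentication
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/90-deny-password.conf
        owner: root
        mode: '0600'
        content: 'PasswordAuthentication no'

    # The leading '-' removes the listed algorithms from sshd's default MAC
    # set rather than replacing the whole set.
    - name: SSH hardening - Deny weak Message Authentication Code Algorithms
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/80-deny-insecure-mac.conf
        owner: root
        mode: '0600'
        content: 'MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1'

    # 'sshd -T' validates the full configuration and prints the effective
    # settings. A syntax error makes it exit non-zero, which stops the play
    # before the restart below can take down a working daemon.
    - name: Validate sshd configuration and read effective settings
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false
      check_mode: false

    - name: Confirm password authentication is effectively disabled
      ansible.builtin.assert:
        that:
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
        fail_msg: >-
          PasswordAuthentication is still enabled in the effective sshd
          configuration; an earlier setting is overriding
          90-deny-password.conf.

    - name: Restart sshd to apply changes
      ansible.builtin.systemd:
        name: ssh.service
        state: restarted
        enabled: true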