| field | value | date |
|---|---|---|
| author | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2022-10-20 19:03:19 +0000 |
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2022-10-22 17:58:21 +0200 |
| commit | 37c1ff77fb2afdaecd01148df57a0cb21ac9e495 | |
| tree | 32aee1d411c3caee0021b14bc8221469c2fe5534 | |
| parent | 80c6cf0de448f8fdf10c1e4be82cc7e0ef42abc5 | |
fedora: sshd: only allow publickey authentication
"PasswordAuthentication no" only prevents password logins
from ever being successful, but it still entertains clients
with the possibility of password logins.
This reduces the offered authentication methods from:
debug1: Authentications that can continue: publickey,password
to just publickey:
debug1: Authentications that can continue: publickey
After which most bots just disconnect.
Esmil: simplified so we only need one lineinfile stanza
-rw-r--r-- | roles/fedora/tasks/sshd.yml | 4 |
1 files changed, 4 insertions, 0 deletions
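To check on a host what the commit message describes, here is an added Python example (not part of this commit or of the labitat-ansible repository). It does two things: it extracts the advertised method list from the `debug1: Authentications that can continue:` line of `ssh -v` output, and it resolves the effective global value of `AuthenticationMethods` from sshd_config using sshd's first-obtained-value rule, following `Include` globs and stopping at the first `Match` block. The sshd_config contents, the drop-in file name `50-example.conf` and the two `ssh -v` transcripts are constructed for the example.

```python
from __future__ import annotations

import fnmatch
import re

# Constructed `ssh -v` client output (not captured from any real host): the two
# "Authentications that can continue" lines quoted in the commit message.
SSH_V_BEFORE = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
"""
SSH_V_AFTER = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
"""

# Constructed sshd configuration (assumed content, not any host's real files).
# The drop-in is pulled in by Include *before* the lines the Ansible task manages.
SSHD_FILES = {
    "/etc/ssh/sshd_config": """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
GSSAPIAuthentication no
Match User backup
    PasswordAuthentication yes
""",
    "/etc/ssh/sshd_config.d/50-example.conf": "GSSAPIAuthentication yes\n",
}

AUTH_LINE = re.compile(r"^debug1: Authentications that can continue: (\S+)$", re.M)


def offered_auth_methods(ssh_verbose_output: str) -> list[str]:
    """Methods the server advertised in the first 'Authentications that can continue' line.

    The first such line follows the client's initial 'none' attempt and therefore lists
    every method the server is willing to offer; later lines repeat it per failed attempt.
    """
    found = AUTH_LINE.search(ssh_verbose_output)
    return found.group(1).split(",") if found else []


def effective_sshd_options(files: dict[str, str], path: str = "/etc/ssh/sshd_config") -> dict[str, str]:
    """Global keyword values as sshd resolves them, from a mapping of path -> file text.

    Rules applied: the first value obtained for a keyword wins, keywords are
    case-insensitive, '#' comments and blank lines are skipped, 'Include' globs are
    expanded in sorted order at the point they appear, and parsing stops at the first
    'Match' line because everything after it is conditional rather than global.
    """
    options: dict[str, str] = {}
    _read_global(files, path, options, seen=set())
    return options


def _read_global(files: dict[str, str], path: str, options: dict[str, str], seen: set[str]) -> bool:
    """Fill `options` from one file; return True once a Match block ends global scope."""
    if path in seen:  # guard against Include loops
        return False
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return True
        if key == "include":
            for pattern in value.split():
                for included in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    if _read_global(files, included, options, seen):
                        return True
            continue
        options.setdefault(key, value)  # first obtained value wins
    return False


def publickey_only(files: dict[str, str]) -> bool:
    """True when every alternative in AuthenticationMethods is exactly 'publickey'.

    AuthenticationMethods lists alternatives separated by spaces, each a comma-separated
    chain; its default 'any' advertises whatever methods are individually enabled.
    """
    methods = effective_sshd_options(files).get("authenticationmethods", "any")
    alternatives = methods.split()
    return bool(alternatives) and all(a == "publickey" for a in alternatives)


if __name__ == "__main__":
    print("before:", offered_auth_methods(SSH_V_BEFORE))
    print("after: ", offered_auth_methods(SSH_V_AFTER))
    print("effective:", effective_sshd_options(SSHD_FILES))
    print("publickey only:", publickey_only(SSHD_FILES))
```

On a live host, feed the stderr of `ssh -v -o BatchMode=yes user@host exit 2>&1` to `offered_auth_methods`, and compare with `sshd -T` on the server, which prints the values sshd actually resolved; the parser above models only the global section and is meant to show why a drop-in included above the managed lines wins over them.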
diff --git a/roles/fedora/tasks/sshd.yml b/roles/fedora/tasks/sshd.yml index fc46c07..163a6af 100644 --- a/roles/fedora/tasks/sshd.yml +++ b/roles/fedora/tasks/sshd.yml @@ -28,11 +28,15 @@ path: '/etc/ssh/sshd_config' regexp: '{{ item.regexp }}' line: '{{ item.line }}' + insertafter: '{{ (item.insertafter is string)|ternary(item.insertafter,omit) }}' with_items: - regexp: '^#*PermitRootLogin' line: 'PermitRootLogin no' - regexp: '^#*PasswordAuthentication' line: 'PasswordAuthentication no' + - regexp: '^#*AuthenticationMethods' + line: 'AuthenticationMethods publickey' + insertafter: '^#*PasswordAuthentication' - regexp: '^#*GSSAPIAuthentication' line: 'GSSAPIAuthentication no' notify: restart sshd |
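Review bot: the placement of the new `AuthenticationMethods publickey` line depends on item order, since `insertafter: '^#*PasswordAuthentication'` only finds its anchor because the `PasswordAuthentication no` item is processed earlier in the same `with_items` list; a comment on the list would protect that, because without a match `lineinfile` appends at end of file, and a line appended after any `Match` block in sshd_config becomes conditional instead of global. The expression `insertafter: '{{ (item.insertafter is string)|ternary(item.insertafter,omit) }}'` can be written with the documented idiom `insertafter: '{{ item.insertafter | default(omit) }}'`, which reads more clearly. Two checks worth recording in the task or commit message: sshd keeps the first value it obtains for each keyword, so if this file has an `Include` above the managed lines, a drop-in that sets `AuthenticationMethods` or `GSSAPIAuthentication` overrides them (`sshd -T` on the host shows the effective values); and once the change is active only accounts with an authorized key can log in, so key deployment must complete before the `restart sshd` handler runs.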