From 37c1ff77fb2afdaecd01148df57a0cb21ac9e495 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Asbj=C3=B8rn=20Sloth=20T=C3=B8nnesen?= Date: Thu, 20 Oct 2022 19:03:19 +0000 Subject: fedora: sshd: only allow publickey authentication "PasswordAuthentication no" only prevents password logins from ever being successful, but it still entertain clients with the possiblity of password logins. This reduces the offered authentication methods from: debug1: Authentications that can continue: publickey,password to just publickey: debug1: Authentications that can continue: publickey After which most bots just disconnects. Esmil: simplified so we only need one lineinfile stanza
---
 roles/fedora/tasks/sshd.yml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'roles/fedora')
diff --git a/roles/fedora/tasks/sshd.yml b/roles/fedora/tasks/sshd.yml
index fc46c07..163a6af 100644
--- a/roles/fedora/tasks/sshd.yml
+++ b/roles/fedora/tasks/sshd.yml
@@ -28,11 +28,15 @@
 path: '/etc/ssh/sshd_config'
 regexp: '{{ item.regexp }}'
 line: '{{ item.line }}'
+ insertafter: '{{ (item.insertafter is string)|ternary(item.insertafter,omit) }}'
 with_items:
 - regexp: '^#*PermitRootLogin'
 line: 'PermitRootLogin no'
 - regexp: '^#*PasswordAuthentication'
 line: 'PasswordAuthentication no'
+ - regexp: '^#*AuthenticationMethods'
+ line: 'AuthenticationMethods publickey'
+ insertafter: '^#*PasswordAuthentication'
 - regexp: '^#*GSSAPIAuthentication'
 line: 'GSSAPIAuthentication no'
 notify: restart sshd
-- cgit v1.2.1
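Review bot: Nothing in this hunk checks that the added `AuthenticationMethods publickey` line ends up as the effective global policy, and this file gates remote access to the host. sshd keeps the first value it reads for a keyword, and a line placed after a `Match` block applies only inside that block, so where `insertafter` lands decides whether the setting takes effect. Consider adding `validate: '/usr/sbin/sshd -t -f %s'` to the task, unless it is already set above the hunk, since the task starts outside it. A follow-up task could also assert that `sshd -T` reports `authenticationmethods publickey`. As a smaller style point, `insertafter: '{{ item.insertafter | default(omit) }}'` states the optional key more directly than the `is string`/`ternary` form.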