
Any 2FA solution will most likely need to modify sshd_config, so in preparation for that, let's change the file in place instead of overwriting it completely.

Justin Plock 10 anni fa
parent
commit
89f018bd23

+ 2
- 3
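--- a/roles/common/tasks/security.yml
+++ b/roles/common/tasks/security.yml
@@ -13,7 +13,6 @@
   copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf
   notify: restart fail2ban
 
-- name: Copy sshd_config into place
-  template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
+- name: Update sshd config to disallow root logins
+  lineinfile: dest=/etc/ssh/sshd_config regexp=^PermitRootLogin line="PermitRootLogin no" state=present
   notify: restart ssh
-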
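Review bot: The new `lineinfile` task enforces only `PermitRootLogin no`, so the other settings the removed template pinned (notably `PasswordAuthentication no` and `PermitEmptyPasswords no`) now depend on whatever sshd_config the host already has. A freshly provisioned machine may therefore accept password logins again. Unless the planned 2FA setup deliberately changes it, I would keep password authentication managed in the same style, e.g. `lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PasswordAuthentication" line="PasswordAuthentication no" state=present`. The pattern `^PermitRootLogin` also does not match a commented-out default, so the line is then appended at the end of the file, where it would fall inside a trailing `Match` block if one exists. Using `regexp="^#?PermitRootLogin"` and adding `validate='/usr/sbin/sshd -t -f %s'` would make the in-place edit safer before the `restart ssh` handler runs.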

+ 0
- 87
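--- a/roles/common/templates/etc_ssh_sshd_config.j2
+++ b/roles/common/templates/etc_ssh_sshd_config.j2
@@ -1,87 +0,0 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin no
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile	%h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes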
