From 2a52041ab3b15d4639411e9775734998122c9874 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Thu, 2 Mar 2023 15:45:22 +0100
Subject: [PATCH] feat: prohibit SSH login with anything other than publickey
 and for certain users

---
 tasks/configure_ssh_hardening.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/configure_ssh_hardening.yml b/tasks/configure_ssh_hardening.yml
index cbc8cdc..f96eff9 100644
--- a/tasks/configure_ssh_hardening.yml
+++ b/tasks/configure_ssh_hardening.yml
@@ -34,11 +34,11 @@
       PermitRootLogin no
       # PermitRootLogin forced-commands-only
       # AllowUsers root lza import
-      # DenyUsers slub
+      DenyUsers dps
       # DenyUsers import
       # AllowGroups example1 example2
       # DenyGroups example1 example2
-      # AuthenticationMethods any
+      AuthenticationMethods publickey
       LoginGraceTime 2m
       PermitEmptyPasswords no
       PrintLastLog yes
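Review bot: `DenyUsers dps` on the new side hard-codes a site-specific account name into the role's sshd_config text, so every consumer of this role inherits that deny rule; a role variable with an empty default (say `ssh_deny_users`), rendered as `DenyUsers {{ ssh_deny_users | join(' ') }}` only when the list is non-empty, would keep the policy in inventory rather than in the task. The other changed pair switches `AuthenticationMethods` from `any` to `publickey`, which refuses password and keyboard-interactive logins on every managed host at once, so I would confirm that each account that still needs access has an authorized key deployed before the new file takes effect. If the task that writes this block scalar does not already do so, passing `validate: '/usr/sbin/sshd -t -f %s'` would stop a malformed config from being installed and locking you out. The enclosing task and its block scalar begin before this hunk.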
@@ -47,7 +47,7 @@
       ClientAliveCountMax 2
       MaxAuthTries 3
       TCPKeepAlive no
-      {{ "PasswordAuthentication no" if ansible_os_family == "Debian" else "PasswordAuthentication yes" }}
+      PasswordAuthentication no
       # disable weak host key algorithm ssh-dss (Digital Signature Algorithm (DSA) / Digital Signature Standard (DSS))
       # NVT OID: 1.3.6.1.4.1.25623.1.0.117687
       HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
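Review bot: Dropping the `ansible_os_family` conditional turns `PasswordAuthentication` off on non-Debian hosts that previously kept it on, so any account there that still relies on a password loses access once sshd picks up the new file; the first hunk's `AuthenticationMethods publickey` already has that effect, so the two changes are consistent, but the commit message should state that the non-Debian exception is removed on purpose. If some hosts need password logins during a transition, a variable such as `ssh_password_authentication` defaulting to `no` would keep that knob without the inline Jinja. Unrelated to this change, the `HostKeyAlgorithms` context line still lists `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, whose signatures use SHA-1, while the comment above it only mentions removing ssh-dss; that looks worth a follow-up. The enclosing block scalar starts before this hunk.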
-- 
GitLab