From f31dc3c93c0dd2a777909ae3f6d04a7e1624cded Mon Sep 17 00:00:00 2001
From: Chris Hines <chris.hines@monash.edu>
Date: Mon, 11 Feb 2019 10:49:03 +1100
Subject: [PATCH] add a role that disables both password and challenge response

---
 roles/ssh-nopassword-login/handlers/main.yml |  9 ++++++++
 roles/ssh-nopassword-login/tasks/main.yml    | 24 ++++++++++++++++++++
 roles/ssh-nopassword-login/tasks/main.yml~   | 24 ++++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 roles/ssh-nopassword-login/handlers/main.yml
 create mode 100644 roles/ssh-nopassword-login/tasks/main.yml
 create mode 100644 roles/ssh-nopassword-login/tasks/main.yml~

diff --git a/roles/ssh-nopassword-login/handlers/main.yml b/roles/ssh-nopassword-login/handlers/main.yml
new file mode 100644
index 00000000..df0d3dee
--- /dev/null
+++ b/roles/ssh-nopassword-login/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: "restart sshd"
+  service: name=sshd state=restarted
+  sudo: true
+  when: ansible_os_family == "RedHat"
+
+- name: "restart ssh"
+  service: name=ssh state=restarted
+  sudo: true
+  when: ansible_os_family == "Debian"
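Review bot: On a host whose `ansible_os_family` is neither "RedHat" nor "Debian", both handlers are skipped, so the edited sshd_config is never reloaded and password login stays available until something else restarts the daemon. Consider one handler that takes the service name from a per-family variable, or make the role fail on unsupported families instead of silently doing nothing. `sudo: true` is the deprecated spelling and was dropped in later Ansible releases; `become: true` is the replacement, and the same applies to the tasks file. The `name=sshd state=restarted` string form would also read better as native YAML keys (`name: sshd`, `state: restarted`).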
diff --git a/roles/ssh-nopassword-login/tasks/main.yml b/roles/ssh-nopassword-login/tasks/main.yml
new file mode 100644
index 00000000..f8594e19
--- /dev/null
+++ b/roles/ssh-nopassword-login/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: "Disable Challenge Response"
+  lineinfile:
+  args:
+    dest: /etc/ssh/sshd_config
+    regexp: "ChallengeResponseAuthentication yes"
+    line: "ChallengeResponseAuthentication no" 
+    backrefs: yes
+  sudo: true
+  notify: 
+  - restart sshd
+  - restart ssh
+
+- name: "Disable Password"
+  lineinfile:
+  args:
+    dest: /etc/ssh/sshd_config
+    regexp: "PasswordAuthentication yes"
+    line: "PasswordAuthentication no"
+    backrefs: yes
+  sudo: true
+  notify: 
+  - restart sshd
+  - restart ssh
+
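Review bot: Both tasks fail open, because with `backrefs: yes` lineinfile leaves the file untouched when the regexp does not match. A config that omits the directive, separates keyword and value with a tab or several spaces, or uses the newer `KbdInteractiveAuthentication` name is reported as ok while sshd keeps its effective default. Dropping `backrefs` and matching the keyword itself, e.g. `regexp: '^#?\s*PasswordAuthentication\s'`, lets the module rewrite the line or append it when absent. Adding `validate: '/usr/sbin/sshd -t -f %s'` keeps a broken config from being installed ahead of the restart handler. An appended line lands at end of file, which may fall inside a trailing `Match` block, so `insertbefore` probably needs setting as well; a final check of `sshd -T` output would confirm the effective values.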
diff --git a/roles/ssh-nopassword-login/tasks/main.yml~ b/roles/ssh-nopassword-login/tasks/main.yml~
new file mode 100644
index 00000000..f8594e19
--- /dev/null
+++ b/roles/ssh-nopassword-login/tasks/main.yml~
@@ -0,0 +1,24 @@
+- name: "Disable Challenge Response"
+  lineinfile:
+  args:
+    dest: /etc/ssh/sshd_config
+    regexp: "ChallengeResponseAuthentication yes"
+    line: "ChallengeResponseAuthentication no" 
+    backrefs: yes
+  sudo: true
+  notify: 
+  - restart sshd
+  - restart ssh
+
+- name: "Disable Password"
+  lineinfile:
+  args:
+    dest: /etc/ssh/sshd_config
+    regexp: "PasswordAuthentication yes"
+    line: "PasswordAuthentication no"
+    backrefs: yes
+  sudo: true
+  notify: 
+  - restart sshd
+  - restart ssh
+
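Review bot: `roles/ssh-nopassword-login/tasks/main.yml~` is an editor backup with the same blob id as `tasks/main.yml` (f8594e19), so it looks like it was committed by accident. Drop it from the commit and consider adding `*~` to `.gitignore`. A stale copy of hardening tasks is easy to mistake for the live file once `main.yml` is changed and the backup is not.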
-- 
GitLab