From b4ab97be5ad9d1de93ab5b4215c7ef0cf04dbc21 Mon Sep 17 00:00:00 2001
From: Isabelle K
Date: Sat, 21 Mar 2020 09:24:55 +0100
Subject: [PATCH] Disallow Password Auth for SSH
---
 tasks/main.yml | 2 ++
 tasks/sshd.yml | 14 ++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 tasks/sshd.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index e69aaa6..f971192 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,3 +14,5 @@
 group: root
 mode: 0644
 when: motd_path is defined
+
+ - include: sshd.yml
diff --git a/tasks/sshd.yml b/tasks/sshd.yml
new file mode 100644
index 0000000..a8377a3
--- /dev/null
+++ b/tasks/sshd.yml
@@ -0,0 +1,14 @@
+---
+- name: Restrict SSH to public key authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?AuthenticationMethods '
+ line: 'AuthenticationMethods publickey'
+ service: name=sshd state=restarted
+
+ - name: Disable SSH password authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication '
+ line: 'PasswordAuthentication no'
+ service: name=sshd state=restarted
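Review bot: The added `- include: sshd.yml` at the end of tasks/main.yml uses the bare `include` action, which has been deprecated since Ansible 2.4; for a static task file the current form is `- import_tasks: sshd.yml` (or `include_tasks` if it has to be resolved at run time). Because this line makes every host that runs the role lose password logins, a comment above it would help the next maintainer, for example `# Requires SSH keys to be provisioned already; sshd.yml disables password logins`. The task list starts above the hunk, so how this entry lines up with the preceding tasks cannot be checked from here.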
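Review bot: Both tasks in tasks/sshd.yml pair `lineinfile:` with a `service:` key, which Ansible rejects as conflicting actions in one task (or as an unsupported `lineinfile` parameter, if the lost indentation nested it), so the hardening is probably never applied. The second `- name:` also appears to be indented while the first sits at column 0, which would not parse if the real file looks the same. Moving the restart into a handler triggered by `notify` restarts sshd only when a line changes, and `validate` keeps a broken sshd_config from being written and locking the host out. Separately, `lineinfile` rewrites only the last matching line and appends at end of file when nothing matches, while sshd honours the first occurrence of a keyword and scopes anything after a `Match` line. An earlier `PasswordAuthentication yes` or a trailing `Match` block would therefore leave password logins enabled, so confirm the effective values with `sshd -T`; the handler name and its location in the sketch below are placeholders.

```yaml
- name: Restrict SSH to public key authentication
  lineinfile:
    # … unchanged: path, regexp, line …
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

- name: Disable SSH password authentication
  lineinfile:
    # … unchanged: path, regexp, line …
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# handler, defined in the role's handlers file (name is a placeholder)
- name: restart sshd
  service:
    name: sshd
    state: restarted
```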