Shinebayar G

Reputation: 5170

Ansible - disable ssh password authentication

I'm trying to make an Ansible task that handles sshd_config properly. I've found similar regexps in other questions, but they do nothing.

- name: Disable SSH password authentication
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?\s*PasswordAuthentication\s'
    line: 'PasswordAuthentication no'
    state: present

The problem is that it should handle duplicate lines as well as comments. For example:

PasswordAuthentication no
PasswordAuthentication yes

or

PasswordAuthentication no
PasswordAuthentication no

or

PasswordAuthentication yes
PasswordAuthentication yes

or

PasswordAuthentication no
#PasswordAuthentication no

or

PasswordAuthentication no
# PasswordAuthentication no

or

# PasswordAuthentication no
# PasswordAuthentication no

etc., so many combinations. But I just want to have a single uncommented line PasswordAuthentication no.

Is this possible?

Upvotes: 5

Views: 12933

Answers (5)

Andrii

Reputation: 21

  ##-----------------------
  - name: Disallow SSH password authentication
    become: true
    block:
      - name: collect sshd configs
        ansible.builtin.find:
          paths: /etc/ssh/sshd_config.d
          patterns: '*.conf'
          file_type: file
        register: collected_info

      - name: update sshd conf
        copy:
          dest: "{{ item.path }}"
          content: "PasswordAuthentication no\n"
        with_items: "{{ collected_info.files }}"
        register: update_result
      
      - name: restart sshd
        service:
          name: sshd
          state: restarted
        when: update_result.changed is true

Upvotes: 1

Bob

Reputation: 5618

If your distribution has a /etc/ssh/sshd_config.d/ folder, you can just copy a file there:

- name: Disallow SSH password authentication
  template: src=disablePasswordAuth.conf dest=/etc/ssh/sshd_config.d/disablePasswordAuth.conf
  notify:
    - restart sshd

Then also add disablePasswordAuth.conf:

PasswordAuthentication no

Upvotes: 2

Farshid Ashouri

Reputation: 17681

Do the following:

eval "$(ssh-agent -s)"
ssh-add

And it won't ask for a password any more.

Upvotes: -5

j3ffyang

Reputation: 2460

Try this with Ansible:

  - name: Disallow SSH password authentication
    lineinfile:
      dest: /etc/ssh/sshd_config
      regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication no"
      state: present
      # validate the candidate file before it replaces sshd_config
      validate: sshd -t -f %s
    notify:
      - restart sshd

Upvotes: 3

Vladimir Botka

Reputation: 67984

Q: "handle duplicate lines as well as comments ... have single uncommented line PasswordAuthentication no"

A: Given the list of files

    my_files:
      - sshd_config.0
      - sshd_config.1
      - sshd_config.2
      - sshd_config.3
      - sshd_config.4
      - sshd_config.5

and the content

shell> for f in files-17/*; do printf "\n%s\n" $f; cat $f; done

files-17/sshd_config.0
PasswordAuthentication no
PasswordAuthentication yes

files-17/sshd_config.1
PasswordAuthentication no
PasswordAuthentication no

files-17/sshd_config.2
PasswordAuthentication yes
PasswordAuthentication yes

files-17/sshd_config.3
PasswordAuthentication no
#PasswordAuthentication no

files-17/sshd_config.4
PasswordAuthentication no
# PasswordAuthentication no

files-17/sshd_config.5
# PasswordAuthentication no
# PasswordAuthentication no

The task below removes all but the first line that includes PasswordAuthentication:

    - replace:
        path: 'files-17/{{ item }}'
        after: 'PasswordAuthentication'
        regexp: '^(.*)PasswordAuthentication(.*)$'
        replace: ''
      loop: "{{ my_files }}"

gives

shell> for f in files-17/*; do printf "\n%s\n" $f; cat $f; done

files-17/sshd_config.0
PasswordAuthentication no


files-17/sshd_config.1
PasswordAuthentication no


files-17/sshd_config.2
PasswordAuthentication yes


files-17/sshd_config.3
PasswordAuthentication no


files-17/sshd_config.4
PasswordAuthentication no


files-17/sshd_config.5
# PasswordAuthentication no

The next task replaces the remaining lines with PasswordAuthentication no:

    - lineinfile:
        path: 'files-17/{{ item }}'
        regexp: '^(.*)PasswordAuthentication(.*)$'
        line: 'PasswordAuthentication no'
      loop: "{{ my_files }}"

gives

shell> for f in files-17/*; do printf "\n%s\n" $f; cat $f; done

files-17/sshd_config.0
PasswordAuthentication no


files-17/sshd_config.1
PasswordAuthentication no


files-17/sshd_config.2
PasswordAuthentication no


files-17/sshd_config.3
PasswordAuthentication no


files-17/sshd_config.4
PasswordAuthentication no


files-17/sshd_config.5
PasswordAuthentication no

The sequence of the tasks is idempotent.

Upvotes: 2
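As an added illustration (not code from any of the answers above), the Python below performs in one pass the same normalization Vladimir's two tasks perform, run over the six constructed sample files from the question, and adds a helper that reports which value sshd would actually honour, since sshd keeps the first active occurrence of a keyword and ignores later ones. The sample texts and the function names are this example's own assumptions.

```python
import re

# Constructed sample inputs mirroring the six combinations listed in the question.
SAMPLES = {
    "sshd_config.0": "PasswordAuthentication no\nPasswordAuthentication yes\n",
    "sshd_config.1": "PasswordAuthentication no\nPasswordAuthentication no\n",
    "sshd_config.2": "PasswordAuthentication yes\nPasswordAuthentication yes\n",
    "sshd_config.3": "PasswordAuthentication no\n#PasswordAuthentication no\n",
    "sshd_config.4": "PasswordAuthentication no\n# PasswordAuthentication no\n",
    "sshd_config.5": "# PasswordAuthentication no\n# PasswordAuthentication no\n",
}

def effective_value(text, keyword="PasswordAuthentication"):
    """Value sshd would actually use from this text: the FIRST active (uncommented)
    occurrence wins and later ones are ignored. Returns None when the keyword is
    never set, in which case sshd's compiled-in default applies ("yes" here)."""
    active = re.compile(r"^\s*" + re.escape(keyword) + r"[\s=]+(\S+)", re.IGNORECASE)
    for line in text.splitlines():
        m = active.match(line)
        if m:
            return m.group(1).lower()
    return None

def normalize_directive(text, keyword="PasswordAuthentication", value="no"):
    """Rewrite text so exactly one uncommented '<keyword> <value>' line remains.
    Active duplicates and commented-out copies are dropped; the kept line takes the
    position of the first occurrence, or is appended when there was none. Running it
    again on its own output changes nothing (idempotent)."""
    # Matches active or commented occurrences; sshd keywords are case-insensitive.
    # Note: occurrences inside Match blocks are treated like any other line.
    any_occurrence = re.compile(
        r"^\s*#?\s*" + re.escape(keyword) + r"(\s|=|$)", re.IGNORECASE)
    out, placed = [], False
    for line in text.splitlines():
        if any_occurrence.match(line):
            if not placed:
                out.append(f"{keyword} {value}")
                placed = True
            continue  # drop duplicates and commented-out copies
        out.append(line)
    if not placed:
        out.append(f"{keyword} {value}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        fixed = normalize_directive(content)
        print(f"{name}: before={effective_value(content)} after={effective_value(fixed)}")
```

The same first-match rule is why the sshd_config.d answers above work on distributions whose sshd_config begins with an Include of that directory: a drop-in there is read before anything in the main file, so a stray "PasswordAuthentication yes" in a drop-in would win over a normalized main file, and the drop-ins need the same check.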
