Posted to commits@couchdb.apache.org by da...@apache.org on 2020/12/14 20:42:22 UTC

[couchdb-infra-cm] branch main updated: Harden SSH settings on CI nodes

This is an automated email from the ASF dual-hosted git repository.

davisp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb-infra-cm.git


The following commit(s) were added to refs/heads/main by this push:
     new dc63a8c  Harden SSH settings on CI nodes
dc63a8c is described below

commit dc63a8cd29401edb0b79761fcf88ac32fe3797d2
Author: Paul J. Davis <pa...@gmail.com>
AuthorDate: Mon Dec 14 14:41:59 2020 -0600

    Harden SSH settings on CI nodes
---
 roles/common/handlers/main.yml |  4 ++++
 roles/common/tasks/main.yml    | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..660b2b7
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
\ No newline at end of file
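Review bot: the service name in `name: sshd` should be confirmed against the target hosts. The tasks file in this same commit installs packages with `apt`, and on Debian-family systems the OpenSSH unit is normally named `ssh`, with `sshd` present only as an alias. `state: reloaded` would also be enough here, since sshd re-reads its configuration on reload, and the file should end with a newline.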
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a449f36..814e1e8 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -9,6 +9,28 @@
     - https://github.com/nickva.keys
     - https://github.com/wohali.keys
 
+- name: Disable password authentication
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#\s*)?PasswordAuthentication'
+    line: "PasswordAuthentication no"
+    state: present
+  notify: restart sshd
+
+- name: Disable empty password login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#\s*)?PermitEmptyPasswords'
+    line: 'PermitEmptyPasswords no'
+  notify: restart sshd
+
+- name: Disable challenge response authentication
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#\s*)?ChallengeResponseAuthentication'
+    line: 'ChallengeResponseAuthentication no'
+  notify: restart sshd
+
 - name: Install basic ubiquitous packages
   apt:
     name: "{{ packages }}"
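Review bot: the three `lineinfile` tasks can leave the old setting in force, because with a `regexp` the module rewrites only the last matching line, while sshd uses the first value it reads for each keyword. If `/etc/ssh/sshd_config` has an active `PasswordAuthentication yes` above a commented `#PasswordAuthentication` example, only the comment is replaced and the earlier `yes` still applies. The same holds if the line is appended after a `Match` block, or if an included file sets the keyword first. Consider inserting the lines near the top of the file with `insertbefore`, or verifying the effective values with `sshd -T` after the change. None of the tasks sets `validate`, so a broken file would reach the `restart sshd` handler on a remote CI node; adding `validate: '/usr/sbin/sshd -t -f %s'` would catch that before the file is written. As a style point, `state: present` appears only on the first task and the quoting of `line:` differs between the tasks.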