Updated ansible ssh hardening role

DIAGNijmegen · Sep 23, 2023 · 8bd5fb1 · 8bd5fb1
1 parent 77da689
commit 8bd5fb1
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/ansible.cfg b/ansible.cfg
@@ -7,10 +7,10 @@ host_key_checking = False
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = /var/tmp/ansible_cache
-fact_caching_timeout = 8640
+fact_caching_timeout = 86400
 deprecation_warnings = False
 #vault_password_file = ./config/.vault-pass
-timeout=120
+timeout=60
 stdout_callback = yaml
 bin_ansible_callbacks = True
 local_tmp=/tmp

diff --git a/playbooks/generic/users.yml b/playbooks/generic/users.yml
@@ -2,6 +2,8 @@
 # Create user with password (defined in config/group_vars/all.yml)
 - hosts: all
   become: true
+  collections:
+    - devsec.hardening
   tasks:
 
     - name: Set backward compatible values for ssh-hardening if not defined
@@ -11,6 +13,7 @@
         when: ssh_client_hardening is undefined
       - set_fact:
           ssh_server_password_login: true
+          sshd_authenticationmethods: publickey password
         when: ssh_server_password_login is undefined
       - set_fact:
           ssh_use_pam: true
@@ -21,7 +24,10 @@
 
     - name: Configure SSH to allow login with password
       include_role:
-        name: dev-sec.ssh-hardening
+        name: ssh_hardening
+      vars:
+        ssh_server_password_login: true
+        sshd_authenticationmethods: password publickey
 
     - name: Set user password
       include_role: