Racke, I'm not sure how that helps? Ansible will still add the 'no' setting at the bottom of the sshd_config file and the 'yes' setting earlier in the sshd_config file is still active.
Thanks,
Jon

On Wednesday, September 4, 2019 at 10:10:24 AM UTC-4, Stefan Hornburg (Racke) wrote:
>
> On 9/4/19 3:55 PM, Jon Adcock wrote:
> > I think it's common practice to "harden" SSH by running the following in one of your playbooks:
> >
> > - name: Disallow root SSH access
> >   lineinfile:
> >     dest: /etc/ssh/sshd_config
> >     regexp: "^PermitRootLogin no"
> >     line: "PermitRootLogin no"
> >     state: present
> >   notify:
> >     - restart sshd
> >
> > The way I understand this, if "PermitRootLogin no" does not appear in the sshd_config file, it'll append that to the
> > bottom of the file.
> >
> > So in the scenario where Ansible finds "PermitRootLogin yes" in the file, it will append "PermitRootLogin no" at the end
> > of the config file.
> >
> > The problem is that when SSH reads "PermitRootLogin yes" earlier in the file THAT configuration setting is what it
> > uses. So the 'no' setting at the end of the file is ignored, and Ansible is not doing anything for me.
> > (http://man.openbsd.org/sshd_config.5)
>
> Hello Jon,
>
> you need to adjust the regexp so it covers both "yes" and "no" as configuration values. Or just drop "no" from the
> end of the regexp.
>
> Regards
> Racke
>
> --
> Ecommerce and Linux consulting + Perl and web application programming.
> Debian and Sympa administration. Provisioning with Ansible.
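The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of `lineinfile` with `state: present` (replace the last line matching `regexp`, otherwise append `line`) and of sshd's first-value-wins rule. The function names and sample configs are constructed for illustration, and `Match` blocks and `Include` are not modelled.

```python
import re

def lineinfile(lines, regexp, line):
    """Model of lineinfile state=present: replace the LAST line that
    matches regexp; if none matches, append line unless already present."""
    pattern = re.compile(regexp)
    hits = [i for i, cur in enumerate(lines) if pattern.search(cur)]
    out = list(lines)
    if hits:
        out[hits[-1]] = line
    elif line not in out:
        out.append(line)
    return out

def effective(lines, keyword):
    """sshd_config(5): for each keyword the first obtained value is used.
    Simplified model: ignores Match blocks and Include (assumption)."""
    for cur in lines:
        parts = cur.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == keyword.lower():
            return parts[1]
    return None

# Constructed sample configs, not taken from a real host.
SAMPLE = ["Port 22", "PermitRootLogin yes", "PasswordAuthentication no"]
DUPLICATED = ["PermitRootLogin yes", "Port 22", "PermitRootLogin prohibit-password"]

WANTED = "PermitRootLogin no"
NARROW = r"^PermitRootLogin no"   # regexp from the original task
BROAD = r"^PermitRootLogin "      # "no" dropped, so any value matches

def audit(lines, regexp):
    """Apply the task, then report (resulting lines, effective value)."""
    result = lineinfile(lines, regexp, WANTED)
    return result, effective(result, "PermitRootLogin")

if __name__ == "__main__":
    for name, cfg, rx in [("narrow", SAMPLE, NARROW),
                          ("broad", SAMPLE, BROAD),
                          ("broad, duplicated keyword", DUPLICATED, BROAD)]:
        result, value = audit(cfg, rx)
        print(f"{name}: effective PermitRootLogin = {value}")
        print("  " + "\n  ".join(result))
```

The third case shows why the result is worth checking after the edit: only the last matching line is rewritten, so an earlier duplicate still decides the value. On a host, `sshd -T` prints the configuration sshd would actually use.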