From c70108a5cb5d1177e186278efccaf35fbf1d82ea Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Mon, 1 Feb 2021 23:28:44 -0700
Subject: [PATCH] no passwords
---
 ansible/playbooks/templates/etc/ssh/RedHat-7-sshd_config.j2 | 6 +++++-
 ansible/playbooks/templates/etc/ssh/RedHat-8-sshd_config.j2 | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/ansible/playbooks/templates/etc/ssh/RedHat-7-sshd_config.j2 b/ansible/playbooks/templates/etc/ssh/RedHat-7-sshd_config.j2
index 54e8fc4..6fb6a57 100644
--- a/ansible/playbooks/templates/etc/ssh/RedHat-7-sshd_config.j2
+++ b/ansible/playbooks/templates/etc/ssh/RedHat-7-sshd_config.j2
@@ -62,7 +62,6 @@ AuthorizedKeysFile .ssh/authorized_keys
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
-PasswordAuthentication yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
@@ -154,3 +153,8 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
 AuthorizedKeysCommandUser nobody
 ChallengeResponseAuthentication yes
+PasswordAuthentication no
+
+{% if 'gitlabservers' in group_names %}
+AllowUsers git@* *@10.*
+{% endif %}
diff --git a/ansible/playbooks/templates/etc/ssh/RedHat-8-sshd_config.j2 b/ansible/playbooks/templates/etc/ssh/RedHat-8-sshd_config.j2
index be831c9..f940d24 100644
--- a/ansible/playbooks/templates/etc/ssh/RedHat-8-sshd_config.j2
+++ b/ansible/playbooks/templates/etc/ssh/RedHat-8-sshd_config.j2
@@ -70,7 +70,6 @@ AuthorizedKeysFile .ssh/authorized_keys
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
-PasswordAuthentication yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
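Review bot: In the second hunk of RedHat-7-sshd_config.j2, `PasswordAuthentication no` is added directly under the existing `ChallengeResponseAuthentication yes`, which leaves keyboard-interactive authentication enabled. If `UsePAM yes` is set elsewhere in the template (not visible in this hunk), PAM can still prompt for the account password over that method, so the commit title "no passwords" would not fully hold. If key-only login is the intent, add `AuthenticationMethods publickey` or change the line above to `ChallengeResponseAuthentication no`. If keyboard-interactive is kept on purpose, a comment such as `# keyboard-interactive stays enabled for <reason>; plain password auth is off` would record that. The RedHat-8 template hunk adds the same lines under the same directive.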
@@ -166,3 +165,8 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
 AuthorizedKeysCommandUser nobody
 ChallengeResponseAuthentication yes
+PasswordAuthentication no
+
+{% if 'gitlabservers' in group_names %}
+AllowUsers git@* *@10.*
+{% endif %}
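Review bot: `AllowUsers git@* *@10.*` restricts non-git users with a wildcard host pattern rather than an address range, so `10.*` is a plain string match on whatever sshd compares it with. When `UseDNS` is enabled (its setting is not visible in this hunk), that comparison also covers the client's resolved hostname, so a name that merely begins with `10.` would satisfy the pattern. Confirm `UseDNS no` in this template, or express the restriction by address, for example inside a `Match Address 10.0.0.0/8` block. A comment above the line such as `# GitLab hosts: only git may log in from outside 10.0.0.0/8` would also document the intent. The RedHat-7 template hunk adds the identical line.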