fix(std.yml): don't allow SSH logins as root using password authn

There's not point in allowing it, forbid it instead. Sponsored-by: author
author: Lars Wirzenius <liw@liw.fi> 2022-09-04 14:42:08 +0300
committer: Lars Wirzenius <liw@liw.fi> 2022-09-04 16:04:45 +0300
commit: 7c250ddce0fa3b136eb3d8baec6c4ab513d0fbe8 (patch)
tree: 57489a09bf72006a0cc82732a10c32b7be5c57a3 /std.yml
parent: 1653e31dcce6388f8760a0b4775bf32b4df5fb56 (diff)
download: v-i-7c250ddce0fa3b136eb3d8baec6c4ab513d0fbe8.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/std.yml b/std.yml
index 9a46c1c..fdb56f8 100644
--- a/std.yml
+++ b/std.yml
@@ -41,6 +41,12 @@
           {{ user_ca_pubkey }}
         dest: /etc/ssh/user_ca_keys
 
+    - name: "restrict root logins over ssh to require a key"
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regex: "#* *PasswordAuthentication"
+        line: "PasswordAuthentication no"
+
     - name: "configure sshd to accept CA for users"
       when: user_ca_pubkey is defined
       copy:
author	Lars Wirzenius <liw@liw.fi>	2022-09-04 14:42:08 +0300
committer	Lars Wirzenius <liw@liw.fi>	2022-09-04 16:04:45 +0300
commit	7c250ddce0fa3b136eb3d8baec6c4ab513d0fbe8 (patch)
tree	57489a09bf72006a0cc82732a10c32b7be5c57a3 /std.yml
parent	1653e31dcce6388f8760a0b4775bf32b4df5fb56 (diff)
download	v-i-7c250ddce0fa3b136eb3d8baec6c4ab513d0fbe8.tar.gz