From 85839d23855b553506c826b49941e6fadb1ab39b Mon Sep 17 00:00:00 2001
From: Bertrand Benjamin
Date: Fri, 24 Aug 2018 11:00:52 +0200
Subject: [PATCH] editing sshd and add public keys

---
 Choux.yml | 3 +++
 files/id_ed25519_embrevade.pub | 1 +
 files/id_ed25519_home.pub | 1 +
 files/sshd_config | 5 +----
 tasks/ssh.yml | 25 +++++++++++++++++++++++++
 vars/common.yml | 2 ++
 6 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 files/id_ed25519_embrevade.pub
 create mode 100644 files/id_ed25519_home.pub

diff --git a/Choux.yml b/Choux.yml
index 7b041bd..c32fbec 100644
--- a/Choux.yml
+++ b/Choux.yml
@@ -5,6 +5,9 @@
   vars_files:
     - vars/common.yml
 
+  vars:
+    - deploy_public_key: files/id_ed25519_home.pub
+
   tasks:
     - include: tasks/arch_CLI_packages.yml
     - include: tasks/zsh.yml
diff --git a/files/id_ed25519_embrevade.pub b/files/id_ed25519_embrevade.pub
new file mode 100644
index 0000000..caa785a
--- /dev/null
+++ b/files/id_ed25519_embrevade.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUqG2jXhu8S4LIeaMCzXhR27TU85OJZzQF1Qmi21VL2 lafrite@Poivre
diff --git a/files/id_ed25519_home.pub b/files/id_ed25519_home.pub
new file mode 100644
index 0000000..44ffc7f
--- /dev/null
+++ b/files/id_ed25519_home.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDO8452/DpTR8taSKa/i+rgAvrYP9Fv9hYLMuphHQ+ lafrite@Poivre
diff --git a/files/sshd_config b/files/sshd_config
index 90a07b4..fd930d4 100644
--- a/files/sshd_config
+++ b/files/sshd_config
@@ -30,7 +30,6 @@
 #LoginGraceTime 2m
 #PermitRootLogin prohibit-password
-PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
@@ -55,7 +54,7 @@ AuthorizedKeysFile .ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
+#PasswordAuthentication yes
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
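Review bot: The play-level `vars:` entry for `deploy_public_key` in Choux.yml is overridden by vars/common.yml, which this same commit gives `deploy_public_key: files/id_ed25519_embrevade.pub`: in Ansible's precedence order `vars_files` ranks above play `vars`, so on Choux the embrevade key, not the home key, is what ends up being authorized. Either drop the default from vars/common.yml or supply the per-play value from a higher-precedence source (host_vars, `-e`), and confirm with `ansible Choux -m debug -a var=deploy_public_key` before trusting which key is installed. Separately, `vars:` is written here as a one-item list of mappings; the plain mapping form `vars:` / `  deploy_public_key: files/id_ed25519_home.pub` is the conventional shape and leaves no question about how the list is merged.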
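Review bot: Replacing `PasswordAuthentication no` with the commented `#PasswordAuthentication yes` leaves the directive at OpenSSH's default of yes inside the shipped template, so the hardened value now exists only if the conditional `Disable password login` lineinfile task in tasks/ssh.yml actually runs; a play that stops after the template task, or a host where that `when` evaluates false, is left with password authentication enabled, and the first hunk does the same for `PermitRootLogin`. The third hunk (on the next line) also deletes the `AllowUser` line, so no user allowlist remains at all; that line was probably never effective (the directive is `AllowUsers`, and the Jinja loop joined names without separators), but the fix is a working allowlist such as `AllowUsers {{ deploy_users | map(attribute='username') | join(' ') }}`, not removal. If the template must keep the upstream default so the tasks can flip it, record that dependency next to the directive: `# PasswordAuthentication is enforced by tasks/ssh.yml (lineinfile); the commented default here is not the intended state`.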
@@ -116,5 +115,3 @@ Subsystem sftp /usr/lib/ssh/sftp-server
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
-
-AllowUser {% for user in me %}{{ user.username }}{% endfor %}
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
index ef08d4c..30297bc 100644
--- a/tasks/ssh.yml
+++ b/tasks/ssh.yml
@@ -3,6 +3,31 @@
   template:
     src: files/sshd_config
     dest: /etc/ssh/sshd_config
+
+- name: Disable empty password login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?PermitEmptyPasswords"
+    line: "PermitEmptyPasswords no"
+
+- name: Disable remote root login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+
+- name: Add public key for deploy user
+  authorized_key:
+    user: "{{ deploy_user.username }}"
+    key: "{{ deploy_public_key }}"
+  register: add_identity_key
+
+- name: Disable password login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication"
+    line: "PasswordAuthentication no"
+  when: add_identity_key|success and not add_identity_key|skipped
   notify: restart sshd
 
 - name: Enable SSH daemon
diff --git a/vars/common.yml b/vars/common.yml
index 97a4caf..c65ec63 100644
--- a/vars/common.yml
+++ b/vars/common.yml
@@ -7,3 +7,5 @@ deploy_users:
   - { username: 'waha', password: '$6$tQLlZ3lI/NDcT3.C$VCBzrpNxDgOK7b2que2/BnAYWl.zKVugZrQEPxtsq3iWcskEzQ1NvytZRXkB4GCDa/xEohxiodyCaZyFnhxby1', uid: '999'}
 
 minimal: false
+deploy_public_key: files/id_ed25519_embrevade.pub
+
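Review bot: `key: "{{ deploy_public_key }}"` in the `Add public key for deploy user` task hands `authorized_key` a repository path (`files/id_ed25519_home.pub` or `files/id_ed25519_embrevade.pub`, per the other hunks), but the module's `key` parameter takes the public key material itself (or a URL), so it should read `key: "{{ lookup('file', deploy_public_key) }}"`; as written I would expect the module to reject the value as an invalid key, which in turn means the guarded `Disable password login` task never runs. Inserting the new tasks between `dest:` and the existing `notify: restart sshd` re-attaches that `notify` to the last new task, so the template task (whose `- name:` line is outside this hunk) and the `PermitEmptyPasswords` / `PermitRootLogin` edits no longer restart sshd and stay inert in the running daemon; every task that edits /etc/ssh/sshd_config should carry its own `notify: restart sshd`, and a `validate: sshd -t -f %s` on those tasks would keep a bad edit from taking the daemon down on restart. `add_identity_key|success` / `|skipped` are filter-as-test forms that Ansible reports as deprecated; `when: add_identity_key is succeeded and add_identity_key is not skipped` is the supported spelling. `deploy_user.username` is not defined anywhere visible here (vars/common.yml only shows `deploy_users`), so confirm it is set elsewhere or the task fails on an undefined variable.

```yaml
  template:
    src: files/sshd_config
    dest: /etc/ssh/sshd_config
  notify: restart sshd

# … unchanged: Disable empty password login / Disable remote root login
#     lineinfile bodies, each additionally given `notify: restart sshd` …

- name: Add public key for deploy user
  authorized_key:
    user: "{{ deploy_user.username }}"
    key: "{{ lookup('file', deploy_public_key) }}"
  register: add_identity_key

# … unchanged: Disable password login lineinfile body …
  when: add_identity_key is succeeded and add_identity_key is not skipped
  notify: restart sshd
```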