From 758e7a81454ded42301e416dcada940ee25a5c6d Mon Sep 17 00:00:00 2001
From: Jakob Meier
Date: Sun, 13 Aug 2023 18:02:45 +0200
Subject: [PATCH] Relaxed permissions
---
 roles/system/tasks/ssh.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/roles/system/tasks/ssh.yml b/roles/system/tasks/ssh.yml
index 6cc6f44..6cd1052 100644
--- a/roles/system/tasks/ssh.yml
+++ b/roles/system/tasks/ssh.yml
@@ -2,12 +2,21 @@
 - name: Disable SSH password auth
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
- regexp: ^#PasswordAuthentication yes
+ regexp: ^#?PasswordAuthentication yes
 line: PasswordAuthentication no
 validate: sshd -T -f %s
 mode: "0644"
 notify: Restart sshd
+- name:
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: ^#?PermitRootLogin (yes|no)
+ line: PermitRootLogin prohibit-password
+ validate: sshd -T -f %s
+ mode: "0644"
+ notify: Restart sshd
+
 - name: Enable ssh on boot
 ansible.builtin.service:
 name: sshd
--
2.38.5
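Review bot: The added task's `regexp: ^#?PermitRootLogin (yes|no)` matches only the `yes` and `no` values, so a host whose sshd_config holds `PermitRootLogin without-password`, `PermitRootLogin forced-commands-only` or a commented `#PermitRootLogin prohibit-password` gets no match and lineinfile appends the line at the end of the file. sshd uses the first value it reads for a keyword, and a line that lands after a `Match` block applies only inside that block, so the appended setting can be ineffective while `sshd -T -f %s` still validates and the task reports success. Matching the keyword whatever its current value, `regexp: '^#?\s*PermitRootLogin\s'`, keeps the edit on the existing line. The task is also declared with an empty `name:`; a value such as `name: Allow root SSH login with keys only` would make the play output readable and record that hosts previously set to `no` are being relaxed to `prohibit-password`.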