Fix ssh.yml to handle the case of camelot

playbooks/ssh.yml

@@ -1,6 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: services-*.pve.auro.re
+- hosts: all,!unifi
   vars:
     openssh_users_ca_public_key:
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
@@ -9,6 +9,10 @@
     openssh_authorized_principals:
       - any
       - "{{ inventory_hostname }}"
+    openssh_whitelist_groups: "{{ ['adherent']
+                                  if inventory_hostname == 'camelot.adm.auro.re'
+                                  else [] }}"
+    openssh_allow_passwords: "{{ inventory_hostname == 'camelot.adm.auro.re' }}"
   roles:
     - openssh_server
 ...

roles/openssh_server/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
 openssh_authorized_principals:
   - any
+openssh_allow_passwords: false
+openssh_whitelist_users: []
+openssh_whitelist_groups: []
 ...

roles/openssh_server/templates/sshd_config.j2

@@ -20,14 +20,19 @@ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
+{% if openssh_allow_passwords %}
+AuthenticationMethods password publickey
+UsePAM yes
+{% else %}
 AuthenticationMethods publickey
+UsePAM no
+{% endif %}
 
 TrustedUserCAKeys /etc/ssh/users_ca.pub
 AuthorizedPrincipalsFile /etc/ssh/authorized_principals
 
 StrictModes yes
-UsePAM no
+PermitRootLogin without-password
-PermitRootLogin yes
 PermitUserRC no
 PermitUserEnvironment no
 AllowAgentForwarding no
@@ -43,3 +48,10 @@ UseDNS no
 AcceptEnv LANG LC_*
 
 Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}
+
+{% for group in openssh_whitelist_groups %}
+Match group {{ group }}
+	AllowUsers *
+{% endfor %}