In this example, we’ll look at how to edit Linux configuration files with Ansible, using sshd_config as the example. The Ansible playbook modifies sshd_config and changes or removes directives that enable insecure authentication algorithms.
We assume that you have already installed Ansible and created an inventory file. In the previous article, we showed how to create a user and copy SSH keys with Ansible.
The following playbook uses regular expressions to:
- Edit several directives in sshd_config
- Disable insecure authentication algorithms
- Add key exchange algorithms, ciphers, and MACs
In this example, we are configuring the anscfg user; replace it with your own username.
```yaml
---
- hosts: webservers
  become: true
  remote_user: anscfg
  tasks:
    - name: Add key exchange algorithms, ciphers and MAC
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^KexAlgorithms'
        line: 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

    - name: Enable the most secure server authentication algorithms and protocol version 2
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Protocol 2'
        line: 'Protocol 2'
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key'
        line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^HostKey /etc/ssh/ssh_host_rsa_key'
        line: 'HostKey /etc/ssh/ssh_host_rsa_key'

    - name: Disable insecure algorithms
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key'
        state: absent
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^HostKey /etc/ssh/ssh_host_dsa_key'
        state: absent

    - name: Remove key files
      file:
        dest: /etc/ssh/ssh_host_ecdsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_ecdsa_key
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key
        state: absent

    - name: Disable password login and allow login only with publickey
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?AuthenticationMethods'
        line: 'AuthenticationMethods publickey'
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?ChallengeResponseAuthentication'
        line: 'ChallengeResponseAuthentication no'
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'

    # Set LogLevel to VERBOSE
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^LogLevel'
        line: 'LogLevel VERBOSE'

    # Disable root login
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'

    # Allow only certain users to log in (you can specify AllowGroups instead)
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^AllowUsers'
        line: 'AllowUsers anscfg'

    - name: Restart sshd
      service:
        name: sshd
        state: restarted

    - debug:
        msg: "Ready! If necessary, generate client keys with the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100"
```
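As an added check that is not part of the original article or of Ansible, the script below audits a fetched sshd_config offline against the authentication directives and host keys the playbook enforces. It catches the case lineinfile cannot: sshd honours the first occurrence of a directive, while lineinfile rewrites only the last line matching its regexp, so a stale `PasswordAuthentication yes` higher in the file would silently win. The sample input in the test is constructed.

```python
"""Audit an sshd_config offline against the directives the playbook enforces.
sshd applies the FIRST occurrence of a directive in the global section, while
lineinfile rewrites the LAST line matching its regexp, so a stale copy higher
in the file silently overrides what the playbook wrote."""
import re

# Directives the playbook sets (keyword lowercased: expected value).
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "publickey",
    "permitrootlogin": "no",
    "loglevel": "VERBOSE",
}
# Host keys the playbook deletes; a HostKey line pointing at them must be gone too.
FORBIDDEN_HOSTKEYS = ("/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_dsa_key")

def parse_global(config: str) -> dict:
    """Collect every occurrence of each directive in the global section, in file order."""
    found: dict = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole lines as comments
            continue
        # Keywords are case-insensitive; value may follow whitespace or '='.
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # everything below a Match block is conditional; stop here
            break
        found.setdefault(key, []).append(value)
    return found

def audit(config: str) -> list:
    """Return a list of policy violations; an empty list means the file matches the playbook."""
    directives = parse_global(config)
    problems = []
    for key, want in EXPECTED.items():
        values = directives.get(key, [])
        if not values:
            problems.append(f"{key}: missing")
        elif values[0].lower() != want.lower():  # first occurrence is the effective one
            problems.append(f"{key}: effective value {values[0]!r}, expected {want!r}")
        if len(values) > 1:
            problems.append(f"{key}: {len(values)} occurrences, sshd ignores all but the first")
    for hostkey in directives.get("hostkey", []):
        if hostkey in FORBIDDEN_HOSTKEYS:
            problems.append(f"hostkey: deleted key still referenced: {hostkey}")
    return problems
```

Run it against the file before the restart task, or additionally pass lineinfile's `validate` parameter (`/usr/sbin/sshd -t -f %s`) so a syntactically broken config never reaches the running daemon.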
If you get the error "@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" when connecting to the remote hosts after deploying such a playbook, remove the /home/user/.ssh/known_hosts file or delete the old host key entries from it and try connecting again.