--- - name: Apply SSH best practices configuration hosts: all become: yes tasks: - name: Ensure the sshd_config.d directory exists file: path: /etc/ssh/sshd_config.d state: directory owner: root group: root mode: '0755' - name: Create a configuration file to apply SSH best practices copy: content: | # Disable password authentication PasswordAuthentication no # Disable challenge-response authentication ChallengeResponseAuthentication no # Allow root login PermitRootLogin yes # Disable empty passwords PermitEmptyPasswords no # Disable X11 forwarding X11Forwarding no # Use only protocol 2 Protocol 2 # Log more verbosely LogLevel VERBOSE # Keep-alive packets to ensure connection stability TCPKeepAlive yes ClientAliveInterval 60 ClientAliveCountMax 10 dest: /etc/ssh/sshd_config.d/best_practices.conf owner: root group: root mode: '0644' - name: Restart SSH service to apply changes service: name: sshd state: restarted - name: Verify SSH configuration settings shell: "sshd -T" register: ssh_config_result - name: Check specific SSH settings debug: msg: "{{ ssh_config_result.stdout_lines | select('search', 'passwordauthentication no') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'challengeresponseauthentication no') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'permitrootlogin yes') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'permitemptypasswords no') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'x11forwarding no') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'protocol 2') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'loglevel verbose') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'clientaliveinterval 60') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'clientalivecountmax 3') | list }}\n {{ ssh_config_result.stdout_lines | select('search', 'tcpkeepalive yes') | list }}"