X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fssh_conf_hardening%2Ftasks%2Fmain.yaml;h=66d4bce618e43ef5ea8c22dc14bfefb2e593092f;hb=c4369e76d0ea181f6e8e637f3704cb7356a9e104;hp=1058a5286ddeabbbb9b7089ef03f9f19c54d7238;hpb=74a49ba6ef2ea715fa492db0bcd85c30398688e8;p=ta%2Finfra-ansible.git
diff --git a/roles/ssh_conf_hardening/tasks/main.yaml b/roles/ssh_conf_hardening/tasks/main.yaml
index 1058a52..66d4bce 100644
--- a/roles/ssh_conf_hardening/tasks/main.yaml
+++ b/roles/ssh_conf_hardening/tasks/main.yaml
@@ -62,7 +62,7 @@
 - name: User Alive Interval setting
 ssh_conf:
 regexp: '[\s]*ClientAliveInterval'
- values: "ClientAliveInterval 900\n"
+ values: "ClientAliveInterval 300\n"
 - name: Disable the X11forwarding
 ssh_conf:
@@ -107,13 +107,23 @@
 - name: MaxAuthTries setting
 ssh_conf:
 regexp: '[\s]*MaxAuthTries'
- values: "MaxAuthTries 6\n"
+ values: "MaxAuthTries 3\n"
+
+- name: "Limit interactive session count to 2"
+ ssh_conf:
+ regexp: '[\s]*MaxSessions'
+ values: "MaxSessions 2\n"
 - name: Banner creation
 ssh_conf:
 regexp: '[\s]*Banner'
 values: "Banner /etc/banner\n"
+- name: "Disable Keepalive"
+ ssh_conf:
+ regexp: '[\s]*TCPKeepAlive'
+ values: "TCPKeepAlive no\n"
+
 - name: "Enable the Ipv6"
 lineinfile:
 path: /etc/ssh/sshd_config
@@ -140,6 +150,11 @@
 regexp: '[\s]*ClientAliveCountMax'
 values: "ClientAliveCountMax 0\n"
+- name: "Limit logins to members of admin, keystone, and ironic groups"
+ ssh_conf:
+ regexp: '[\s]*AllowGroups'
+ values: "AllowGroups {{ users['admin_user_name'] }} {{ keystone_system_group_name |default('keystone') }} {{ ironic_system_group_name | default('ironic') }}\n"
+
 - name: "Disable SSH Support for User Known Hosts"
 ssh_conf:
 regexp: '[\s]*IgnoreUserKnownHosts'
@@ -154,7 +169,7 @@
 name: sshd
 state: restarted
-- name : create a banner file
+- name: create a banner file
 lineinfile:
 path: /etc/banner
 create: yes
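Review bot: The 300-second `ClientAliveInterval` set in this hunk only works as an idle timeout together with `ClientAliveCountMax 0`, which the role sets elsewhere (visible as context in the `@@ -140,6 +150,11 @@` hunk), and that pairing behaves differently across OpenSSH versions. Before OpenSSH 8.2 a count of 0 dropped the connection at the first unanswered interval; from 8.2 on, 0 disables the disconnect entirely, so an idle session would stay open. The target sshd version is not visible here, so this should be confirmed. A comment above the task would record the dependency, e.g. `# idle timeout relies on ClientAliveCountMax 0; OpenSSH >= 8.2 treats 0 as "never disconnect"`.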
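Review bot: The task name `Limit interactive session count to 2` overstates what the added `MaxSessions 2` enforces. sshd applies MaxSessions per network connection (shell, login or subsystem sessions multiplexed over one connection), so an account can still open any number of separate connections. A more accurate name would be `- name: "Limit sessions per SSH connection to 2"`. If the intent is to cap concurrent logins per user, that needs a separate control such as a `maxlogins` limit in limits.conf, which this hunk does not add.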
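Review bot: `AllowGroups` matches group names, but the first entry in the added `values:` line is rendered from `users['admin_user_name']`, which by its key is a user name. That works only where a group of the same name exists and the admin account is a member. Otherwise the sshd restart that appears as context in the last hunk can lock the admin out of SSH, and any other account outside these three groups is cut off as well. Consider asserting that the group exists before this task runs, or using a dedicated group variable, and add a comment such as `# AllowGroups takes group names; assumes a group named after admin_user_name exists`. The filter spacing `|default('keystone')` also differs from `| default('ironic')` on the same line.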