Merge pull request #135 from thaim/ssh-refactor

Refactor ssh related role

Author: thaim

playbook-desktop.yml

@@ -4,6 +4,7 @@
   roles:
     - { role: git, tags: git, GIT_INSTALLER: 'extra' }
     - { role: shell, tags: shell, SHELL_TYPE: 'bash' }
+    - { role: ssh, tags: ssh }
     - { role: fonts, tags: fonts }
     - { role: golang, tags: golang }
     - { role: aqua, tags: aqua }

roles/secure-sshd/files/sshd_config

@@ -1,8 +1,41 @@
 ---
 
-- name: ssh | Deny Root login
-  sudo: yes
-  lineinfile: dest=/etc/ssh/sshd_config
-              regexp="PermitRootLogin"
-              line="PermitRootLogin no"
-              insertafter="# Authentication:"
+# ssh config
+
+- name: Get SSH client version
+  ansible.builtin.shell: |
+    set -o pipefail
+    ssh -V 2>&1 | head -n1 | sed 's/.*_\([0-9]\+\.[0-9]\+\).*/\1/'
+  register: ssh_version_output
+  changed_when: false
+
+- name: Set SSH version fact
+  ansible.builtin.set_fact:
+    ssh_version: "{{ ssh_version_output.stdout | float }}"
+
+- name: Ensure .ssh directory exists
+  ansible.builtin.file:
+    path: "{{ ansible_env.HOME }}/.ssh"
+    state: directory
+    mode: '0700'
+
+- name: Configure ObscureKeystrokeTiming for SSH versions < 10.0
+  ansible.builtin.blockinfile:
+    path: "{{ ansible_env.HOME }}/.ssh/config"
+    block: |
+      Host *
+          ObscureKeystrokeTiming no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - ObscureKeystrokeTiming"
+    create: yes
+    mode: '0600'
+  when: ssh_version < 10.0
+
+# sshd config
+
+- name: Deny root login
+  become: yes
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "PermitRootLogin"
+    line: "PermitRootLogin no"
+    insertafter: "# Authentication:"