infra-run/ansible/roles/cis-rhel9-hardening/tasks/ssh.yml

---
- name: Ensure sshd drop-in directory exists
  ansible.builtin.file:
    path: "{{ cis_ssh_dropin_path | dirname }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Ensure sshd hardening drop-in exists
  ansible.builtin.file:
    path: "{{ cis_ssh_dropin_path }}"
    state: touch
    owner: root
    group: root
    mode: "0644"
    modification_time: preserve
    access_time: preserve

- name: Configure SSH root login
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^PermitRootLogin\s+'
    line: "PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd

- name: Configure SSH empty password restriction
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^PermitEmptyPasswords\s+'
    line: "PermitEmptyPasswords no"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd

- name: Configure SSH password authentication
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^PasswordAuthentication\s+'
    line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd

- name: Configure SSH MaxAuthTries
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^MaxAuthTries\s+'
    line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd

- name: Configure SSH LoginGraceTime
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^LoginGraceTime\s+'
    line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd

- name: Configure SSH ClientAliveInterval
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^ClientAliveInterval\s+'
    line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd

- name: Configure SSH ClientAliveCountMax
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^ClientAliveCountMax\s+'
    line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"
    validate: sshd -t -f %s
  notify:
    - validate sshd
    - reload sshd
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00			`---`
			`- name: Ensure sshd drop-in directory exists`
			`ansible.builtin.file:`
			`path: "{{ cis_ssh_dropin_path \| dirname }}"`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: "0755"`

			`- name: Ensure sshd hardening drop-in exists`
			`ansible.builtin.file:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`state: touch`
			`owner: root`
			`group: root`
			`mode: "0644"`
			`modification_time: preserve`
			`access_time: preserve`

			`- name: Configure SSH root login`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^PermitRootLogin\s+'`
			`line: "PermitRootLogin {{ 'no' if cis_disable_root_login \| bool else 'prohibit-password' }}"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`

			`- name: Configure SSH empty password restriction`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^PermitEmptyPasswords\s+'`
			`line: "PermitEmptyPasswords no"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`

			`- name: Configure SSH password authentication`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^PasswordAuthentication\s+'`
			`line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth \| bool else 'yes' }}"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`

			`- name: Configure SSH MaxAuthTries`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^MaxAuthTries\s+'`
			`line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`

			`- name: Configure SSH LoginGraceTime`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^LoginGraceTime\s+'`
			`line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`

			`- name: Configure SSH ClientAliveInterval`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^ClientAliveInterval\s+'`
			`line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`

			`- name: Configure SSH ClientAliveCountMax`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_ssh_dropin_path }}"`
			`regexp: '^ClientAliveCountMax\s+'`
			`line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"`
			`validate: sshd -t -f %s`
			`notify:`
			`- validate sshd`
			`- reload sshd`