Merge branch 't37430-verify-key-before-permitrootlogin-modification' into 'main'

Verify root ssh authorized key file before permitrootlogin modification, Refs #37430 See merge request sys/ansible-public!38

Merge branch 't37430-verify-key-before-permitrootlogin-modification' into 'main'
50f07f80 · Baptiste DE RENZO · 552f577d · 960b6b87 · 50f07f80
Commit 50f07f80 authored 2 years ago by Baptiste DE RENZO
--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -96,7 +96,18 @@
    backup: true
  notify: restart unattended-upgrades
- name: enable root login via ssh with key
+- name: verify root user ssh authorized key file
+  ansible.builtin.stat:
+    path: /root/.ssh/authorized_keys
+  register: auth
+- name: fail if the root ssh authorized key is missing or empty
+  ansible.builtin.fail:
+    msg: "Error: root user does not have any ssh key configured !\n\
+          Cannot configure PermitRootLogin to without-password"
+  when: not auth.stat.exists or auth.stat.size == 0
+- name: enable root login via ssh with key only
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: ^#?PermitRootLogin.*