From 960b6b877fb2b20e76b348e722178680894c92e8 Mon Sep 17 00:00:00 2001
From: Baptiste DE RENZO <baptiste.derenzo@ubicast.eu>
Date: Mon, 6 Mar 2023 14:13:24 +0000
Subject: [PATCH] Verify root ssh authorized key file before permitrootlogin
 modification, Refs #37430

---
 roles/sysconfig/tasks/main.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/roles/sysconfig/tasks/main.yml b/roles/sysconfig/tasks/main.yml
index 69182767..21a1dea0 100644
--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -96,7 +96,18 @@
     backup: true
   notify: restart unattended-upgrades
 
-- name: enable root login via ssh with key
+- name: verify root user ssh authorized key file
+  ansible.builtin.stat:
+    path: /root/.ssh/authorized_keys
+  register: auth
+
+- name: fail if the root ssh authorized key is missing or empty
+  ansible.builtin.fail:
+    msg: "Error: root user does not have any ssh key configured !\n\
+          Cannot configure PermitRootLogin to without-password"
+  when: not auth.stat.exists or auth.stat.size == 0
+
+- name: enable root login via ssh with key only
   ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: ^#?PermitRootLogin.*
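Review bot: The guard added in the `fail` task only proves `/root/.ssh/authorized_keys` exists and has a non-zero size; a file holding only comments, blank lines or a malformed key passes the check, and once the `replace` task switches PermitRootLogin the operator is still locked out of root over ssh. Validate the content instead of the size, e.g. insert before the `fail` task `- name: verify root authorized_keys holds a parseable key` / `  ansible.builtin.command: ssh-keygen -lf /root/.ssh/authorized_keys` / `  changed_when: false` and fail when it returns non-zero. The registered `auth` result already carries `auth.stat.mode` and `auth.stat.pw_name`, so the same `when` could also reject a file not owned by root or group/world-writable, which sshd refuses under the default StrictModes without any hint in the playbook. Note that the check assumes the default `AuthorizedKeysFile`; a custom setting in sshd_config would make it look at the wrong path. The `replace` task's `replace:` value and the sshd restart handler lie outside the hunk.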
-- 
GitLab