From de2f88e4fc79eac738a72020f27b322a78cf7958 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Tue, 21 Feb 2017 17:43:26 -0500
Subject: [PATCH] public_facing: Disable PasswordAuthentication in sshd config
Signed-off-by: David Galloway
---
 roles/public_facing/handlers/main.yml | 6 ++++++
 roles/public_facing/tasks/main.yml | 8 ++++++++
 2 files changed, 14 insertions(+)
diff --git a/roles/public_facing/handlers/main.yml b/roles/public_facing/handlers/main.yml
index 99bcd684..d548b28c 100644
--- a/roles/public_facing/handlers/main.yml
+++ b/roles/public_facing/handlers/main.yml
@@ -10,3 +10,9 @@
 service:
 name: fail2ban
 state: reloaded
+
+# Restart sshd
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/roles/public_facing/tasks/main.yml b/roles/public_facing/tasks/main.yml
index 7be38dbb..6e215de4 100644
--- a/roles/public_facing/tasks/main.yml
+++ b/roles/public_facing/tasks/main.yml
@@ -13,6 +13,14 @@
 - always
 when: use_fail2ban == true
+- name: Disable password authentication
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ state: present
+ notify: restart sshd
+
 ## Individual host tasks
 # local_action in the task after this causes 'ansible_host' to change to 'localhost'
--
2.47.3
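Review bot: The new handler in roles/public_facing/handlers/main.yml hard-codes `name: sshd`, which is the service name on RHEL-family hosts; Debian and Ubuntu ship the service as `ssh`, and whether `sshd` resolves there depends on an alias being present. If this role can target both families, the restart may fail after the config has already been changed, so take the name from a role variable (for example `name: "{{ sshd_service_name }}"`, variable name illustrative) or key it on `ansible_os_family`. The `# Restart sshd` comment repeats the task name and could instead say why the handler exists, e.g. `# Apply sshd_config changes made by tasks/main.yml`.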
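Review bot: The `lineinfile` task added in roles/public_facing/tasks/main.yml only matches an uncommented `PasswordAuthentication` line, so on a config where the directive is commented out or absent the new line is appended at the end of `/etc/ssh/sshd_config`; if that file ends with a `Match` block, the setting then applies only inside that block and password logins stay enabled globally. Adding `insertbefore: "^Match"` keeps the directive in the global section. Adding `validate: "/usr/sbin/sshd -t -f %s"` (adjust the binary path to the target hosts) stops a broken file from being written before the handler restarts sshd on a public-facing host. Separately, with `UsePAM yes` a password prompt can still be served through keyboard-interactive unless `ChallengeResponseAuthentication no` is also set; the hunk does not show whether the role enforces that elsewhere, so it is worth confirming. A one-line comment above the task such as `# Key-only SSH on public-facing hosts; must stay in the global section, before any Match block` would record the intent.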