Restric SSH, more security.

roles/kerberize/handlers/main.yml

@@ -2,5 +2,4 @@
   systemd:
     name: sshd
     state: reloaded
-  notify: "reload sshd"
   when: not run_in_installer|default(false)|bool

roles/lmn_security/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Reload sshd
+  systemd:
+    name: sshd
+    state: reloaded

roles/lmn_security/tasks/main.yml

@@ -5,7 +5,7 @@
     key: "{{ item }}"
   loop: "{{ keys2deploy }}"
 
-- name: Allow sudo access without password
+- name: Allow sudo without password for ansible
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/95-lmn-ansible
     line: 'ansible ALL=(root) NOPASSWD: ALL'
@@ -18,3 +18,12 @@
   ansible.builtin.user:
     name: ansible
     password_lock: True
+
+- name: Limit SSH access to user ansible
+  ansible.builtin.blockinfile:
+    dest: /etc/ssh/sshd_config.d/local.conf
+    create: true
+    block: |
+      PasswordAuthentication no
+      AllowUsers ansible
+  notify: Reload sshd