From 6a2179d7a0bb60f4cca3d2dae01e814d636cc833 Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Wed, 27 May 2026 13:10:45 -0400
Subject: [PATCH] added tagged task that adds SSH authentication restrictions

---
 roles/init-server/tasks/lock.yml | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/roles/init-server/tasks/lock.yml b/roles/init-server/tasks/lock.yml
index 814c992..bf0639a 100644
--- a/roles/init-server/tasks/lock.yml
+++ b/roles/init-server/tasks/lock.yml
@@ -5,9 +5,24 @@
 - name: Checking whether administrative login used
 when: ansible_facts["user_id"] not in (admins | map(attribute="username") | list)
 ansible.builtin.fail:
- msg: Administrative user does not exist on managed node
+ msg: Must use administrative user for subsequent tasks
+- name: Setting approved SSH authentication procedures
+ when: harden and ansible_facts["system"] == "Linux"
+ become: true
+ ansible.builtin.copy:
+ src: sshd_config.d/auth.conf
+ dest: /etc/ssh/sshd_config.d/auth.conf
+ owner: root
+ group: root
+ mode: "644"
+ force: true
+ backup: true
+ validate: "sshd -t %s"
+ register: ssh_authenticator
+ tags:
+ - ssh_secure_auth
 - name: Prohibiting SSH root login
- when: harden
+ when: harden and ansible_facts["system"] == "Linux"
 become: true
 ansible.builtin.copy:
 src: sshd_config.d/denyroot.conf
@@ -28,6 +43,7 @@
 loop: "{{ sys_users }}"
 register: ftp_groups
 - name: Configuring SFTP for FTP group
+ when: ansible_facts["system"] == "Linux"
 become: true
 ansible.builtin.template:
 src: sshd_config.d/sftp.conf.j2
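Review bot: The `validate:` command on the new "Setting approved SSH authentication procedures" task passes the staged file as a positional argument, but sshd reads its configuration path from `-f`, so as written `%s` is not consumed as the config to test and the check either errors or validates the system config instead of the file being installed; use `validate: "sshd -t -f %s"`, preferably with the binary's full path since PATH under `become` is not guaranteed. Even then `-t -f` checks only that fragment's syntax, and `/etc/ssh/sshd_config.d/auth.conf` only takes effect if the host's main `sshd_config` carries an `Include` for that directory, which the `ansible_facts["system"] == "Linux"` guard does not establish — worth asserting or documenting on the task. `mode: "644"` works because Ansible treats the quoted string as octal, but `mode: "0644"` states the intent unambiguously, and `force: true` is already the module default. The task registers `ssh_authenticator` yet no `notify` is visible in this hunk; if nothing reloads sshd after the drop-in changes, the new restrictions will not apply until the next restart — if the handler is wired up elsewhere, a one-line comment pointing to it would save the next reader the search.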
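Review bot: The `ansible_facts["system"] == "Linux"` condition added to "Configuring SFTP for FTP group" is now repeated verbatim on three tasks in this file (the two in the earlier hunk as well); grouping the sshd drop-in tasks under a `block:` with a single `when:`, or gating the role on the fact once, would keep the condition in one place. Unlike the other two, this task is not also gated on `harden`, so it runs on every Linux host even when hardening is disabled — if that is intentional, a short comment such as `# SFTP drop-in applies regardless of harden` would make it explicit. The task's remaining keys continue beyond the hunk.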