dev-sec · rndmh3ro · Nov 18, 2018 · Nov 15, 2018
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
 |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
-|`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
+|`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
 |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -48,8 +48,8 @@ ssh_permit_tunnel: false
 #     options: ['StrictHostKeyChecking no']
 ssh_remote_hosts: []
 
-# false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
-ssh_allow_root_with_key: false          # sshd
+# Set this to "without-password" or "yes" to allow root to login
+ssh_permit_root_login: 'no'          # sshd
 
 # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
 ssh_allow_tcp_forwarding: false         # sshd

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -6,8 +6,8 @@
 # Basic configuration
 # ===================
 
-# Either disable or only allowssh root login via certificates.
-PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
+# Either disable or only allow root login via certificates.
+PermitRootLogin {{ ssh_permit_root_login }}
 
 # Define which port sshd should listen to. Default to `22`.
 {% for port in ssh_server_ports -%}

diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -21,7 +21,6 @@
     - ansible-ssh-hardening
   vars:
     network_ipv6_enable: true
-    ssh_allow_root_with_key: true
     ssh_allow_tcp_forwarding: true
     ssh_gateway_ports: true
     ssh_allow_agent_forwarding: true
@@ -37,6 +36,7 @@
     ssh_deny_groups: 'foo bar'
     ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
     ssh_max_auth_retries: 10
+    ssh_permit_root_login: "without-password"
     ssh_permit_tunnel: true
     ssh_print_motd: true
     ssh_print_last_log: true