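---
# Hardens sshd on every targeted host: no root login, no password or
# challenge-response logins, public-key authentication only.
#
# Operational caveats:
# - Confirm key-based login for a non-root account works on each host before
#   applying this; afterwards it is the only way in over SSH.
# - sshd uses the first value it reads for each keyword. A setting on an
#   earlier line, or in a drop-in pulled in by an Include directive, takes
#   precedence over what is written here. Check the effective configuration
#   with `sshd -T` after the run.
# - lineinfile appends the line when nothing matches `regexp` (commented-out
#   defaults such as `#PermitRootLogin ...` do not match). If the file ends
#   in a Match block, the appended directive lands inside that block and
#   applies only conditionally.
- name: Disable root and password SSH login
  hosts: all
  become: true
  # Facts are needed for the os_family lookup in the restart task.
  gather_facts: true

  tasks:
    # Every edit is validated with `sshd -t` against the candidate file before
    # it replaces sshd_config, so a syntax error cannot reach the restart.
    - name: Ensure PermitRootLogin is disabled
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'

    - name: Disable password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'

    # Newer OpenSSH releases call this option KbdInteractiveAuthentication and
    # keep the spelling below as a deprecated alias.
    - name: Disable challenge response authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^ChallengeResponseAuthentication'
        line: 'ChallengeResponseAuthentication no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'

    - name: Ensure PubkeyAuthentication enabled
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'

    # Runs on every play, not only when sshd_config changed. The unit is named
    # `ssh` on Debian-family hosts and `sshd` elsewhere.
    - name: Restart SSH
      ansible.builtin.service:
        name: "{{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}"
        state: restarted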