---

- name: Disable SSH root login without password
  lineinfile: 
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin .*$'
    line: "PermitRootLogin prohibit-password" 
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: Disable PasswordAuthentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#PasswordAuthentication .*$'
    line: "PasswordAuthentication no"
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: Disable X11 forwarding
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?X11Forwarding .*$'
    line: "X11Forwarding no"
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh