---
- hosts: all
  vars:
    conf: /etc/ssh/sshd_config
  sudo: yes
  tasks:
  # - name: find sshd_config
  #   set_fact: conf={{item}}
  #   # how to check remote files?
  #   with_first_found:
  #   - /etc/ssh/sshd_config
  #   - /etc/sshd_config
  # - name: assert sshd_config found
  #   assert: that="conf is defined"
  - name: Protocol 2
    lineinfile: dest={{conf}}
                regexp="^(#)?Protocol"
                line="Protocol 2"
    notify: restart sshd
  - name: PermitRootLogin no
    lineinfile: dest={{conf}}
                regexp="^(#)?PermitRootLogin"
                line="PermitRootLogin no"
    notify: restart sshd
  - name: RSAAuthentication no
    lineinfile: dest={{conf}}
                regexp="^(#)?RSAAuthentication"
                line="RSAAuthentication no"
    notify: restart sshd
  - name: PasswordAuthentication no
    lineinfile: dest={{conf}}
                regexp="^(#)?PasswordAuthentication"
                line="PasswordAuthentication no"
    notify: restart sshd
  - name: PermitEmptyPassword no
    lineinfile: dest={{conf}}
                regexp="^(#)?PermitEmptyPasswords"
                line="PermitEmptyPasswords no"
    notify: restart sshd
  - name: ChallengeResponseAuthentication no
    lineinfile: dest={{conf}}
                regexp="^(#)?ChallengeResponseAuthentication"
                line="ChallengeResponseAuthentication no"
    notify: restart sshd
  - name: UseDNS no
    lineinfile: dest={{conf}}
                regexp="^(#)?UseDNS"
                line="UseDNS no"
    notify: restart sshd
  - name: UsePAM no
    lineinfile: dest={{conf}}
                regexp="^(#)?UsePAM"
                line="UsePAM no"
    notify: restart sshd

  handlers:
  - name: restart sshd
    service: name=ssh state=restarted