Change default for sshd to only all keybased auth

Set PermitRootLogin to prohibit-password instead of yes.

Change-Id: Ifde08c43c29a6c437d622399ea48be96c0ac3432

defaults/main.yml

@@ -95,7 +95,7 @@ lxc_pip_packages:
   - lxc-python2
 
 lxc_cache_sshd_configuration:
-    - { regexp: "^PermitRootLogin",         line: "PermitRootLogin yes" }
+    - { regexp: "^PermitRootLogin",         line: "PermitRootLogin prohibit-password" }
     - { regexp: "^TCPKeepAlive",            line: "TCPKeepAlive yes" }
     - { regexp: "^UseDNS",                  line: "UseDNS no" }
     - { regexp: "^X11Forwarding",           line: "X11Forwarding no" }

releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - The PermitRootLogin in sshd_config changed from 'yes'
+    to 'prohibit-password' in the containers. By default
+    there is no password set in the containers but the ssh
+    pub key from the deployment host is injected in the
+    targets nodes authorized_keys.