add '/etc/security/limits.conf', modify '/etc/ssh/sshd_config'.

hosts

@@ -106,4 +106,4 @@ file-mbr.mbr-bln.netz ansible_user=root
 file-mbr.mbr-bln.netz ansible_user=root
 
 [samba_server]
-#file-mbr.mbr-bln.netz ansible_user=root
+file-mbr.mbr-bln.netz ansible_user=root

roles/common/tasks/basic.yml

@@ -43,3 +43,26 @@
     -  etc_systemd_system_conf.stat.exists == true
   tags:
     - systemd-nofiles
+
+- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
+  stat:
+    path: /etc/security/limits.conf.ORIG
+  register: etc_security_limits_conf_ORIG
+  tags:
+    - limits-conf
+
+- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf'
+  command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG
+  when: etc_security_limits_conf_ORIG.stat.exists == False
+  tags:
+    - limits-conf
+
+- name: (basic.yml) Create new sshd_config from template limits.conf.j2
+  template:
+    src: etc/security/limits.conf.j2
+    dest: /etc/security/limits.conf
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - limits-conf

roles/common/templates/etc/security/limits.conf.j2

@@ -0,0 +1,62 @@
+# {{ ansible_managed }}
+
+# /etc/security/limits.conf
+# 
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#        - NOTE: group and wildcard limits are not applied to root.
+#          To apply a limit to the root user, <domain> must be
+#          the literal username root.
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#        - chroot - change root to directory (Debian-specific)
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#root            hard    core            100000
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#ftp             -       chroot          /ftp
+#@student        -       maxlogins       4
+
+*     -  nofile   1048576
+root  -  nofile   1048576
+
+
+# End of file

roles/common/templates/etc/ssh/sshd_config.j2

@@ -186,7 +186,7 @@ AllowUsers {{ fact_sshd_allowed_users }}
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
+UsePAM {{ sshd_use_pam }}
 
 # Specifies whether login(1) is used for interactive login sessions.
 # Note that login(1) is never used for remote command execution.