From 323ffa34267cb364e75b266eaba91e728f272e76 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 1 Feb 2024 19:27:52 -0600
Subject: [PATCH] r/ssh-user-ca: Remove old AuthorizedKeysCommand

A few hosts have `AuthorizedKeysCommand` set in their *sshd(8)* configuration. This was my first attempt at centrally managing SSH keys, using a script which fetched a list of keys for each user from an HTTP server. This worked most of the time, but I didn't take good care of the HTTP server, so the script would fail frequently. Now that all hosts trust the SSH user CA, there is no longer any need for this "feature."
---
roles/ssh-user-ca/tasks/main.yml | 36 ++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)

diff --git a/roles/ssh-user-ca/tasks/main.yml b/roles/ssh-user-ca/tasks/main.yml
index e1aae42..b73bee6 100644
--- a/roles/ssh-user-ca/tasks/main.yml
+++ b/roles/ssh-user-ca/tasks/main.yml
@@ -22,3 +22,39 @@
 mode: u=rw,go=r
 tags:
 - ssh-user-ca
+
+- name: ensure sshd AuthorizedKeysCommand is not set
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: '#AuthorizedKeysCommand none'
+ regexp: '(?i)#?\s*AuthorizedKeysCommand\b'
+ state: present
+ notify:
+ - reload sshd
+ tags:
+ - ssh-authorized-keys-command
+ - sshd-config
+ - config
+ - cleanup
+
+- name: ensure sshd AuthorizedKeysCommandUser is not set
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: '#AuthorizedKeysCommandUser nobody'
+ regexp: '(?i)#?\s*AuthorizedKeysCommandUser\b'
+ state: present
+ notify:
+ - reload sshd
+ tags:
+ - ssh-authorized-keys-command
+ - sshd-config
+ - config
+ - cleanup
+
+- name: ensure ssh-authorized-keys script is removed
+ file:
+ path: /usr/local/libexec/ssh-authorized-keys
+ state: absent
+ tags:
+ - ssh-authorized-keys-command
+ - cleanup
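Review bot: `lineinfile` rewrites only the last line matching `regexp`, so on a host with more than one active `AuthorizedKeysCommand` line (for instance a second one inside a `Match` block) the earlier ones stay in force while the task reports the directive as unset; the `AuthorizedKeysCommandUser` task has the same limitation. The regexp is also unanchored, so a trailing comment that merely mentions the keyword on some other directive's line would be replaced by the commented-out default — `regexp: '(?i)^\s*#?\s*AuthorizedKeysCommand\b'` (and the `...CommandUser\b` counterpart) restricts the match to lines that begin with the directive. If leftover occurrences are a concern, `ansible.builtin.replace` with `regexp: '(?im)^(\s*AuthorizedKeysCommand\b.*)$'` and `replace: '#\1'` comments out every active match instead of the last one. Adding `validate: '/usr/sbin/sshd -t -f %s'` to both lineinfile tasks rejects a malformed edit before the `reload sshd` handler runs; any drop-in files pulled in through an `Include` directive, if a host uses one, are outside what these tasks inspect.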