r/ssh-user-ca: Remove old AuthorizedKeysCommand

A few hosts have `AuthorizedKeysCommand` set in their *sshd(8)* configuration. This was my first attempt at centrally managing SSH keys, using a script which fetched a list of keys for each user from an HTTP server. This worked most of the time, but I didn't take good care of the HTTP server, so the script would fail frequently. Now that all hosts trust the SSH user CA, there is no longer any need for this "feature."
2024-02-01 19:27:52 -06:00 · 2024-02-01 19:27:52 -06:00 · 323ffa3426
parent f83cea50e9
commit 323ffa3426
1 changed files with 36 additions and 0 deletions
--- a/roles/ssh-user-ca/tasks/main.yml
+++ b/roles/ssh-user-ca/tasks/main.yml
@ -22,3 +22,39 @@
    mode: u=rw,go=r
  tags:
  - ssh-user-ca
+
+- name: ensure sshd AuthorizedKeysCommand is not set
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: '#AuthorizedKeysCommand none'
+    regexp: '(?i)#?\s*AuthorizedKeysCommand\b'
+    state: present
+  notify:
+  - reload sshd
+  tags:
+  - ssh-authorized-keys-command
+  - sshd-config
+  - config
+  - cleanup
+
+- name: ensure sshd AuthorizedKeysCommandUser is not set
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: '#AuthorizedKeysCommandUser nobody'
+    regexp: '(?i)#?\s*AuthorizedKeysCommandUser\b'
+    state: present
+  notify:
+  - reload sshd
+  tags:
+  - ssh-authorized-keys-command
+  - sshd-config
+  - config
+  - cleanup
+
+- name: ensure ssh-authorized-keys script is removed
+  file:
+    path: /usr/local/libexec/ssh-authorized-keys
+    state: absent
+  tags:
+  - ssh-authorized-keys-command
+  - cleanup