r/ssu-user-ca: Configure sshd TrustedUserCAKeys

The `TrustedUserCAKeys` setting for *sshd(8)* tells the server to accept
any certificates signed by keys listed in the specified file.
The authenticating username has to match one of the principals listed in
the certificate, of course.

This role is applied to all machines, via the `base.yml` playbook.
Certificates issued by the user CA managed by SSHCA will therefore be
trusted everywhere.  This brings us one step closer to eliminating the
dependency on Active Directory/Samba.

roles/ssh-user-ca/defaults/main.yml

@@ -0,0 +1 @@
+ssh_trusted_user_ca_keys: ''

roles/ssh-user-ca/files/trustedusercakeys.conf

@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/ca.pub

roles/ssh-user-ca/tasks/main.yml

@@ -0,0 +1,24 @@
+- name: ensure sshd is configured to trust user ca keys
+  copy:
+    src:  trustedusercakeys.conf
+    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload sshd
+  tags:
+  - ssh-user-ca
+  - sshd-config
+  - config
+
+- name: ensure ssh trusted user ca list is set
+  copy:
+    dest: /etc/ssh/ca.pub
+    content: >+
+      {{ ssh_trusted_user_ca_keys }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - ssh-user-ca