A few hosts have `AuthorizedKeysCommand` set in their *sshd(8)* configuration. This was my first attempt at centrally managing SSH keys, using a script which fetched a list of keys for each user from an HTTP server. This worked most of the time, but I didn't take good care of the HTTP server, so the script would fail frequently. Now that all hosts trust the SSH user CA, there is no longer any need for this "feature."
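---
# Trust the SSH user CA on every host and retire the older
# AuthorizedKeysCommand-based key distribution it replaces.
# The two sshd_config edits are validated with `sshd -t` before the
# candidate file replaces the live one, so a malformed config cannot
# lock SSH access out of the host.

- name: ensure sshd is configured to trust user ca keys
  copy:
    src: trustedusercakeys.conf
    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
    owner: root
    group: root
    mode: "u=rw,go=r"
  notify:
    - reload sshd
  tags:
    - ssh-user-ca
    - sshd-config
    - config

- name: ensure ssh trusted user ca list is set
  copy:
    dest: /etc/ssh/ca.pub
    # ">+" keeps the trailing newline, so the last key line is terminated
    content: >+
      {{ ssh_trusted_user_ca_keys }}
    owner: root
    group: root
    mode: "u=rw,go=r"
  tags:
    - ssh-user-ca

# NOTE(review): lineinfile rewrites only the *last* line matching regexp.
# A second AuthorizedKeysCommand (e.g. inside a Match block, or in a
# sshd_config.d drop-in, which these tasks do not inspect) would survive
# — confirm none exist on the affected hosts.
- name: ensure sshd AuthorizedKeysCommand is not set
  lineinfile:
    path: /etc/ssh/sshd_config
    line: '#AuthorizedKeysCommand none'
    # Anchored to the line start so a mention inside a comment sentence is
    # not rewritten; the trailing \b keeps AuthorizedKeysCommandUser from
    # matching this task.
    regexp: '(?i)^\s*#?\s*AuthorizedKeysCommand\b'
    state: present
    # Reject the change if the resulting full config does not parse.
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - reload sshd
  tags:
    - ssh-authorized-keys-command
    - sshd-config
    - config
    - cleanup

- name: ensure sshd AuthorizedKeysCommandUser is not set
  lineinfile:
    path: /etc/ssh/sshd_config
    line: '#AuthorizedKeysCommandUser nobody'
    # Same anchoring as the AuthorizedKeysCommand task above.
    regexp: '(?i)^\s*#?\s*AuthorizedKeysCommandUser\b'
    state: present
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - reload sshd
  tags:
    - ssh-authorized-keys-command
    - sshd-config
    - config
    - cleanup

# The script fetched per-user key lists over HTTP; once the directive is
# commented out nothing references it, so remove it rather than leave a
# stale executable behind.
- name: ensure ssh-authorized-keys script is removed
  file:
    path: /usr/local/libexec/ssh-authorized-keys
    state: absent
  tags:
    - ssh-authorized-keys-command
    - cleanup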