From 1ab79c4b78a09d76aa0fa34f52443ba833c21b05 Mon Sep 17 00:00:00 2001
From: Lilian Roller
Date: Wed, 18 Mar 2020 18:15:23 +0100
Subject: [PATCH] manage ssh host keys
---
defaults/main.yml | 8 ++++----
tasks/main.yml | 36 ++++--------------------------------
vars/archlinux.yml | 8 ++++++++
vars/centos.yml | 8 ++++++++
vars/default.yml | 6 ++++++
vars/fedora.yml | 8 ++++++++
6 files changed, 38 insertions(+), 36 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index c6ac4b0..075031d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,10 +8,10 @@ sshd:
manage_key_types: true # choose ssh server allowed key types
key_types:
- - ed25519
- # - rsa
- # - ecdsa
- # - dsa # (do not use!)
+ - 'ed25519'
+ # - 'rsa'
+ # - 'ecdsa'
+ # - 'dsa' # (do not use!)
key_algorithmus:
- 'ssh-ed25519-cert-v01@openssh.com'
diff --git a/tasks/main.yml b/tasks/main.yml
index 5cf0866..fefe669 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -43,7 +43,6 @@
with_items: "{{ sshd.key_types }}"
when:
- sshd.manage_key_types | bool
-- pause:
- name: Remove unwanted host keys
become: yes
@@ -56,49 +55,22 @@
notify:
- systemctrl restart ssh
-- name: Remove unwanted host keys
- become: yes
- file:
- path: '/etc/ssh/ssh_host_{{ item }}_key'
- state: absent
- with_items:
- - ecdsa
- - rsa
- - dsa
- notify:
- - systemctrl restart ssh
- when:
- - not generate_ecdsa_too | bool
- - ansible_distribution_release != 'wheezy'
- - do_not_delete_legacy_ssh_keys | bool
- name: make sure the correct keys are available
file:
- path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
+ path: '/etc/ssh/ssh_host_{{ item }}_key'
state: absent
become: yes
with_items:
- - ecdsa
- - rsa
- - dsa
+ - "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
notify:
- systemctrl restart ssh
- when:
- - not generate_ecdsa_too | bool
- - ansible_distribution_release != 'wheezy'
- - do_not_delete_legacy_ssh_keys | bool
-- name: make sure the correct keys are available except ecdsa
+- name: make sure the correct pubkeys are available
file:
path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
state: absent
become: yes
with_items:
- - rsa
- - dsa
+ - "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
notify:
- systemctrl restart ssh
- when:
- - generate_ecdsa_too | bool
- - ansible_distribution_release != 'wheezy'
- - do_not_delete_legacy_ssh_keys | bool
diff --git a/vars/archlinux.yml b/vars/archlinux.yml
index a24e2b4..5ac9abc 100644
--- a/vars/archlinux.yml
+++ b/vars/archlinux.yml
@@ -1,2 +1,10 @@
---
sshd_service: sshd
+sshd_key_types_list:
+ - ed25519
+ - rsa
+ - ecdsa
+ - dsa
+
+sshd_xauth:
+ - xorg-xauth
diff --git a/vars/centos.yml b/vars/centos.yml
index a24e2b4..5ac9abc 100644
--- a/vars/centos.yml
+++ b/vars/centos.yml
@@ -1,2 +1,10 @@
---
sshd_service: sshd
+sshd_key_types_list:
+ - ed25519
+ - rsa
+ - ecdsa
+ - dsa
+
+sshd_xauth:
+ - xorg-xauth
diff --git a/vars/default.yml b/vars/default.yml
index 8e9b655..a6b6476 100644
--- a/vars/default.yml
+++ b/vars/default.yml
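Review bot: Both rebuilt deletion tasks (`make sure the correct keys are available` and `make sure the correct pubkeys are available`) now run with no `when:` at all, while the task looping over `sshd.key_types` at the top of the previous hunk is still gated on `sshd.manage_key_types | bool`; with `manage_key_types: false` the role would skip whatever that task does for the wanted key types yet still delete every `/etc/ssh/ssh_host_*_key` not listed in `sshd.key_types`, and an empty or misspelled `sshd.key_types` removes all host keys before the `systemctrl restart ssh` handler fires, which is a lockout risk. Add `when: sshd.manage_key_types | bool` to both tasks so deletion is gated exactly like generation. The removed `when:` blocks also referenced `do_not_delete_legacy_ssh_keys`; if that variable is still declared in defaults it is now dead and should be dropped or honoured in the same commit. Style: the two tasks differ only in the `.pub` suffix, so one task with `with_items: "{{ sshd_key_types_list | difference(sshd.key_types) | product(['', '.pub']) | list }}"` and `path: '/etc/ssh/ssh_host_{{ item.0 }}_key{{ item.1 }}'` would avoid repeating the filter expression.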
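Review bot: `sshd_key_types_list` is added here with the same four entries that vars/centos.yml, vars/default.yml and vars/fedora.yml receive in this commit; the set of host-key types OpenSSH can generate is not distribution-specific (unless a particular build drops one, which the hunks do not suggest), so a single definition in defaults/main.yml next to `sshd.key_types`, the list it is compared against with `difference`, would keep the two in one place and remove the risk of an undefined variable on a platform whose vars file is not picked up. The entries are also left unquoted while defaults/main.yml now quotes `'ed25519'`; choose one quoting style for both lists.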
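Review bot: `sshd_xauth: - xorg-xauth` is the Arch Linux package name; on CentOS/RHEL, and on Fedora which gets the identical hunk in vars/fedora.yml, the xauth package is `xorg-x11-xauth`, so if `sshd_xauth` feeds a package task (not visible in this patch) it will fail on both platforms. The identical blob ids `a24e2b4..5ac9abc` on vars/archlinux.yml, vars/centos.yml and vars/fedora.yml suggest the file was copied from the Arch variant; change the entry to `- xorg-x11-xauth` here and in vars/fedora.yml.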
@@ -1,4 +1,10 @@
---
sshd_service: ssh
+sshd_key_types_list:
+ - ed25519
+ - rsa
+ - ecdsa
+ - dsa
+
sshd_xauth:
- xorg-xauth
diff --git a/vars/fedora.yml b/vars/fedora.yml
index a24e2b4..5ac9abc 100644
--- a/vars/fedora.yml
+++ b/vars/fedora.yml
@@ -1,2 +1,10 @@
---
sshd_service: sshd
+sshd_key_types_list:
+ - ed25519
+ - rsa
+ - ecdsa
+ - dsa
+
+sshd_xauth:
+ - xorg-xauth