
manage ssh host keys

This commit is contained in:
Lilian Roller 2020-03-18 18:15:23 +01:00
parent 9768133a23
commit 1ab79c4b78
No known key found for this signature in database
GPG key ID: 5215C3441797AB2B
6 changed files with 38 additions and 36 deletions


@ -8,10 +8,10 @@ sshd:
manage_key_types: true manage_key_types: true
# choose ssh server allowed key types # choose ssh server allowed key types
key_types: key_types:
- ed25519 - 'ed25519'
# - rsa # - 'rsa'
# - ecdsa # - 'ecdsa'
# - dsa # (do not use!) # - 'dsa' # (do not use!)
key_algorithmus: key_algorithmus:
- 'ssh-ed25519-cert-v01@openssh.com' - 'ssh-ed25519-cert-v01@openssh.com'


@ -43,7 +43,6 @@
with_items: "{{ sshd.key_types }}" with_items: "{{ sshd.key_types }}"
when: when:
- sshd.manage_key_types | bool - sshd.manage_key_types | bool
- pause:
- name: Remove unwanted host keys - name: Remove unwanted host keys
become: yes become: yes
@ -56,49 +55,22 @@
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh
- name: Remove unwanted host keys
become: yes
file:
path: '/etc/ssh/ssh_host_{{ item }}_key'
state: absent
with_items:
- ecdsa
- rsa
- dsa
notify:
- systemctrl restart ssh
when:
- not generate_ecdsa_too | bool
- ansible_distribution_release != 'wheezy'
- do_not_delete_legacy_ssh_keys | bool
- name: make sure the correct keys are available - name: make sure the correct keys are available
file: file:
path: '/etc/ssh/ssh_host_{{ item }}_key.pub' path: '/etc/ssh/ssh_host_{{ item }}_key'
state: absent state: absent
become: yes become: yes
with_items: with_items:
- ecdsa - "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
- rsa
- dsa
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh
when:
- not generate_ecdsa_too | bool
- ansible_distribution_release != 'wheezy'
- do_not_delete_legacy_ssh_keys | bool
- name: make sure the correct keys are available except ecdsa - name: make sure the correct pubkeys are available
file: file:
path: '/etc/ssh/ssh_host_{{ item }}_key.pub' path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
state: absent state: absent
become: yes become: yes
with_items: with_items:
- rsa - "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
- dsa
notify: notify:
- systemctrl restart ssh - systemctrl restart ssh
when:
- generate_ecdsa_too | bool
- ansible_distribution_release != 'wheezy'
- do_not_delete_legacy_ssh_keys | bool
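Review bot: Both new removal tasks (`make sure the correct keys are available` and `make sure the correct pubkeys are available`) carry no `when:` at all, while the generation task at the top of the hunk is gated on `sshd.manage_key_types | bool` and the deleted tasks were gated on `do_not_delete_legacy_ssh_keys`, so every host key type not in `sshd.key_types` is now removed on every run even when key management is switched off. Add `when:` followed by `  - sshd.manage_key_types | bool` to both tasks, mirroring the generation task above. Removing a private host key changes the identity the server presents to clients that have already cached it, and if sshd_config still lists a `HostKey` line for a removed type the daemon will report a load failure on the restart the handler triggers; whether this role rewrites those lines is outside this hunk, so that part is inferred. The task names read as if keys are being created while `state: absent` deletes them; `name: Remove host keys not in sshd.key_types` and `name: Remove host pubkeys not in sshd.key_types` would describe what actually happens.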


@ -1,2 +1,10 @@
--- ---
sshd_service: sshd sshd_service: sshd
sshd_key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
- xorg-xauth
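Review bot: `sshd_key_types_list` is added as the identical four-element list in each of the four per-distribution vars sections of this commit (this one and the three that follow), and the tasks use it as the universe of key types to delete from, so any later drift between the copies silently changes which host keys are removed on one distribution but not another. A single shared definition (the role's defaults, or a vars file loaded for every distribution) would avoid that, with a comment such as `# every host key type the role knows about; types not in sshd.key_types are deleted` so a reader understands why `dsa` is listed even though it must never be enabled. The `sshd_xauth` list added in the same hunks is unrelated to the host-key change named in the commit message; if it belongs to a separate change, splitting it out keeps the history easier to audit.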


@ -1,2 +1,10 @@
--- ---
sshd_service: sshd sshd_service: sshd
sshd_key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
- xorg-xauth


@ -1,4 +1,10 @@
--- ---
sshd_service: ssh sshd_service: ssh
sshd_key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth: sshd_xauth:
- xorg-xauth - xorg-xauth


@ -1,2 +1,10 @@
--- ---
sshd_service: sshd sshd_service: sshd
sshd_key_types_list:
- ed25519
- rsa
- ecdsa
- dsa
sshd_xauth:
- xorg-xauth