# Install the drop-in that tells sshd which user-CA key file to trust
# (trustedusercakeys.conf is not shown here; presumably it carries a
# `TrustedUserCAKeys /etc/ssh/ca.pub` line — confirm against the role files).
# The `70-` prefix only orders this file among the other drop-ins; sshd keeps
# the FIRST value it reads for a keyword (sshd_config(5)), so a lower-numbered
# drop-in or an earlier line in sshd_config setting TrustedUserCAKeys would
# take precedence over this one.
- name: ensure sshd is configured to trust user ca keys
  tags:
    - ssh-user-ca
    - sshd-config
    - config
  copy:
    src: trustedusercakeys.conf
    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
    owner: root
    group: root
    # root-writable only, world-readable: sshd configuration must never be
    # writable by an unprivileged account
    mode: u=rw,go=r
  # sshd only picks up a new drop-in on reload; handler runs at end of play
  notify:
    - reload sshd
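# Write the trusted user-CA public key list.  This file is the root of trust
# for certificate logins: the holder of any private key listed here can mint
# certificates sshd will accept, so ssh_trusted_user_ca_keys must come from a
# controlled source (inventory/vault), never be hand-edited on the host.
# With no AuthorizedPrincipalsFile configured, sshd accepts a certificate only
# when its principal list contains the login username (sshd default — confirm
# nothing else in the config sets AuthorizedPrincipalsFile).
# sshd re-reads the TrustedUserCAKeys file on each authentication attempt, so
# no sshd reload is needed for a change to this file.
- name: ensure ssh trusted user ca list is set
  copy:
    dest: /etc/ssh/ca.pub
    # `>+` keeps the trailing newline, so the last key line is terminated.
    content: >+
      {{ ssh_trusted_user_ca_keys }}
    owner: root
    group: root
    mode: u=rw,go=r
    # Refuse to install a file in which no line parses as an SSH public key
    # (empty variable, a list rendered as its Python repr, a truncated paste).
    # ssh-keygen exits non-zero on such a file; it is shipped alongside
    # openssh-server on the major distributions.  Note it does not reject a
    # file that mixes valid keys with junk lines — sshd skips those as well.
    validate: ssh-keygen -l -f %s
  tags:
    - ssh-user-ca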
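# Comment out EVERY active AuthorizedKeysCommand line in sshd_config.
# The previous lineinfile task only ever rewrote the LAST line matching its
# (unanchored) regexp — that is lineinfile's documented behaviour for
# state=present.  Some distributions ship a commented `#AuthorizedKeysCommand
# none` near the end of sshd_config, so an active directive placed above it
# survived the "cleanup", and because sshd honours the first value it reads,
# the old command stayed in effect.  `replace` rewrites all matches and is
# idempotent: a line that has been commented no longer matches the pattern.
# Drop-ins under /etc/ssh/sshd_config.d are NOT covered by this task; an
# AuthorizedKeysCommand set in one of those would still take precedence.
- name: ensure sshd AuthorizedKeysCommand is not set
  replace:
    path: /etc/ssh/sshd_config
    # `replace` runs in MULTILINE mode, so ^/$ anchor each line.  sshd
    # keywords are case-insensitive and may be followed by whitespace or `=`;
    # `[ \t=]` (not `\s`, which would swallow newlines from blank lines)
    # also prevents a match on AuthorizedKeysCommandUser.
    regexp: '(?i)^([ \t]*AuthorizedKeysCommand[ \t=].*)$'
    replace: '#\1'
    # Fail before the file is written — and before the handler reloads sshd —
    # if the resulting configuration does not parse, to avoid a lockout.
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - reload sshd
  tags:
    - ssh-authorized-keys-command
    - sshd-config
    - config
    - cleanup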
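# Comment out EVERY active AuthorizedKeysCommandUser line in sshd_config.
# As with AuthorizedKeysCommand, the previous lineinfile task only rewrote the
# LAST line matching its unanchored regexp, so an active directive above a
# commented-out default (`#AuthorizedKeysCommandUser nobody` on some
# distributions) was left in place.  `replace` rewrites all matches; once a
# line is commented it no longer matches, so the task is idempotent.
# A value set in an /etc/ssh/sshd_config.d drop-in is not touched here.
- name: ensure sshd AuthorizedKeysCommandUser is not set
  replace:
    path: /etc/ssh/sshd_config
    # MULTILINE mode: ^/$ anchor each line.  Keyword is case-insensitive and
    # may be followed by whitespace or `=`; `[ \t]` rather than `\s` so the
    # match cannot start on a preceding blank line.
    regexp: '(?i)^([ \t]*AuthorizedKeysCommandUser[ \t=].*)$'
    replace: '#\1'
    # Refuse to write a configuration sshd cannot parse (lockout guard).
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - reload sshd
  tags:
    - ssh-authorized-keys-command
    - sshd-config
    - config
    - cleanup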
# Delete the helper script that the retired AuthorizedKeysCommand presumably
# invoked (the path and the shared tag suggest so; confirm before relying on
# it).  The sshd reload handler only fires at the end of the play, so the
# running sshd may still try to exec this script — and log a failure per
# login attempt — until then; a `meta: flush_handlers` ahead of this task
# would close that window if it matters for this deployment.
- name: ensure ssh-authorized-keys script is removed
  tags:
    - ssh-authorized-keys-command
    - cleanup
  file:
    state: absent
    path: /usr/local/libexec/ssh-authorized-keys