diff --git a/playbooks/common.yml b/playbooks/common.yml
index 3dce638..3308fa7 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@@ -17,4 +17,4 @@ user: "{{ ansible_ssh_user }}" state: present key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - tags: [ 'always' ] + tags: [ 'cloud' ]
diff --git a/playbooks/local.yml b/playbooks/local.yml
index bea1470..5376b64 100644
--- a/playbooks/local.yml
+++ b/playbooks/local.yml
@@ -1,14 +1,13 @@ --- - name: Generate the SSH private key - local_action: shell echo -e 'n' | ssh-keygen -b 2048 -C {{ SSH_keys.comment }} -t rsa -f {{ SSH_keys.private }} -q -N "" + local_action: shell echo -e 'n' | ssh-keygen -C {{ SSH_keys.comment }} -t ed25519 -f {{ SSH_keys.private }} -q -N "" args: creates: "{{ SSH_keys.private }}" - name: Generate the SSH public key local_action: shell echo `ssh-keygen -y -f {{ SSH_keys.private }}` {{ SSH_keys.comment }} > {{ SSH_keys.public }} - args: - creates: "{{ SSH_keys.public }}" + changed_when: false - name: Change mode for the SSH private key local_action: file path={{ SSH_keys.private }} mode=0600
diff --git a/roles/security/templates/sshd_config.j2 b/roles/security/templates/sshd_config.j2
index ebc93ee..984f45c 100644
--- a/roles/security/templates/sshd_config.j2
+++ b/roles/security/templates/sshd_config.j2
@@ -26,7 +26,6 @@ AcceptEnv LANG LC_* # Turn off a lot of features IgnoreRhosts yes RhostsRSAAuthentication no -RSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no 
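Review bot: Switching the tag on the one changed line from `always` to `cloud` means this key-installing task (presumably authorized_key; its module line starts outside the hunk) is skipped on any run selected with other tags, so the public key is no longer pushed unless `cloud` is explicitly included, and if the security role's sshd template disables password logins (not visible in this chunk) a tag-limited run could leave a host with no working login path. If that narrowing is intended, a comment above the task should record the dependency, e.g. `# Only runs under --tags cloud; the hardened sshd_config assumes this key is already installed`. Separately, the context line `key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"` nests moustaches inside a Jinja expression; the idiomatic form is `key: "{{ lookup('file', SSH_keys.public) }}"`. The flow list `[ 'cloud' ]` with inner padding is also a style nit; `tags: ['cloud']` or a block list matches yamllint defaults.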
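Review bot: The rewritten `ssh-keygen` line, and the unchanged public-key line below it, interpolate `SSH_keys.comment`, `SSH_keys.private` and `SSH_keys.public` into a `shell` command without quoting, so a comment or path containing spaces or shell metacharacters breaks the command or is interpreted by the shell; pass each through `quote`, e.g. `ssh-keygen -C {{ SSH_keys.comment | quote }} -t ed25519 -f {{ SSH_keys.private | quote }} -q -N ""`, and likewise on the `ssh-keygen -y` line. The `echo -e 'n' |` prefix is redundant now that `creates:` stops the task when the key already exists, and `echo -e` is not portable to a POSIX `/bin/sh`. Replacing `creates:` with `changed_when: false` on the public-key task rewrites the `.pub` file on every run and hides that write from the play summary; if the goal is to refresh the public key only after the private key was (re)generated, `register: privkey` on the first task and `when: privkey.changed` on the second keeps the play idempotent and honest. `-N ""` writes an unencrypted private key, which is presumably deliberate for automation but deserves a one-line comment above the task saying so.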
@@ -53,4 +52,3 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 # TODO: I haven't seen anyone review these yet # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 -