From 95e0134f2132ba08950327afe70de1db3d71fcc6 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 9 Apr 2017 20:39:22 +0200
Subject: [PATCH] 1. Disable SSH key deploying if installation on existing server 2. Move to the ed25519 algorithm 3. Delete unneeded option RSAAuthentication
Fixes #272
---
 playbooks/common.yml | 2 +-
 playbooks/local.yml | 5 ++---
 roles/security/templates/sshd_config.j2 | 2 --
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/playbooks/common.yml b/playbooks/common.yml
index 3dce638..3308fa7 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@@ -17,4 +17,4 @@
 user: "{{ ansible_ssh_user }}"
 state: present
 key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- tags: [ 'always' ]
+ tags: [ 'cloud' ]
diff --git a/playbooks/local.yml b/playbooks/local.yml
index bea1470..5376b64 100644
--- a/playbooks/local.yml
+++ b/playbooks/local.yml
@@ -1,14 +1,13 @@
 ---
 - name: Generate the SSH private key
- local_action: shell echo -e 'n' | ssh-keygen -b 2048 -C {{ SSH_keys.comment }} -t rsa -f {{ SSH_keys.private }} -q -N ""
+ local_action: shell echo -e 'n' | ssh-keygen -C {{ SSH_keys.comment }} -t ed25519 -f {{ SSH_keys.private }} -q -N ""
 args:
 creates: "{{ SSH_keys.private }}"
 - name: Generate the SSH public key
 local_action: shell echo `ssh-keygen -y -f {{ SSH_keys.private }}` {{ SSH_keys.comment }} > {{ SSH_keys.public }}
- args:
- creates: "{{ SSH_keys.public }}"
+ changed_when: false
 - name: Change mode for the SSH private key
 local_action: file path={{ SSH_keys.private }} mode=0600
diff --git a/roles/security/templates/sshd_config.j2 b/roles/security/templates/sshd_config.j2
index ebc93ee..984f45c 100644
--- a/roles/security/templates/sshd_config.j2
+++ b/roles/security/templates/sshd_config.j2
@@ -26,7 +26,6 @@ AcceptEnv LANG LC_*
 # Turn off a lot of features
 IgnoreRhosts yes
 RhostsRSAAuthentication no
-RSAAuthentication no
 HostbasedAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
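Review bot: Changing the tag from `always` to `cloud` only stops this authorized_key task when the play is run with a tag filter that excludes `cloud`; an untagged run still deploys the key to an existing server, so the gating the commit title describes presumably relies on the local-install entry point passing `--skip-tags cloud` (or an equivalent `--tags` selection), which is outside this hunk. A comment above the task would make that contract explicit, e.g. `# Deploys the generated public key only for cloud-provisioned hosts; the existing-server path must skip the 'cloud' tag`. Separately, the unchanged `key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"` nests a template inside a template; the plain `lookup('file', SSH_keys.public)` form is the idiomatic one. The enclosing play and the task header start outside the hunk.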
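Review bot: The rewritten keygen line still splices `{{ SSH_keys.comment }}` and `{{ SSH_keys.private }}` into the `shell` command unquoted, so a comment or path containing whitespace or shell metacharacters changes the command rather than being passed as one argument; Ansible's `quote` filter closes this, e.g. `-C {{ SSH_keys.comment | quote }} -t ed25519 -f {{ SSH_keys.private | quote }}`, and the same applies to the unchanged public-key line below it. Replacing `creates:` with `changed_when: false` means the public key file is now rewritten on every run and the rewrite never appears in the recap; a comment such as `# Always re-derive the public key from the private key; the output is deterministic, so do not report a change` would keep a later reader from re-adding the guard. It is also worth noting beside the task that `-t ed25519` needs an ssh-keygen from OpenSSH 6.5 or newer on the control machine.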
@@ -53,4 +52,3 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
 # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
 # TODO: I haven't seen anyone review these yet
 # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
-