

fix(sshd-certificates.yml): become no for local connection, no more Z…
… option
juju4 committed Nov 2, 2024
1 parent 538e003 commit fe89f88
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion tasks/sshd-certificates.yml
Expand Up @@ -64,17 +64,19 @@
- "{{ harden_sshd_host_key_opath | default('/tmp') }}/{{ inventory_hostname }}{{ harden_sshd_host_key | default('/etc/ssh/ssh_host_ed25519_key.pub') }}"
- "{{ harden_sshd_ca_path }}"
connection: local
become: no

- name: Sign SSH host key
ansible.builtin.command: >
ssh-keygen -s {{ harden_sshd_ca_path }} \
-I "{{ ansible_hostname }}" \
-h -Z {{ ansible_fqdn }} \
-h \
-V {{ harden_sshd_host_key_validity | default('-1d:+54w') }} \
{{ harden_sshd_host_key_opath | default('/tmp') }}/{{ inventory_hostname }}{{ harden_sshd_host_key | default('/etc/ssh/ssh_host_ed25519_key.pub') }}
args:
creates: "{{ harden_sshd_host_key_opath | default('/tmp') }}/{{ inventory_hostname }}/{{ harden_sshd_host_key | default('/etc/ssh/ssh_host_ed25519_key.pub') | regex_replace('.pub$', '-cert.pub') }}"
connection: local
become: no

- name: Return SSH host key signed
ansible.builtin.copy:
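Review bot: Dropping `-Z {{ ansible_fqdn }}` from the `Sign SSH host key` command leaves the host certificate with no principals, and OpenSSH treats a host cert without principals as valid for any hostname, so any machine holding this cert will be accepted by clients that trust the CA via an `@cert-authority` known_hosts entry, regardless of which host it claims to be. In `ssh-keygen` the `-Z` flag selects the cipher used to encrypt a private key, not the certificate principals (presumably why the line had to go, since an FQDN is not a cipher name); the intended restriction is `-n`, so the new line should read `-h -n "{{ ansible_fqdn }}" \` rather than `-h \`. On both added `become: no` lines, Ansible convention and yamllint's truthy rule call for `become: false`. Separately, the `\` line continuations inside the `>` folded scalar are folded into the argument string as literal backslashes, and `ansible.builtin.command` splits that string with shlex where `\` is an escape, so it is worth confirming the task runs at all rather than handing ssh-keygen mangled arguments. The first task in the hunk starts above it and `Return SSH host key signed` continues below it.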
