From fe89f88b52cf5be3e5c6cbc5d11339111bb8961e Mon Sep 17 00:00:00 2001
From: juju4
Date: Sat, 2 Nov 2024 15:47:24 +0000
Subject: [PATCH] fix(sshd-certificates.yml): become no for local connection, no more Z option

---
 tasks/sshd-certificates.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tasks/sshd-certificates.yml b/tasks/sshd-certificates.yml
index f4c64f6..2025453 100644
--- a/tasks/sshd-certificates.yml
+++ b/tasks/sshd-certificates.yml
@@ -64,17 +64,19 @@
 - "{{ harden_sshd_host_key_opath | default('/tmp') }}/{{ inventory_hostname }}{{ harden_sshd_host_key | default('/etc/ssh/ssh_host_ed25519_key.pub') }}"
 - "{{ harden_sshd_ca_path }}"
 connection: local
+ become: no
 - name: Sign SSH host key
 ansible.builtin.command: >
 ssh-keygen -s {{ harden_sshd_ca_path }} \
 -I "{{ ansible_hostname }}" \
-h -Z {{ ansible_fqdn }} \
+ -h \
 -V {{ harden_sshd_host_key_validity | default('-1d:+54w') }} \
 {{ harden_sshd_host_key_opath | default('/tmp') }}/{{ inventory_hostname }}{{ harden_sshd_host_key | default('/etc/ssh/ssh_host_ed25519_key.pub') }}
 args:
 creates: "{{ harden_sshd_host_key_opath | default('/tmp') }}/{{ inventory_hostname }}/{{ harden_sshd_host_key | default('/etc/ssh/ssh_host_ed25519_key.pub') | regex_replace('.pub$', '-cert.pub') }}"
 connection: local
+ become: no
 - name: Return SSH host key signed
 ansible.builtin.copy:
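Review bot: Dropping `-Z` from the "Sign SSH host key" command leaves the host certificate with no principals at all, because `-Z` was never ssh-keygen's principals option (it selects the private-key cipher) and nothing in the new line replaces it, so a client trusting this CA would accept the certificate for any hostname. The least-privilege fix is to keep the hostname as a principal with the real option: `-h -n {{ ansible_fqdn }} \`. The two added `become: no` lines (the first belongs to a task that starts before this hunk) would be better written as `become: false`, since `no` is a YAML 1.1 boolean that yamllint's truthy rule and YAML 1.2 parsers treat differently. Separately, the `creates:` path puts a `/` between `inventory_hostname` and the key path while the command line does not, giving a doubled slash that is harmless on POSIX but worth aligning so the idempotence check matches the file actually written.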