fabric: disable less-than-sane Cumulus SSH default options

Why no ed25519 keys?
2024-07-26 14:27:34 +02:00 · 2024-07-26 14:27:34 +02:00 · c741b90981
parent 82b10e8133
commit c741b90981
2 changed files with 14 additions and 0 deletions
--- a/roles/fabric/handlers/main.yml
+++ b/roles/fabric/handlers/main.yml
@ -1,3 +1,9 @@
+- name: reload sshd
+  service:
+    name: ssh@mgmt
+    state: reloaded
+  when: "'handler' not in ansible_skip_tags"
+
 - name: reload switchd
  service:
    name: switchd
--- a/roles/fabric/tasks/main.yml
+++ b/roles/fabric/tasks/main.yml
@ -64,6 +64,14 @@
    mode: 0644
  notify: reload interfaces

+- name: Unoverride Cumulus SSH options
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^(PubkeyAcceptedKeyTypes .*)'
+    line: '#\1'
+    backrefs: yes
+  notify: reload sshd
+
 - name: Disable SSH in default VRF
  service:
    name: ssh