tasks: rhel7stig: sshd: Avoid using with_fileglob for remote hosts

'with_*' does not work as expected when running tasks on remote hosts. The reason for that is that 'with_fileglob' runs on the host running the play instead of the remote one. It's very likely that the ssh keys obtained from the running host will not exist on the remote one and the following failure could be observed: TASK [../../../ansible-hardening : Public host key files must have mode 0644 or less] *** ok: [centos7] => (item=/etc/ssh/ssh_host_rsa_key.pub) ok: [centos7] => (item=/etc/ssh/ssh_host_ecdsa_key.pub) ok: [centos7] => (item=/etc/ssh/ssh_host_ed25519_key.pub) failed: [centos7] (item=/etc/ssh/ssh_host_dsa_key.pub) => {"failed": true, "item": "/etc/ssh/ssh_host_dsa_key.pub", "msg": "file (/etc/ssh/ssh_host_dsa_key.pub) is absent, cannot continue", "path": "/etc/ssh/ssh _host_dsa_key.pub", "state": "absent"} failed: [centos7] (item=/etc/ssh/ssh_host_key.pub) => {"failed": true, "item": "/etc/ssh/ssh_host_key.pub", "msg": "file (/etc/ssh/ssh_host_key.pub) is absent, cannot continue", "path": "/etc/ssh/ssh_host_key.pu b", "state": "absent"} Link: https://github.com/ansible/ansible/issues/10115 Change-Id: Ic55c0929ee134ccc162a54194645b078706a3dfb
2017-06-21 16:32:15 +01:00 · 2017-06-21 16:32:15 +01:00 · d3c74ec319
commit d3c74ec319
parent 76b51e3710
1 changed files with 18 additions and 4 deletions
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@ -84,23 +84,37 @@
    - sshd
    - V-72235

+- name: Determine existing public ssh host keys
+  shell: ls /etc/ssh/*.pub
+  register: public_ssh_host_keys
+  # The sheel command will always report 'changed' so we need to
+  # ignore that since this role is supposed to be idempotent
+  changed_when: false
+
 - name: Public host key files must have mode 0644 or less
  file:
    path: "{{ item }}"
    mode: "u-xX,g-wxs,o-wxt"
-  with_fileglob:
-    - /etc/ssh/*.pub
+  with_items:
+    - "{{ public_ssh_host_keys.stdout_lines | default([]) }}"
  tags:
    - medium
    - sshd
    - V-72255

+- name: Determine existing private ssh host keys
+  shell: ls /etc/ssh/*_key
+  register: private_ssh_host_keys
+  # The sheel command will always report 'changed' so we need to
+  # ignore that since this role is supposed to be idempotent
+  changed_when: false
+
 - name: Private host key files must have mode 0600 or less
  file:
    path: "{{ item }}"
    mode: "u-xX,g-rwxs,o-rwxt"
-  with_fileglob:
-    - /etc/ssh/*_key
+  with_items:
+    - "{{ private_ssh_host_keys.stdout_lines | default([]) }}"
  tags:
    - medium
    - sshd