From d3c74ec31933d647268607145dc1bed8c2cc2951 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Wed, 21 Jun 2017 16:32:15 +0100
Subject: [PATCH] tasks: rhel7stig: sshd: Avoid using with_fileglob for remote hosts

'with_*' does not work as expected when running tasks on remote hosts. The reason for that is that 'with_fileglob' runs on the host running the play instead of the remote one. It's very likely that the ssh keys obtained from the running host will not exist on the remote one and the following failure could be observed:

TASK [../../../ansible-hardening : Public host key files must have mode 0644 or less] ***
ok: [centos7] => (item=/etc/ssh/ssh_host_rsa_key.pub)
ok: [centos7] => (item=/etc/ssh/ssh_host_ecdsa_key.pub)
ok: [centos7] => (item=/etc/ssh/ssh_host_ed25519_key.pub)
failed: [centos7] (item=/etc/ssh/ssh_host_dsa_key.pub) => {"failed": true, "item": "/etc/ssh/ssh_host_dsa_key.pub", "msg": "file (/etc/ssh/ssh_host_dsa_key.pub) is absent, cannot continue", "path": "/etc/ssh/ssh _host_dsa_key.pub", "state": "absent"}
failed: [centos7] (item=/etc/ssh/ssh_host_key.pub) => {"failed": true, "item": "/etc/ssh/ssh_host_key.pub", "msg": "file (/etc/ssh/ssh_host_key.pub) is absent, cannot continue", "path": "/etc/ssh/ssh_host_key.pu b", "state": "absent"}

Link: https://github.com/ansible/ansible/issues/10115
Change-Id: Ic55c0929ee134ccc162a54194645b078706a3dfb
---
 tasks/rhel7stig/sshd.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index e25af47b..e80ec30a 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -84,23 +84,37 @@
     - sshd
     - V-72235
 
+- name: Determine existing public ssh host keys
+  shell: ls /etc/ssh/*.pub
+  register: public_ssh_host_keys
+  # The sheel command will always report 'changed' so we need to
+  # ignore that since this role is supposed to be idempotent
+  changed_when: false
+
 - name: Public host key files must have mode 0644 or less
   file:
     path: "{{ item }}"
     mode: "u-xX,g-wxs,o-wxt"
-  with_fileglob:
-    - /etc/ssh/*.pub
+  with_items:
+    - "{{ public_ssh_host_keys.stdout_lines | default([]) }}"
   tags:
     - medium
     - sshd
     - V-72255
 
+- name: Determine existing private ssh host keys
+  shell: ls /etc/ssh/*_key
+  register: private_ssh_host_keys
+  # The sheel command will always report 'changed' so we need to
+  # ignore that since this role is supposed to be idempotent
+  changed_when: false
+
 - name: Private host key files must have mode 0600 or less
   file:
     path: "{{ item }}"
     mode: "u-xX,g-rwxs,o-rwxt"
-  with_fileglob:
-    - /etc/ssh/*_key
+  with_items:
+    - "{{ private_ssh_host_keys.stdout_lines | default([]) }}"
   tags:
     - medium
     - sshd
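Review bot: `shell: ls /etc/ssh/*.pub` in the new "Determine existing public ssh host keys" task exits non-zero when nothing matches (the shell hands the unmatched glob to ls literally), so a host with no such files fails the play at the register step and the `default([])` guard on `stdout_lines` in the consuming task never gets a chance to help; the private-key task's `shell: ls /etc/ssh/*_key` has the same problem. The smallest fix is adding `failed_when: false` to both register tasks, but the enumeration is better done with the `find` module, which runs on the managed host, never reports changed (so `changed_when: false` and its explanatory comment become unnecessary) and returns structured `files` entries instead of parsed `ls` output. The comment in both new tasks also misspells shell as `sheel`. The hunk opens inside the tags of the preceding task and closes before the private-key task's tags list ends, so those lines are not visible here.
```yaml
- name: Determine existing public ssh host keys
  find:
    paths: /etc/ssh
    patterns: "*.pub"
  register: public_ssh_host_keys

- name: Public host key files must have mode 0644 or less
  file:
    path: "{{ item.path }}"
    mode: "u-xX,g-wxs,o-wxt"
  with_items: "{{ public_ssh_host_keys.files | default([]) }}"
  # … unchanged: tags …
# … private host key tasks mirror the above with patterns: "*_key" and mode: "u-xX,g-rwxs,o-rwxt" …
```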