From 2c5fc1dc5ad7fe18de2d414f7f907a718c4254f1 Mon Sep 17 00:00:00 2001
From: Simon Michnowicz <simon.michnowicz@monash.edu>
Date: Thu, 26 Nov 2015 14:42:32 +1100
Subject: [PATCH] Fixes up issues with known_hosts file. Renamed file. Included
 ecdsa-sha2-nistp256 keys. Deleted unencrypted file. Fixed read protections

---
 roles/setupKnownHosts/tasks/main.yml           | 18 +++++++++++++-----
 roles/setupKnownHosts/templates/known_hosts.j2 | 16 ++++++++++++----
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/roles/setupKnownHosts/tasks/main.yml b/roles/setupKnownHosts/tasks/main.yml
index 2f520d84..ad1ebffe 100644
--- a/roles/setupKnownHosts/tasks/main.yml
+++ b/roles/setupKnownHosts/tasks/main.yml
@@ -1,10 +1,18 @@
 - name: "Templating /etc/ssh/known_hosts"
-  template: src=known_hosts.j2 dest=/etc/ssh/known_hosts owner=root group=root mode=600
+  template: src=known_hosts.j2 dest=/etc/ssh/ssh_known_hosts owner=root group=root mode=644
   sudo: true
-  register: sshknowhost 
+  register: sshknownhost 
 
-- name: ecrypt the hosts file
-  shell: ssh-keygen -H -f /etc/ssh/known_hosts
+- name: encrypt the hosts file
+  shell: ssh-keygen -H -f /etc/ssh/ssh_known_hosts
+  sudo: true
+  when: sshknownhost.changed
+
+- name: set read permissions 
+  file: path=/etc/ssh/ssh_known_hosts owner=root group=root mode=644 state=file
+  sudo: true
+
+- name: delete ssh_known_hosts.old
+  file: path=/etc/ssh/ssh_known_hosts.old  state=absent
   sudo: true
-  when: sshknowhost.changed
 
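Review bot: The rename leaves the previously templated `/etc/ssh/known_hosts` (mode 600, from the old task on the removed line) in place on hosts that already ran this role, so two diverging host-key files now coexist and nothing in the hunk retires the stale one; add a task alongside the `.old` cleanup, `- name: remove superseded /etc/ssh/known_hosts`, `  file: path=/etc/ssh/known_hosts state=absent`, `  sudo: true`. The task name "encrypt the hosts file" is also misleading: `ssh-keygen -H` only hashes the hostname/IP patterns so they cannot be read back, it does not encrypt anything, and since the keys remain in clear a name such as `hash hostnames in the hosts file` describes what is being protected. The conditional hashing plus unconditional `mode=644` reset is the right order, because `ssh-keygen -H` rewrites the file and the fixup task restores world-readability that an `ssh_known_hosts` file needs. `register: sshknownhost ` and `- name: set read permissions ` carry trailing whitespace that yamllint will flag.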
diff --git a/roles/setupKnownHosts/templates/known_hosts.j2 b/roles/setupKnownHosts/templates/known_hosts.j2
index 326660a1..b083b5ee 100644
--- a/roles/setupKnownHosts/templates/known_hosts.j2
+++ b/roles/setupKnownHosts/templates/known_hosts.j2
@@ -2,14 +2,22 @@
 {% for node in groups['all'] %}
 {% for interface in hostvars[node]['ansible_interfaces'] %}
 {% if interface != "lo" %}
-{% set host = {'name': node, 'ip': hostvars[node]['ansible_'+interface]['ipv4']['address'], 'rsa': hostvars[node]['ansible_ssh_host_key_rsa_public']} %}
+{% if hostvars[node]['ansible_ssh_host_key_rsa_public'] %}
+{% set host = {'name': node, 'ip': hostvars[node]['ansible_'+interface]['ipv4']['address'], 'keytype':'ssh-rsa', 'key': hostvars[node]['ansible_ssh_host_key_rsa_public']} %}
 {% if nodelist.append(host) %}
 {% endif %}
 {% endif %}
+{% if hostvars[node]['ansible_ssh_host_key_ecdsa_public'] %}
+#{% set host = {'name': node, 'ip': hostvars[node]['ansible_'+interface]['ipv4']['address'], 'keytype':'ssh-ecdsa', 'key': hostvars[node]['ansible_ssh_host_key_ecdsa_public']} %}
+{% set host = {'name': node, 'ip': hostvars[node]['ansible_'+interface]['ipv4']['address'], 'keytype':'ecdsa-sha2-nistp256', 'key': hostvars[node]['ansible_ssh_host_key_ecdsa_public']} %}
+{% if nodelist.append(host) %}
+{% endif %}
+{% endif %}
+{% endif %}
 {% endfor %}
 {% endfor %}
 
-{% for host in nodelist|unique %}
-{{ host.ip }} ssh-rsa {{ host.rsa }}
-{{ host.name }} ssh-rsa {{ host.rsa }}
+{% for host in nodelist %}
+{{ host.ip }} {{ host.keytype }} {{ host.key }}
+{{ host.name }} {{ host.keytype }} {{ host.key }}
 {% endfor %}
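Review bot: The `#`-prefixed line with `'keytype':'ssh-ecdsa'` is not a Jinja comment; `{% set host = ... %}` still executes during templating and a literal `#` line is emitted into the rendered `ssh_known_hosts`, so the leftover should be deleted or wrapped as `{# ... #}`. The ECDSA key type is hard-coded to `ecdsa-sha2-nistp256` while the fact only supplies the key blob; for a host whose ECDSA key is on a different curve the line label will not match the key, and ssh will treat that host as unknown rather than verify it, which silently weakens the protection this file is meant to provide. If the fact set in use exposes the key type, prefer it over the literal; otherwise document the assumption above the `set`, e.g. `{# assumes every host's ECDSA key is nistp256 — verify against ssh-keyscan output #}`. Dropping `|unique` on the final loop means a node with several non-lo interfaces now emits its hostname line once per interface; this is harmless to ssh but worth a one-line comment so the duplication is not mistaken for a bug.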
-- 
GitLab