From 777a4693a1c7a8219900b2e35067c0e5955bc090 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Fri, 1 Sep 2023 15:42:24 -0400
Subject: [PATCH] Improve SSH configuration for nodes

Ensure hostbased auth works with configs, remove erroneous old conditional for authtypes, remove obsolete config option.
---
 roles/base/templates/etc/ssh/shosts.equiv.j2 | 5 +++++
 roles/base/templates/etc/ssh/ssh_known_hosts.j2 | 3 +++
 roles/base/templates/etc/ssh/sshd_config.j2 | 7 -------
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/roles/base/templates/etc/ssh/shosts.equiv.j2 b/roles/base/templates/etc/ssh/shosts.equiv.j2
index 5bb3663..a308526 100644
--- a/roles/base/templates/etc/ssh/shosts.equiv.j2
+++ b/roles/base/templates/etc/ssh/shosts.equiv.j2
@@ -1,3 +1,8 @@
 # SSH remote allowed hosts
 # {{ ansible_managed }}
+{% for host in groups[cluster_group] %}
+{{ host }}
+{{ host.split('.')[0] }}.{{ networks['cluster']['domain'] }}
+{{ host.split('.')[0] }}
+{% endfor %}
diff --git a/roles/base/templates/etc/ssh/ssh_known_hosts.j2 b/roles/base/templates/etc/ssh/ssh_known_hosts.j2
index 5bb3663..b17201d 100644
--- a/roles/base/templates/etc/ssh/ssh_known_hosts.j2
+++ b/roles/base/templates/etc/ssh/ssh_known_hosts.j2
@@ -1,3 +1,6 @@
 # SSH remote allowed hosts
 # {{ ansible_managed }}
+{% for host in groups[cluster_group] %}
+{{ host }},{{ host.split('.')[0] }}.{{ networks['cluster']['domain'] }},{{ host.split('.')[0] }} ssh-ed25519 {{ hostvars[host].ansible_ssh_host_key_ed25519_public }}
+{% endfor %}
diff --git a/roles/base/templates/etc/ssh/sshd_config.j2 b/roles/base/templates/etc/ssh/sshd_config.j2
index 9f95029..c72fac6 100644
--- a/roles/base/templates/etc/ssh/sshd_config.j2
+++ b/roles/base/templates/etc/ssh/sshd_config.j2
@@ -6,7 +6,6 @@ ListenAddress ::
 ListenAddress 0.0.0.0
 Protocol 2
 HostKey /etc/ssh/ssh_host_ed25519_key
-UsePrivilegeSeparation yes
 SyslogFacility AUTH
 LogLevel INFO
 LoginGraceTime 120
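Review bot: The three name forms written per host grant every non-root account on that host login to the same-named account here with no per-user restriction, and they are only as strong as the host-key check, so each form must stay byte-identical to the aliases on the host's line in `ssh_known_hosts.j2` — with `HostbasedUsesNameFromPacketOnly yes` from the sshd_config hunk, sshd looks the client-asserted name up in both files. A comment making that coupling explicit would help the next editor: `# Each name form must also appear as an alias on the host's line in ssh_known_hosts.j2`. When an inventory name is already the short form, the first and third lines duplicate, which sshd tolerates. `groups[cluster_group]` comes from the inventory rather than gathered facts, so this file renders the same under `--limit`.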
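Review bot: The header comment `# SSH remote allowed hosts` was carried over from shosts.equiv.j2 (both files start from the same blob 5bb3663) and misdescribes this file, which holds host public keys rather than an allow list; suggest `# SSH host keys of cluster nodes, used to verify hostbased-auth peers`. `hostvars[host].ansible_ssh_host_key_ed25519_public` is a gathered fact, so a run with `--limit` or an unreachable cluster member fails templating on an undefined variable unless facts are cached; that is the safe failure mode, but a comment such as `# requires facts gathered (or cached) for every host in cluster_group` would make the error recognisable. Only the ed25519 key is published, matching the single `HostKey /etc/ssh/ssh_host_ed25519_key` in sshd_config.j2, so a peer presenting another host-key type cannot authenticate by host.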
@@ -29,15 +28,9 @@ PubkeyAuthentication yes
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 PasswordAuthentication no
-{% if 'hv' in group_names %}
 HostbasedAuthentication yes
 HostbasedUsesNameFromPacketOnly yes
 IgnoreRhosts no
-PermitRootLogin yes
-{% else %}
-HostbasedAuthentication no
-IgnoreRhosts yes
 PermitRootLogin no
-{% endif %}
 Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO
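Review bot: `IgnoreRhosts no` now applies to every node rather than only the `hv` group, which makes sshd honor per-user `~/.shosts` and `~/.rhosts` in addition to the managed `/etc/shosts.equiv`, and with the default `IgnoreUserKnownHosts no` a user's own `~/.ssh/known_hosts` can supply the host key as well, so any account can extend hostbased trust for itself to hosts outside the cluster. If the intent is that only the two templated files define trust, change the line to `IgnoreRhosts yes` and add `IgnoreUserKnownHosts yes`; `IgnoreRhosts` does not affect `/etc/shosts.equiv`, so cluster logins keep working. `PermitRootLogin no` is now unconditional, which is consistent with sshd not consulting `/etc/shosts.equiv` for root anyway, but any root-to-root hostbased access the removed `hv` branch relied on is gone. The header counts 15 old lines while 14 are visible, so a blank context line was probably lost when the patch was collapsed.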