Merge pull request #493 from konstruktoid/sshkeys

fix sshd host key permissions

molecule/default/molecule.yml

@@ -22,6 +22,7 @@ provisioner:
         sshd_allow_groups:
           - vagrant
           - sudo
+        sshd_host_keys_group: ssh_keys
         sshd_update_moduli: true
         suid_sgid_permissions: false
       almalinux9:
@@ -31,6 +32,7 @@ provisioner:
         sshd_allow_groups:
           - vagrant
           - sudo
+        sshd_host_keys_group: ssh_keys
         sshd_update_moduli: true
       bookworm:
         ansible_become_pass: vagrant

tasks/sshconfig.yml

@@ -182,14 +182,6 @@
           - /etc/ssh/ssh_host_ed25519_key
       when: ssh_installed_version is version('6.5', '>=')
 
-    - name: Change host private key ownership, group and permissions
-      ansible.builtin.file:
-        path: "{{ item }}"
-        owner: "{{ sshd_host_keys_owner }}"
-        group: "{{ sshd_host_keys_group }}"
-        mode: "{{ sshd_host_keys_mode }}"
-      loop: "{{ sshd_host_keys_files }}"
-
 - name: Disable PAM dynamic MOTD
   become: true
   community.general.pamd:
@@ -356,9 +348,9 @@
 - name: Set sshd host key permissions
   become: true
   ansible.builtin.file:
-    owner: root
-    group: root
-    mode: "0600"
+    owner: "{{ sshd_host_keys_owner }}"
+    group: "{{ sshd_host_keys_group }}"
+    mode: "{{ sshd_host_keys_mode }}"
     path: "{{ item.path }}"
   loop: "{{ ssh_host_keys.files }}"
   loop_control: