bastion02: try resigning and using better host certs.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 14:59:21 -08:00 · 2020-11-03 14:59:21 -08:00 · 259a1734ae
commit 259a1734ae
parent e5606578de
1 changed files with 7 additions and 0 deletions
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@ -13,7 +13,14 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
 {% endif %}

 HostKey /etc/ssh/ssh_host_rsa_key
+{% if ansible_hostname == 'bastion02' %}
+HostKey /etc/ssh/ssh_host_ed25519_key
+{% endif %}
+
 HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+{% if ansible_hostname == "bastion02" %}
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+{% endif %}

 SyslogFacility AUTHPRIV
 LogLevel VERBOSE