Use cryptography backend for openssh_keypair

With default "auto" backend, opensshbin is first pick, which fails
to read a key in case of insecure permissions. This makes task fail
in case private key in topic has mode different from 0600, even if
different mode specified for the module itself [1].

Along with switching backend we are also adding mode key to be supported.

[1] https://github.com/ansible-collections/community.crypto/issues/564
Change-Id: I9444ef832136783bde1eff5425e4cd369f905a5c
Dmitriy Rabotyagov 2023-01-18 20:26:52 +01:00
parent 145fd7a1e6
commit 1dbc2985d3
1 changed files with 2 additions and 0 deletions

@ -28,6 +28,8 @@
size: "{{ kp.size | default(omit) }}"
type: "{{ kp.type | default(omit) }}"
path: "{{ kp_dir ~ '/' ~ kp['name'] }}"
mode: "{{ kp.mode | default(omit) }}"
backend: cryptography
register: kp_keys
- name: Generate an OpenSSH user certificate for {{ kp['name'] }}
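
Review bot: `backend: cryptography` is hard-coded on the second added line, so this task now depends on the Python cryptography library being available where it runs, with no way to select `opensshbin` again; consider a role variable that defaults to `cryptography`, or state the dependency in the role documentation. The new `kp.mode` key on the line above it is passed straight into `mode` and is not documented in this change: describe it next to `kp.size` and `kp.type`, say that it should be given as a quoted octal string such as "0600", and note that any wider value makes the private key at `path` readable beyond its owner, which is the condition the commit message says `opensshbin` refuses.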