
ssh_hardening fail on keypair generation #388

Closed
beechesII opened this issue Feb 4, 2021 · 4 comments

beechesII commented Feb 4, 2021

Hi,

The role devsec.hardening.ssh_hardening runs into a failure within the play on the task "replace default 2048 bits RSA keypair with 4096 bits keypair".
The parameter regenerate seems not to be supported by openssh_keypair. Even with the community collection community.crypto installed, the task is failing.
community.crypto includes openssh_keypair.

Expected behavior

With included community.crypto collection the task replace default 2048 bits RSA keypair with 4096 bits keypair should not fail.

Actual behavior

```text
[root@my-new-host home-ansible]# ansible-playbook playbooks/ssh-hardening.yml --diff

PLAY [my_new_host] ************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [my-new-host]

TASK [devsec.hardening.ssh_hardening : include_tasks] ***************************************************************************************************************************************************************************************
included: /root/home-ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/hardening.yml for my-new-host

TASK [devsec.hardening.ssh_hardening : Fetch OS dependent variables] ************************************************************************************************************************************************************************
ok: [my-new-host] => (item=/root/home-ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/vars/RedHat.yml)

TASK [devsec.hardening.ssh_hardening : Set OS dependent variables, if not already defined by user] ******************************************************************************************************************************************
ok: [my-new-host] => (item={u'key': u'ssh_selinux_packages', u'value': [u'policycoreutils-python', u'checkpolicy']})
ok: [my-new-host] => (item={u'key': u'sshd_service_name', u'value': u'sshd'})
ok: [my-new-host] => (item={u'key': u'sshd_path', u'value': u'/usr/sbin/sshd'})
ok: [my-new-host] => (item={u'key': u'ssh_kerberos_support', u'value': True})
ok: [my-new-host] => (item={u'key': u'ssh_owner', u'value': u'root'})
ok: [my-new-host] => (item={u'key': u'ssh_group', u'value': u'root'})
ok: [my-new-host] => (item={u'key': u'sshd_disable_crypto_policy', u'value': True})
ok: [my-new-host] => (item={u'key': u'ssh_host_keys_group', u'value': u'ssh_keys'})
ok: [my-new-host] => (item={u'key': u'ssh_pam_support', u'value': True})
ok: [my-new-host] => (item={u'key': u'ssh_host_keys_owner', u'value': u'root'})
ok: [my-new-host] => (item={u'key': u'sshd_moduli_file', u'value': u'/etc/ssh/moduli'})
ok: [my-new-host] => (item={u'key': u'ssh_host_keys_dir', u'value': u'/etc/ssh'})

TASK [devsec.hardening.ssh_hardening : get openssh-version] *********************************************************************************************************************************************************************************
ok: [my-new-host]

TASK [devsec.hardening.ssh_hardening : parse openssh-version] *******************************************************************************************************************************************************************************
ok: [my-new-host]

TASK [devsec.hardening.ssh_hardening : set default for ssh_host_key_files if not supplied] **************************************************************************************************************************************************
included: /root/home-ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/crypto_hostkeys.yml for my-new-host

TASK [devsec.hardening.ssh_hardening : replace default 2048 bits RSA keypair with 4096 bits keypair] ****************************************************************************************************************************************
fatal: [my-new-host]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (openssh_keypair) module: regenerate Supported parameters include: attributes, backup, comment, content, delimiter, directory_mode, follow, force, group, mode, owner, path, regexp, remote_src, selevel, serole, setype, seuser, size, src, state, type, unsafe_writes"}

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
my-new-host            : ok=7    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
```

Example Playbook

```yaml
---
- hosts:
    - my_new_host
  gather_facts: true
  collections:
    - community.crypto
    - devsec.hardening
  roles:
    - devsec.hardening.ssh_hardening
```

OS / Environment

```text
[root@my-new-host home-ansible]# cat /etc/*ease
CentOS Linux release 7.9.2009 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.9.2009 (Core)
CentOS Linux release 7.9.2009 (Core)

[root@my-new-host home-ansible]# rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
```

Ansible Version

```text
ansible 2.9.16
  config file = /root/home-ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules', u'/root/home-ansible/collections/ansible_collections/community/crypto/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Nov 16 2020, 22:23:17) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
```

Role Version

```text
[root@my-new-host hardening]# pwd
/root/home-ansible/collections/ansible_collections/devsec/hardening

[root@my-new-host hardening]# git describe --tags
7.1.0

[root@my-new-host crypto]# pwd
/root/home-ansible/collections/ansible_collections/community/crypto

[root@my-new-host crypto]# git describe --tags
1.4.0
```


rndmh3ro (Member) commented Feb 5, 2021

Ansible 2.9's openssh_keypair really does not support the regenerate option.

community.crypto says it supports regenerate since version 1.0.0. What version did you test with?

To fix this, we could do something like this:

```yaml
- name: replace default 2048 bits RSA keypair with 4096 bits keypair
  openssh_keypair:
    state: present
    type: rsa
    size: 4096
    path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
    force: false
    # A Jinja expression must be quoted in YAML, and version strings are
    # compared with the 'version' test rather than a string '>='. The
    # threshold '2.10' is assumed to be the one intended (written '2.1.0' above).
    regenerate: "{{ (ansible_version.full is version('2.10', '>=')) | ternary('partial_idempotence', omit) }}"
```

Note that this syntax is not correct.

schurzi (Contributor) commented Feb 5, 2021

We could also reference the module by its FQCN and declare a dependency on community.crypto >=1.0.0. That way it would use the community module, even with older Ansible versions. The current problem is that `openssh_keypair` is also an Ansible module that comes by default and not through collections, and this overrides the collection module, even if specified.

```yaml
- name: replace default 2048 bits RSA keypair with 4096 bits keypair
  community.crypto.openssh_keypair:
    state: present
    type: rsa
    size: 4096
    path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
    force: false
    regenerate: partial_idempotence
```
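To make the `regenerate: partial_idempotence` setting above concrete, here is an added example (written for this issue, not code from the dev-sec role or from community.crypto) that models the decision the setting expresses: keep the existing host key when its type and size already match, regenerate it otherwise. It does so by parsing the OpenSSH public-key wire format of a `.pub` line directly. The sample keys are constructed in-code from chosen moduli, not real `ssh-keygen` output, and the module's actual check (which also inspects the private key) is assumed to behave as described in the collection's documentation.

```python
"""Added example: model the 'partial_idempotence' regeneration decision for an
OpenSSH host key by parsing its public-key line (ssh-rsa wire format)."""
import base64
import struct


def _mpint(value: int) -> bytes:
    """Encode an integer as an SSH mpint (RFC 4251): 4-byte length prefix,
    big-endian magnitude, with a leading zero byte when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data


def build_rsa_pubkey_line(e: int, n: int, comment: str = "constructed") -> str:
    """Build an ssh_host_rsa_key.pub style line from public exponent e and
    modulus n. Used only to construct sample input; real keys come from ssh-keygen."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field starting at offset off."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_pubkey_line(line: str):
    """Return (key_type, size_bits) for an OpenSSH public key line.
    Only ssh-rsa is sized here; other key types are returned with size None."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type.decode() != parts[0]:
        raise ValueError("key type prefix does not match the wire blob")
    if key_type == b"ssh-rsa":
        _e, off = _read_string(blob, off)
        n_raw, _ = _read_string(blob, off)
        # A leading zero pad byte does not change the integer value or bit length.
        n = int.from_bytes(n_raw, "big")
        return "rsa", n.bit_length()
    return key_type.decode().replace("ssh-", ""), None


def needs_regeneration(pubkey_line: str, want_type: str, want_size: int) -> bool:
    """partial_idempotence semantics (assumed from the module docs): keep the
    existing key if type and size match, regenerate otherwise. force=true
    would regenerate unconditionally."""
    have_type, have_size = parse_pubkey_line(pubkey_line)
    return have_type != want_type or have_size != want_size


# Constructed sample host keys: the stock 2048-bit key this issue is about,
# and a 4096-bit key as it would look after the role has done its job.
DEFAULT_2048_KEY = build_rsa_pubkey_line(65537, (1 << 2047) | 1, "root@my-new-host")
HARDENED_4096_KEY = build_rsa_pubkey_line(65537, (1 << 4095) | 1, "root@my-new-host")

if __name__ == "__main__":
    for label, line in (("default", DEFAULT_2048_KEY), ("hardened", HARDENED_4096_KEY)):
        print(label, parse_pubkey_line(line),
              "regenerate:", needs_regeneration(line, "rsa", 4096))
```

Running the script shows the 2048-bit key flagged for regeneration and the 4096-bit key left alone, which is exactly why `partial_idempotence` is preferable to `force: true` on a host whose key already meets the policy: an unnecessary host-key rotation invalidates every client's known_hosts entry for no security gain.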

beechesII (Author) commented Feb 5, 2021

Hi @rndmh3ro,
I use community.crypto = 1.4.0:

```text
[root@my-new-host crypto]# 
/root/home-ansible/collections/ansible_collections/community/crypto
[root@my-new-host crypto]# git describe --tags
1.4.0
```

beechesII (Author) commented

Hi @schurzi,
I'm testing your fix, by editing devsec/hardening/roles/ssh_hardening/tasks/crypto_hostkeys.yml.
It works fine :)
