From 2c6da106b2567c9e663719d4ad6b717adba4774d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Tue, 26 Aug 2025 01:13:19 +0200
Subject: [PATCH] fix: ssh authorized_keys fallback

---
 roles/sshd/tasks/main.yml           |  8 ++++++++
 roles/sshd/templates/sshd_config.j2 | 11 +++++------
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 218cbd5..3a5e5bd 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -53,6 +53,14 @@
     - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
       command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}"
       loop: "{{ ssh_users.split() }}"
+
+    - name: Fix ownership
+      file:
+        path: "{{ssh_authorized_keys_fallback_dir}}/{{ item }}"
+        owner: "{{ item }}"
+        group: "{{ item }}"
+        mode: "0600"
+      loop: "{{ ssh_users.split() }}"
   when: ssh_authorized_keys_fallback_enabled
 
 - name: Create an SSH banner
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index eb1061d..b34257c 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -19,6 +19,11 @@ ChallengeResponseAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
 UsePAM yes
+{% if ssh_authorized_keys_fallback_enabled %}
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
+{% else %}
+AuthorizedKeysFile .ssh/authorized_keys
+{% endif %}
 
 # Login timeout and grace period
 LoginGraceTime 30s
@@ -62,9 +67,3 @@ Compression no
 {% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
 UsePrivilegeSeparation sandbox
 {% endif %}
-
-{% if ssh_authorized_keys_fallback_enabled %}
-AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
-{% else %}
-AuthorizedKeysFile .ssh/authorized_keys
-{% endif %}
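Review bot: The new `Fix ownership` task papers over the `cp` in the `command` task just above it rather than replacing it: that `cp` still reports changed on every run, creates the fallback file under root's umask before the second task repairs owner and mode, and aborts the play for any user in `ssh_users` who has no `~/.ssh/authorized_keys` yet. Folding both steps into one `copy` task with `remote_src: true` and the ownership arguments makes the result idempotent and applies `0600` together with the copy instead of in a separate pass. Note also that sshd with the default `StrictModes yes` silently ignores an `AuthorizedKeysFile` whose parent directory is group- or world-writable or not owned by root or the user, so whatever task creates `ssh_authorized_keys_fallback_dir` (not visible in this hunk) should pin it to root ownership and a non-writable-by-others mode — I cannot confirm that from here. The enclosing `block:` starts outside the hunk; only its trailing `when:` is visible.
```yaml
    - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
      copy:
        src: "/home/{{ item }}/.ssh/authorized_keys"
        dest: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
        remote_src: true
        owner: "{{ item }}"
        group: "{{ item }}"
        mode: "0600"
      loop: "{{ ssh_users.split() }}"
    # … unchanged: block-level `when: ssh_authorized_keys_fallback_enabled` …
```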
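Review bot: The relocated `AuthorizedKeysFile` line hard-codes `/etc/ssh/authorized_keys/%u` while the tasks that populate the fallback write to `{{ssh_authorized_keys_fallback_dir}}/{{ item }}`; if that variable is ever overridden the two paths diverge and the fallback stops working with no error from sshd, since a missing second key file is simply skipped. Render the directive from the same variable so the two cannot drift: `AuthorizedKeysFile .ssh/authorized_keys {{ ssh_authorized_keys_fallback_dir }}/%u`. The reason for moving the block up from the end of the template is not visible in this hunk — presumably so the directive stays in the global section rather than after some later stanza — and a one-line comment above the `{% if %}` such as `# Fallback keys live outside HOME so login works when the home dir is unavailable; keep this in the global section` would record that for the next editor.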