backup: accept older public key algorithms (#482)

mail.ams1.psf.io is using ssh-rsa still, which isn't ideal but until it is upgraded we need to accept this algorithm
python · Aug 27, 2024 · c9bda76 · c9bda76
1 parent 2dcd98a
commit c9bda76
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/salt/backup/server/init.sls b/salt/backup/server/init.sls
@@ -2,6 +2,15 @@
 include:
   - backup.base
 
+{# TODO: When we have retired distros older than 20.04, remove this #}
+/etc/ssh/ssh_config.d/pubkey.conf:
+  file.managed:
+    - contents: |
+        PubkeyAcceptedAlgorithms +ssh-rsa
+    - user: root
+    - group: root
+    - mode: "0644"
+
 {% for backup, config in salt['pillar.get']('backup-server:backups', {}).items() %}
 
 {{ backup }}-user:

diff --git a/salt/ssh/configs/sshd_config.jinja b/salt/ssh/configs/sshd_config.jinja
@@ -1,6 +1,11 @@
 # Basic configuration
 # ===================
 
+# Include sshd_config.d dir for distros that use it
+{% if grains["oscodename"] in ["jammy", "noble"] %}
+Include /etc/ssh/sshd_config.d/*.conf
+{% endif %}
+
 # Either disable or only allow root login via certificates.
 {% if salt["pillar.get"]("ssh:allow_root_with_key", False) %}
 PermitRootLogin without-password