bkus closed 1 year ago
Overall looks good. With regard to the os_linux ssh_args, I assume it is planned to have a separate group for MT devices. Those will need to have DSA keys enabled, or an effort made to clean up and update some of the older devices that still have DSA keys in use.
I thought we were fully migrated to RSA by now. Yikes.
One example. I'm certain there are others but don't have an exhaustive list.
```
[nigel@ER1.Seattle] > user ssh-keys print
Flags: R - RSA, D - DSA
 #   USER         BITS  KEY-OWNER
 0 D NQ1E               NQ1E-dsa
 1 D monitoring         monitoring@monitoring
 2 D nigel              nigel
 3 D osburn             osburn
 4 D tom                tom
 5 D ryan_turner        ryanturner@Ryans-MacBook-Pro.local
 6 D ve7alb             imported-openssh-key
 7 R kc7aad       2048  kc7aad
 8 R KD7DK        2048  KD7DK
 9 R kennyr       2048  kennyr@kgrMBP.local
10 R nr3o         2048  rob
11 R W3RWN        2048  randy
12 R eo           2048  AE7SJ
13 R dylan        2048  dylan@KI7SBI
```
And to answer your original question, yes there's already an "os_routeros" group in the inventory. There will probably be a separate role to sync those accounts. It probably won't use SSH at all.
Keeping the playbook limited to 1 host for now, by default. Making it apply network-wide is as trivial as swapping a couple comment lines though.
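To get the exhaustive list the thread says is missing, the `user ssh-keys print` output can be collected per device and parsed for the `D` flag. The following is an added example, not part of this thread or the project's playbook; the hostnames and users in `SAMPLE` are constructed, and the parser assumes the whitespace-separated layout shown in the listing above, where DSA rows carry no BITS value.

```python
from typing import NamedTuple, Optional

FLAGS = {"R": "RSA", "D": "DSA"}  # legend printed by RouterOS: "Flags: R - RSA, D - DSA"

class SshKey(NamedTuple):
    index: int
    key_type: str
    user: str
    bits: Optional[int]  # None when the row has no BITS value (the DSA rows above)
    owner: str

def parse_ssh_keys(output: str) -> list[SshKey]:
    """Parse one device's `user ssh-keys print` output into key records."""
    keys = []
    for line in output.splitlines():
        tok = line.split()
        # Data rows start with a numeric index and a one-letter flag; the
        # prompt, the "Flags:" legend and the "#" header row are skipped.
        if len(tok) < 4 or not tok[0].isdigit() or tok[1] not in FLAGS:
            continue
        rest = tok[3:]
        # Assumption: a leading numeric token followed by more text is BITS.
        bits = int(rest.pop(0)) if len(rest) > 1 and rest[0].isdigit() else None
        keys.append(SshKey(int(tok[0]), FLAGS[tok[1]], tok[2], bits, " ".join(rest)))
    return keys

def dsa_report(outputs: dict[str, str]) -> dict[str, list[str]]:
    """Map each host to the users that still have a DSA key installed."""
    report = {}
    for host, text in outputs.items():
        users = sorted({k.user for k in parse_ssh_keys(text) if k.key_type == "DSA"})
        if users:
            report[host] = users
    return report

# Constructed sample output; hostnames and users are placeholders.
SAMPLE = {
    "rtr1.example": """[admin@rtr1.example] > user ssh-keys print
Flags: R - RSA, D - DSA
# USER BITS KEY-OWNER
0 D mon mon@monitoring
1 D alice alice-dsa
2 R bob 2048 bob@laptop.local""",
    "rtr2.example": """Flags: R - RSA, D - DSA
 #   USER   BITS  KEY-OWNER
 0 R carol  2048  carol""",
}

if __name__ == "__main__":
    for host, users in dsa_report(SAMPLE).items():
        print(f"{host}: DSA keys still installed for {', '.join(users)}")
```

Hosts absent from the report have no DSA keys left and do not need DSA enabled in their SSH arguments.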