From a23741999ea981b41c1666d3922037939e9b029f Mon Sep 17 00:00:00 2001
From: Will Szumski <will@stackhpc.com>
Date: Fri, 21 Jun 2024 16:57:04 +0000
Subject: [PATCH] Actually check key type

Don't assume that users won't lie to you. I actually hit this when
following the terraform multinode README. My version of openssh will
generate ed25519 keys by default and the example command in the README
names this id_rsa[1]. This of course ends up locking you out of the
system.

[1] https://github.com/stackhpc/terraform-kayobe-multinode/blob/a3e72a90c8ce835cc2bb4cbda83e79b0c32afdde/README.rst#L73
---
 etc/kayobe/ansible/cis.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
index f35906344..fada43731 100644
--- a/etc/kayobe/ansible/cis.yml
+++ b/etc/kayobe/ansible/cis.yml
@@ -6,12 +6,19 @@
   tasks:
     # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
     # https://gitlab.com/gitlab-org/gitlab/-/issues/367429#note_1840422075
-    - name: Assert that we are using a supported SSH key
-      assert:
-        that:
-          - ssh_key_type != 'ed25519'
-        fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
-      when: ansible_facts.os_family == 'RedHat'
+    - when: ansible_facts.os_family == 'RedHat'
+      block:
+       - name: Check type of key using the file command
+         raw: file {{ ssh_private_key_path }}
+         delegate_to: localhost
+         changed_when: false
+         register: ssh_key_check
+
+       - name: Assert that we are using a supported SSH key
+         assert:
+            that:
+              - ssh_key_check.stdout | regex_search('ed25519', ignorecase=true)
+            fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
 
     - name: Ensure the cron package is installed on ubuntu
       package: