From 9eca957bb9db8cc45b40f5af42978153e4e00841 2015-03-08 11:20:24 From: Branko Majic Date: 2015-03-08 11:20:24 Subject: [PATCH] MAR-1: Configure private key directory permissions. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 70d81b4a1075108b5026ad1e6c58868978424653..e25f8c2a4c9e4895686d2be9cd40af6be13b0892 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -196,6 +196,10 @@ The role implements the following: * Creates additional operating system users, as configured. * Hardens the SSH server by disabling remote ``root`` logins and password-based authentication. +* Allows traversing of directory ``/etc/ssl/private/`` to everyone. This lets + you put TLS private keys in central location where any operating system user + can reach them provided they have appropriate read/write rights on the file + itself, and provided they know the exact path of the file. Parameters diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 3ac66a613f50fdf118d5c86d966e8cb2453915e7..1fda4cbf3aa20fc14a882c0762b94bff1cb2f4c2 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -45,4 +45,7 @@ - name: Disable remote login authentication via password lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no" notify: - - Restart SSH \ No newline at end of file + - Restart SSH + +- name: Allow users to traverse directories to TLS private key files + file: path=/etc/ssl/private/ mode=o+x \ No newline at end of file
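Review bot: The new bullet in docs/rolereference.rst understates the trade-off: "provided they know the exact path of the file" is not a protection worth listing, because `o+x` on the directory only prevents listing, not access, and any key file placed under ``/etc/ssl/private/`` with a permissive mode (for example a default 0644 left by the umask of whoever copied it in) becomes readable by every local account once the directory is traversable. Suggest stating the obligation this puts on operators explicitly, for example: "Key files placed there must themselves carry a restrictive mode (such as 0640, owned by root and the group of the consuming service); the directory no longer shields them." It would also help the reader of this hardening list to see that this item deliberately loosens the directory's default restriction, since every other bullet tightens something.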
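Review bot: `mode=o+x` in the new task in roles/common/tasks/main.yml only adds the other-execute bit on top of whatever mode the directory already has, so the resulting permissions depend on prior state: a directory that was earlier left world-readable stays that way, and the traverse-only intent described in the docs is not actually enforced. Suggest declaring the full target state instead, e.g. `file: path=/etc/ssl/private state=directory owner=root group=root mode=0711`, so the task converges to one known mode and fails loudly if the directory is absent rather than relying on the `file` module's default `state=file` behaviour. Worth a second look whether the need (a central location for keys used by several services) could be met by a dedicated group on the directory (mode 0710, service users added to that group) without granting traversal to every local user. Minor: the hunk replaces the file's last line but still leaves no newline at end of file; add one while touching it.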