Mitigate ssh-keysign-pwn exploits

See https://seclists.org/oss-sec/2026/q2/529 for details.
Disabling PTRACE_ATTACH for non-admins by settings the tunable
kernel.yama.ptrace_scope=2 blocks known exploits.

Author: elelaysh

ansible/mitigations.yml

@@ -23,3 +23,32 @@
       ansible.builtin.command:
         cmd: echo 3 > /proc/sys/vm/drop_caches
       changed_when: true
+
+- name: Apply ssh-keysign-pwn mitigation
+  hosts: mitigate_ssh_keysign_pwn
+  become: true
+  gather_facts: false
+  tasks:
+    # See https://docs.kernel.org/admin-guide/LSM/Yama.html for explanation
+    - name: Apply ssh-keysign-pwn mitigation to live system
+      ansible.builtin.command: sysctl kernel.yama.ptrace_scope=2
+      changed_when: true
+    - name: Get current ptrace_scope value
+      ansible.builtin.slurp:
+        src: /proc/sys/kernel/yama/ptrace_scope
+      check_mode: false
+      changed_when: false
+      register: ptrace_scope
+    - name: Show ptrace_scope after fix
+      ansible.builtin.debug:
+        msg: "/proc/sys/kernel/yama/ptrace_scope={{ ptrace_scope.content|b64decode }}"
+    - name: Prepare sysctl.d file to apply mitigation upon reboot
+      ansible.builtin.copy:
+        dest: /etc/sysctl.d/99-prevent-ptrace_scope.conf
+        content: |
+          # this is a mitigation for ssh-keysign-pwn
+          # See https://seclists.org/oss-sec/2026/q2/529 for the announcement
+          kernel.yama.ptrace_scope=2
+        owner: root
+        group: root
+        mode: "0644"

environments/common/inventory/groups

@@ -247,3 +247,4 @@ doca
 
 ## Vulnerability mitigation groups
 [mitigate_dirtyfrag]
+[mitigate_ssh_keysign_pwn]

environments/site/inventory/groups

@@ -220,3 +220,5 @@ compute
 ## Vulnerability mitigation groups
 [mitigate_dirtyfrag:children]
 builder
+[mitigate_ssh_keysign_pwn:children]
+builder