Fix ssh config to handle custom options per Host

fullyint · fullyint · commit 8420dacb5ec1 · 2017-03-13T23:06:21.000-06:00
Formerly printed Hosts on successive lines, applying all options
to the final Host only.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_host_key_files` | ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] |Host keys to look for when starting sshd.|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
-|`ssh_remote_hosts` | [] | one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!|
+|`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
diff --git a/default.yml b/default.yml
@@ -1,5 +1,5 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
   hosts: localhost
   pre_tasks:
     - package: name="{{item}}" state=installed
@@ -15,3 +15,20 @@
     - file: path="/var/run/sshd" state=directory
   roles:
     - ansible-ssh-hardening
+  vars:
+    network_ipv6_enable: true
+    ssh_allow_root_with_key: true
+    ssh_client_password_login: true
+    ssh_client_cbc_required: true
+    ssh_server_weak_hmac: true
+    ssh_client_weak_kex: true
+    ssh_remote_hosts:
+      - names: ['example.com', 'example2.com']
+        options: ['Port 2222', 'ForwardAgent yes']
+      - names: ['example3.com']
+        options: ['StrictHostKeyChecking no']
+
+- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+  hosts: localhost
+  roles:
+    - ansible-ssh-hardening
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -37,8 +37,16 @@ ssh_max_auth_retries: 2
 
 ssh_client_alive_interval: 600          # sshd
 ssh_client_alive_count: 3               # sshd
-# one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!
-ssh_remote_hosts: []           # ssh
+
+# Hosts with custom options.            # ssh
+# Example:
+# ssh_remote_hosts:
+#   - names: ['example.com', 'example2.com']
+#     options: ['Port 2222', 'ForwardAgent yes']
+#   - names: ['example3.com']
+#     options: ['StrictHostKeyChecking no']
+ssh_remote_hosts: []
+
 # false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
 ssh_allow_root_with_key: false          # sshd
 
diff --git a/templates/openssh.conf.j2 b/templates/openssh.conf.j2
@@ -8,10 +8,18 @@
 
 # Address family should always be limited to the active network configuration.
 AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
-# Restrict the following configuration to be limited to this Host.
+
 {% for host in ssh_remote_hosts -%}
-Host {{host}}
-{% endfor %}
+{% if loop.first %}
+# Host-specific configuration
+{% endif %}
+Host {{ host.names | join(' ') }}
+  {{ host.options | join("\n") | indent(2) }}
+
+{% endfor -%}
+
+# Global defaults for all Hosts
+Host *
 
 # The port at the destination should be defined
 {% for port in ssh_client_ports -%}
