Opt-in to include localhost

2025-04-23 03:58:15 +02:00 · 2018-05-01 23:04:17 +02:00 · 2018-05-01 23:04:17 +02:00 · b34b8f5fa7
commit b34b8f5fa7
parent 63438bde88
3 changed files with 16 additions and 2 deletions
--- a/README.rst
+++ b/README.rst
@ -174,6 +174,12 @@ pillar key ``openssh:known_hosts:static``::

 Pillar ``openssh:known_hosts:static`` overrides ``openssh:known_hosts:salt_ssh``.

+To **include localhost** and local IP addresses (``127.0.0.1`` and ``::1``) use this Pillar::
+
+    openssh:
+      known_hosts:
+        include_localhost: True
+
 ``openssh.moduli``
 -----------------------

--- a/openssh/files/ssh_known_hosts
+++ b/openssh/files/ssh_known_hosts
@ -3,7 +3,7 @@
 #}

 {#- Generates one known_hosts entry per given key #}
-{%- macro known_host_entry(host, host_names, keys) %}
+{%- macro known_host_entry(host, host_names, keys, include_localhost) %}

 {#-   Get IPv4 and IPv6 addresses from the DNS #}
 {%-   set ip4 = salt['dig.A'](host) -%}
@ -13,6 +13,11 @@
 {#-   If there are none, the host is used directly. #}
 {%-   set names = host_names.get(host, host) -%}
 {%-   set names = [names] if names is string else names %}
+{%-   if include_localhost and host == grains['id'] %}
+{%-     do names.append('localhost') %}
+{%-     do names.append('127.0.0.1') %}
+{%-     do names.append('::1') %}
+{%-   endif -%}

 {#-   Extract the hostname from the FQDN and add it to the names. #}
 {%-   if use_hostnames is iterable -%}
@ -53,6 +58,7 @@
 {%- set hostnames_target_default = '*' if grains['domain'] == '' else "*.{}".format(grains['domain']) -%}
 {%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
 {%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
+{%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}

 {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
    in the SSH known_hosts entry -#}
@ -93,5 +99,5 @@

 {#- Loop over targetted minions -#}
 {%- for host, keys in host_keys| dictsort -%}
-{{ known_host_entry(host, host_names, keys) }}
+{{ known_host_entry(host, host_names, keys, include_localhost) }}
 {%- endfor -%}
--- a/pillar.example
+++ b/pillar.example
@ -307,6 +307,8 @@ openssh:
    #  tgt_type: 'glob'
    # To activate the defaults you can just set an empty dict.
    #hostnames: {}
+    # Include localhost, 127.0.0.1 and ::1 (default: False)
+    include_localhost: False
    # Host keys fetched via salt-ssh
    salt_ssh:
      # The salt-ssh user