diff --git a/docs/README.rst b/docs/README.rst
index f5bd59d..be69b8a 100644
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -117,7 +117,7 @@ setup those functions through pillar::
 public_ssh_host_keys:
 mine_function: cmd.run
 cmd: cat /etc/ssh/ssh_host_*_key.pub
- python_shell: True
+ python_shell: true
 public_ssh_hostname:
 mine_function: grains.get
 key: id
@@ -210,7 +210,20 @@ To **include localhost** and local IP addresses (``127.0.0.1`` and ``::1``) use
 openssh:
 known_hosts:
- include_localhost: True
+ include_localhost: true
+
+To prevent ever-changing IP addresses from being added to a host, use this::
+ openssh:
+ known_hosts:
+ omit_ip_address:
+ - my.host.tld
+
+To completely disable adding IP addresses::
+ openssh:
+ known_hosts:
+ omit_ip_address: true
 ``openssh.moduli``
 ^^^^^^^^^^^^^^^^^^
diff --git a/openssh/files/default/ssh_known_hosts b/openssh/files/default/ssh_known_hosts
index 0839c46..d0c7dc9 100644
--- a/openssh/files/default/ssh_known_hosts
+++ b/openssh/files/default/ssh_known_hosts
@@ -3,11 +3,16 @@
 #}
 {#- Generates one known_hosts entry per given key #}
-{%- macro known_host_entry(host, host_names, keys, include_localhost) %}
+{%- macro known_host_entry(host, host_names, keys, include_localhost, omit_ip_address) %}
 {#- Get IPv4 and IPv6 addresses from the DNS #}
-{%- set ip4 = salt['dig.A'](host) -%}
-{%- set ip6 = salt['dig.AAAA'](host) -%}
+{%- if not (omit_ip_address is sameas true or host in omit_ip_address) %}
+{%- set ip4 = salt['dig.A'](host) -%}
+{%- set ip6 = salt['dig.AAAA'](host) -%}
+{%- else %}
+{%- set ip4 = [] -%}
+{%- set ip6 = [] -%}
+{%- endif %}
 {#- The host names to use are to be found within the dict 'host_names'. #}
 {#- If there are none, the host is used directly. #}
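Review bot: The membership test `host in omit_ip_address` on the new `{%- if not (...) %}` line assumes a list, but the pillar key can also arrive as a boolean or a scalar: `omit_ip_address: false` makes Jinja raise a TypeError (a bool is not iterable) when the macro runs, and a bare string such as `omit_ip_address: my.host.tld` turns the check into a substring match, so any host id that happens to be a substring of that value silently loses its IP entries. I would guard the test with Jinja's own type tests, `{%- if not (omit_ip_address is sameas true or (omit_ip_address is not string and omit_ip_address is iterable and host in omit_ip_address)) %}`, or normalise the value once where it is read from pillar in the following hunk. The match is on `host` exactly as the caller passes it (presumably the minion id from `host_keys`, not an alias from `host_names`), which a one-line comment above the `if` should state so operators do not list an alias and wonder why IP-keyed entries still appear. The macro body continues beyond the end of this hunk.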
@@ -59,6 +64,7 @@
 {%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
 {%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
 {%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}
+{%- set omit_ip_address = salt['pillar.get']('openssh:known_hosts:omit_ip_address', []) -%}
 {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name in the SSH known_hosts entry -#}
@@ -98,5 +104,5 @@
 {#- Loop over targetted minions -#}
 {%- for host, keys in host_keys| dictsort -%}
-{{ known_host_entry(host, host_names, keys, include_localhost) }}
+{{ known_host_entry(host, host_names, keys, include_localhost, omit_ip_address) }}
 {%- endfor -%}
diff --git a/pillar.example b/pillar.example
index 8c4aafa..2c86d92 100644
--- a/pillar.example
+++ b/pillar.example
@@ -335,6 +335,13 @@ openssh:
 static:
 github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
 gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
+ # Prevent an ever-changing ssh_known_hosts file caused by a domain which
+ # is served from multiple IP addresses.
+ # To disable completely:
+ # omit_ip_address: true
+ # Or to disable by specific hosts:
+ omit_ip_address:
+ - github.com
 # yamllint disable rule:line-length
 # specify DH parameters (see /etc/ssh/moduli)
diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls
index 0b25845..be0af66 100644
--- a/test/salt/pillar/default.sls
+++ b/test/salt/pillar/default.sls
@@ -168,6 +168,8 @@ openssh:
 static:
 github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
 gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
+ omit_ip_address:
+ - github.com
 # specify DH parameters (see /etc/ssh/moduli)
 # yamllint disable rule:line-length