feat(ssh_known_hosts): allow to omit IP addresses
parent
dfaeb8f505
commit
ea221ab52b
|
@ -117,7 +117,7 @@ setup those functions through pillar::
|
||||||
public_ssh_host_keys:
|
public_ssh_host_keys:
|
||||||
mine_function: cmd.run
|
mine_function: cmd.run
|
||||||
cmd: cat /etc/ssh/ssh_host_*_key.pub
|
cmd: cat /etc/ssh/ssh_host_*_key.pub
|
||||||
python_shell: True
|
python_shell: true
|
||||||
public_ssh_hostname:
|
public_ssh_hostname:
|
||||||
mine_function: grains.get
|
mine_function: grains.get
|
||||||
key: id
|
key: id
|
||||||
|
@ -210,7 +210,20 @@ To **include localhost** and local IP addresses (``127.0.0.1`` and ``::1``) use
|
||||||
|
|
||||||
openssh:
|
openssh:
|
||||||
known_hosts:
|
known_hosts:
|
||||||
include_localhost: True
|
include_localhost: true
|
||||||
|
|
||||||
|
To prevent ever-changing IP addresses from being added to a host, use this::
|
||||||
|
|
||||||
|
openssh:
|
||||||
|
known_hosts:
|
||||||
|
omit_ip_address:
|
||||||
|
- my.host.tld
|
||||||
|
|
||||||
|
To completely disable adding IP addresses::
|
||||||
|
|
||||||
|
openssh:
|
||||||
|
known_hosts:
|
||||||
|
omit_ip_address: true
|
||||||
|
|
||||||
``openssh.moduli``
|
``openssh.moduli``
|
||||||
^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^
|
||||||
|
|
|
@ -3,11 +3,16 @@
|
||||||
#}
|
#}
|
||||||
|
|
||||||
{#- Generates one known_hosts entry per given key #}
|
{#- Generates one known_hosts entry per given key #}
|
||||||
{%- macro known_host_entry(host, host_names, keys, include_localhost) %}
|
{%- macro known_host_entry(host, host_names, keys, include_localhost, omit_ip_address) %}
|
||||||
|
|
||||||
{#- Get IPv4 and IPv6 addresses from the DNS #}
|
{#- Get IPv4 and IPv6 addresses from the DNS #}
|
||||||
|
{%- if not (omit_ip_address is sameas true or host in omit_ip_address) %}
|
||||||
{%- set ip4 = salt['dig.A'](host) -%}
|
{%- set ip4 = salt['dig.A'](host) -%}
|
||||||
{%- set ip6 = salt['dig.AAAA'](host) -%}
|
{%- set ip6 = salt['dig.AAAA'](host) -%}
|
||||||
|
{%- else %}
|
||||||
|
{%- set ip4 = [] -%}
|
||||||
|
{%- set ip6 = [] -%}
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
{#- The host names to use are to be found within the dict 'host_names'. #}
|
{#- The host names to use are to be found within the dict 'host_names'. #}
|
||||||
{#- If there are none, the host is used directly. #}
|
{#- If there are none, the host is used directly. #}
|
||||||
|
@ -59,6 +64,7 @@
|
||||||
{%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
|
{%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
|
||||||
{%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
|
{%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
|
||||||
{%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}
|
{%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}
|
||||||
|
{%- set omit_ip_address = salt['pillar.get']('openssh:known_hosts:omit_ip_address', []) -%}
|
||||||
|
|
||||||
{#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
|
{#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
|
||||||
in the SSH known_hosts entry -#}
|
in the SSH known_hosts entry -#}
|
||||||
|
@ -98,5 +104,5 @@
|
||||||
|
|
||||||
{#- Loop over targetted minions -#}
|
{#- Loop over targetted minions -#}
|
||||||
{%- for host, keys in host_keys| dictsort -%}
|
{%- for host, keys in host_keys| dictsort -%}
|
||||||
{{ known_host_entry(host, host_names, keys, include_localhost) }}
|
{{ known_host_entry(host, host_names, keys, include_localhost, omit_ip_address) }}
|
||||||
{%- endfor -%}
|
{%- endfor -%}
|
||||||
|
|
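Review bot: The new guard `{%- if not (omit_ip_address is sameas true or host in omit_ip_address) %}` assumes the pillar value is either the boolean `true` or a list; if an operator sets `omit_ip_address: false` (the natural way to "turn it off" given the documented `true`), the `in` test is applied to a bool and the render fails, and if they set a single bare hostname string the `in` test does substring matching, so `host.tld` would also suppress the IPs of `my.host.tld`. The `pillar.get` default of `[]` in the later hunk does not protect against those shapes, since a default only applies when the key is absent. Suggest tightening the test to `{%- if not (omit_ip_address is sameas true or (omit_ip_address is iterable and omit_ip_address is not string and host in omit_ip_address)) %}`, or normalising the value once where it is read from pillar. The `known_host_entry` macro continues past the end of this hunk, so how the empty `ip4`/`ip6` lists interact with the alias lookup cannot be checked here.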
|
@ -335,6 +335,13 @@ openssh:
|
||||||
static:
|
static:
|
||||||
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
|
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
|
||||||
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
|
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
|
||||||
|
# Prevent an ever-changing ssh_known_hosts file caused by a domain which
|
||||||
|
# is served from multiple IP addresses.
|
||||||
|
# To disable completely:
|
||||||
|
# omit_ip_address: true
|
||||||
|
# Or to disable by specific hosts:
|
||||||
|
omit_ip_address:
|
||||||
|
- github.com
|
||||||
|
|
||||||
# yamllint disable rule:line-length
|
# yamllint disable rule:line-length
|
||||||
# specify DH parameters (see /etc/ssh/moduli)
|
# specify DH parameters (see /etc/ssh/moduli)
|
||||||
|
|
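Review bot: The new comment block explains why an operator would use `omit_ip_address` but not what it costs them: an entry generated without IP addresses is keyed on the hostname only, so a client that connects to the same machine by IP address no longer finds a matching known_hosts line and falls back to its usual unknown-host handling. A one-line note next to the example would make that trade-off explicit, e.g. `# Hosts listed here get hostname-only entries; connections made by IP address will not match them.` The same caveat would fit the README section added in this commit.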
|
@ -168,6 +168,8 @@ openssh:
|
||||||
static:
|
static:
|
||||||
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
|
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
|
||||||
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
|
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
|
||||||
|
omit_ip_address:
|
||||||
|
- github.com
|
||||||
|
|
||||||
# specify DH parameters (see /etc/ssh/moduli)
|
# specify DH parameters (see /etc/ssh/moduli)
|
||||||
# yamllint disable rule:line-length
|
# yamllint disable rule:line-length
|
||||||
|
|