ssh

CI Testing

An Ansible role for managing ssh clients configuration.

Requirements

This role should work on any system that provides openssh client and is
supported by ansible. The role was tested on:

Role Variables

By default, the role should not modify the system configuration and generate
global ssh_config that matches OS default (the generated configuration does
not keep comments and order of the options).

By default (null) the role will modify the global configuration for all
users. Other values will be interpreted as a username and the role will
modify per-user configuration stored under ~/.ssh/config of the given user.
The user needs to exist before invoking this role otherwise it will fail.

By default (auto), the role writes the system-wide configuration file
/etc/ssh/ssh_config and keeps OS defaults defined there (true). This is
automatically disabled, when a drop-in configuration file is created
(ssh_drop_in_name!=null) or when per-user configuration file is created
(ssh_user!=null).

This defines the name for the drop-in configuration file to be placed in
system-wide drop-in directory. The name is used in the template
/etc/ssh/ssh_config.d/{name}.conf to reference the configuration file to
be modified. If the system does not support drop-in directory, setting this
option will make the play fail. Default is null if the system does not
support drop in directory and 00-ansible otherwise.

The suggested format is NN-name, where NN is two-digit number used for
sorting the and name is any descriptive name for the content or the owner
of the file.

A dict containing configuration options and respective values. See example
below.

Simple variables consisting of the option name prefixed with ssh_ can be
used rather than a dict above. The simple variable overrides values in dict
above.

This role automatically installs packages needed for most common use cases
on given platform. If some additional packages need to be installed (for
example openssh-keysign for host-based authentication), they can be specified
in this variable.

The configuration file that will be written by this role. The default is
defined by template /etc/ssh/ssh_config.d/{name}.conf if system has drop-in
directory or /etc/ssh/ssh_config otherwise. If ssh_user!=null, the
default is ~/.ssh/config.

The owner, group and mode of the created configuration file. The files are
owned by root:root with mode 0644 by default, unless
ssh_user!=null. In that case, the mode is 0600 and owner and
group are derived from username given in ssh_user variable.

Dependencies

none

Example Playbook

The folowing playbook configures the root user ssh configuration in his
home directory to use compression, control-master multiplexing and enable
GSSAPI authentication in the “match final all” block. Additionally, it
creates alias “example” for connecting to the example.com host as a user
somebody. The last line disables X11 forwarding.

- hosts: all
  tasks:
  - name: "Configure ssh clients"
    include_role:
      name: fedora.linux_system_roles.ssh
    vars:
      ssh_user: root
      ssh:
        Compression: true
        ControlMaster: auto
        ControlPath: ~/.ssh/.cm%C
        Match:
          - Condition: "final all"
            GSSAPIAuthentication: yes
        Host:
          - Condition: example
            Hostname: example.com
            User: somebody
      ssh_ForwardX11: no

More examples are in the examples/ directory.

License

LGPLv3, see the file LICENSE for more information.

Author Information

Jakub Jelen, 2021