From 5481c377e73848a7505114cf10e5d7d4e1521402 Mon Sep 17 00:00:00 2001
From: Maximilian Mehnert
Date: Sun, 25 Feb 2024 22:51:06 +0100
Subject: [PATCH] Add support for AuthorizedKeysCommand and AuthorizedKeysCommandUser

---
 README.md | 3 +++
 defaults/main.yml | 1 +
 templates/etc/ssh/sshd_config.j2 | 6 ++++++
 3 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 530c98b..da9fbb8 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,9 @@ None
 * `ssh_server_allow_users`: [default: `[]`]: A list of user name patterns. If specified, login is allowed only for user names that match one of the patterns
 * `ssh_server_deny_groups`: [default: `[]`]: A list of group name patterns. If specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns
 * `ssh_server_deny_users`: [default: `[]`]: A list of user name patterns. If specified, login is disallowed for user names that match one of the patterns
+* `ssh_server_autorized_keys_command`: [default: ]: Specifies a program to be used to look up the user's public keys.
+* `ssh_server_autorized_keys_command_user`: [default: `nobody`]: Specifies the user under whose account the AuthorizedKeysCommand is run
+
 
 ## Dependencies
 
diff --git a/defaults/main.yml b/defaults/main.yml
index e717642..90d915d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -48,3 +48,4 @@ ssh_server_allow_groups: []
 ssh_server_allow_users: []
 ssh_server_deny_groups: []
 ssh_server_deny_users: []
+ssh_server_autorized_keys_command_user: nobody
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
index 18dffcf..9824063 100644
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
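Review bot: The new variable added in the defaults/main.yml hunk misspells "authorized" as `autorized` (`ssh_server_autorized_keys_command_user`), which is inconsistent with the existing `ssh_server_authorized_keys_file` and becomes hard to rename once inventories depend on it; the README and sshd_config.j2 hunks use the same spelling. Since this is new public interface, rename to `ssh_server_authorized_keys_command` and `ssh_server_authorized_keys_command_user` in all three files before it ships. It would also help discoverability to list the command variable itself in defaults alongside the user, for example `ssh_server_autorized_keys_command: ''`, with the template then testing truthiness rather than `is defined`, so that every variable the role reads is visible in one place.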
@@ -42,6 +42,12 @@ RSAAuthentication {{ ssh_server_rsa_authentication | bool | ternary('yes', 'no') PubkeyAuthentication {{ ssh_server_pubkey_authentication | bool | ternary('yes', 'no') }} AuthorizedKeysFile {{ ssh_server_authorized_keys_file }} +{% if ssh_server_autorized_keys_command is defined %} +AuthorizedKeysCommand {{ ssh_server_autorized_keys_command }} +AuthorizedKeysCommandUser {{ ssh_server_autorized_keys_command_user }} +{% endif %} + + # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts {{ ssh_server_ignore_rhosts | bool | ternary('yes', 'no') }} {% if ssh_server_version is version('7.4', '<') %}
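Review bot: A defined-but-empty `ssh_server_autorized_keys_command` (for example `''` set in an inventory to switch the feature off) passes the `is defined` test on the first added line and renders a bare `AuthorizedKeysCommand` directive with no argument, which sshd will reject at start; the condition should be `{% if ssh_server_autorized_keys_command is defined and ssh_server_autorized_keys_command %}`. Both directives only exist from OpenSSH 6.2, so wrapping the block in the same `ssh_server_version is version(...)` gate the template already uses for other options would avoid an invalid config on older hosts. sshd also refuses to run a command that is not root-owned or is writable by group or others, and `nobody` is shared with other unprivileged services on many systems, so a short comment above the block (or in the README) stating the ownership requirement and recommending a dedicated account for `AuthorizedKeysCommandUser` would save operators a failed restart. The two trailing `+` blank lines after `{% endif %}` appear to leave extra empty lines before `# Don't read` in the rendered file and can be dropped.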