Merge pull request #380 from mpraeger/feature/host_certificates

add Support for OpenSSH HostCertificate config option
2024-11-10 17:24:12 +00:00 · 2021-01-22 10:43:32 +01:00 · 2021-01-22 10:43:32 +01:00 · 66feb7c2ad
commit 66feb7c2ad
parent ef31838fa2 4399d3f885
2 changed files with 8 additions and 0 deletions
--- a/roles/ssh_hardening/defaults/main.yml
+++ b/roles/ssh_hardening/defaults/main.yml
@ -36,6 +36,9 @@ ssh_listen_to: ['0.0.0.0']          # sshd
 # Host keys to look for when starting sshd.
 ssh_host_key_files: []              # sshd

+# Host certificates to look for when starting sshd.
+ssh_host_certificates: []           # sshd
+
 # Specifies the host key algorithms that the server offers
 ssh_host_key_algorithms: []         # sshd

--- a/roles/ssh_hardening/templates/opensshd.conf.j2
+++ b/roles/ssh_hardening/templates/opensshd.conf.j2
@ -38,6 +38,11 @@ ListenAddress {{ address }}
 HostKey {{ key }}
 {% endfor %}

+# HostCertificates are listed here.
+{% for certificate in ssh_host_certificates -%}
+HostCertificate {{ certificate }}
+{% endfor %}
+
 # Host key algorithms that the server offers.
 {% if sshd_version is version('5.8', '>=') %}
 {{ "HostKeyAlgorithms " ~ ssh_host_key_algorithms|join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}