From 58c0f0acdf58f1d2f437887447a786ff1a8a5ac0 Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Sun, 23 Feb 2020 15:55:02 +0100
Subject: [PATCH] ssh-server: deploy ssh-config to enable SSHFP checking

---
 ssh-server/tasks/main.yml                          | 12 ++++++++++++
 ssh-server/templates/{ssh_config => ssh_config.j2} |  1 +
 2 files changed, 13 insertions(+)
 rename ssh-server/templates/{ssh_config => ssh_config.j2} (98%)

diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index cd13d30..5543870 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -38,6 +38,18 @@
   tags:
     - ssh
 
+- name: ensure ssh is configured
+  template:
+    src: ssh_config.j2
+    dest: /etc/ssh/ssh_config
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+  when: debian_version != "jessie"
+  tags:
+    - ssh
+
 - name: ensure standard pam configuration for sshd
   copy:
     src: pam/sshd
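Review bot: The `when: debian_version != "jessie"` condition on the new task has no comment saying why jessie is skipped. On those hosts /etc/ssh/ssh_config stays unmanaged, so the SSHFP checking this commit enables is not applied there. A comment above the condition would make that gap visible to anyone auditing the role, for example `# jessie skipped: <reason>; SSHFP checking is NOT enabled on these hosts`. Because a malformed client config breaks every outgoing ssh call on the host, the task could also carry a parse check such as `validate: 'ssh -G -F %s localhost'`, if the targeted OpenSSH clients support `-G` (to be confirmed). `debian_version` is defined outside this hunk, so whether it is always set could not be checked here.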
diff --git a/ssh-server/templates/ssh_config b/ssh-server/templates/ssh_config.j2
similarity index 98%
rename from ssh-server/templates/ssh_config
rename to ssh-server/templates/ssh_config.j2
index 3810e13..4fefb09 100644
--- a/ssh-server/templates/ssh_config
+++ b/ssh-server/templates/ssh_config.j2
@@ -52,3 +52,4 @@ Host *
     HashKnownHosts yes
     GSSAPIAuthentication yes
     GSSAPIDelegateCredentials no
+    VerifyHostKeyDNS yes
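Review bot: `VerifyHostKeyDNS yes` under `Host *` makes the client accept a new host key without prompting whenever a matching SSHFP record is reported as DNSSEC-secure, so the trust decision moves to the resolver and the network path to it. That is only sound when every managed host uses a validating resolver over a trusted path, ideally on localhost. On recent glibc the secure flag is also dropped unless resolv.conf sets `options trust-ad`, in which case the setting quietly behaves like `ask`. I would state the requirement in a comment above the line, e.g. `# needs a local DNSSEC-validating resolver; use "ask" where that is not guaranteed`, or set `VerifyHostKeyDNS ask` for hosts without one. The `Host *` block starts outside this hunk, so the rest of its options were not reviewed.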
-- 
GitLab