Allow selecting ECDSA key format for the OpenSSH client known_hosts file
PROD-35539
Change-Id: Ic673396de4184bee6723df4d08688d336d0c32ce
diff --git a/README.rst b/README.rst
index 3a701d4..729f883 100644
--- a/README.rst
+++ b/README.rst
@@ -286,6 +286,17 @@
See PATTERNS in ssh_config(5) for more information on what <pattern> is.
+* Use ECDSA key format for the OpenSSH client known_hosts file:
+
+ - If `known_hosts_use_ecdsa` is set to `true` it will use ECDSA key format
+ in known_hosts otherwise RSA key format wil be used
+
+ .. code-block:: yaml
+
+ openssh:
+ client:
+ known_hosts_use_ecdsa: true
+
**CIS Compliance**
There is a number of configuration options that make the OpenSSH service
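Review bot: the added README text has a typo and an unclear sentence in the `known_hosts_use_ecdsa` bullet: "wil" should be "will", and the sentence reads better as "If `known_hosts_use_ecdsa` is set to `true`, the ECDSA key format is used in known_hosts; otherwise the RSA key format is used." It would also help to document the precondition this option introduces: each entry under the local nodes data must carry an `ecdsa` fingerprint when the flag is enabled, since the map logic reads `fingerprints.ecdsa` instead of `fingerprints.rsa`, and a missing fingerprint means the host is not pinned in known_hosts as the operator expects.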
diff --git a/openssh/map.jinja b/openssh/map.jinja
index b16d816..14b454d 100644
--- a/openssh/map.jinja
+++ b/openssh/map.jinja
@@ -15,7 +15,11 @@
{% do root.update({'known_hosts': []}) %} {# Prepare empty list if missing so it can be appended later #}
{% endif %}
{% for host_name, fingerprints in local_nodes.iteritems() %} {# Iterate through all defined hosts #}
- {% set new_host = {'name': host_name, 'type': 'ssh-rsa', 'fingerprint': fingerprints.rsa, 'fingerprint_hash_type': 'md5'} %} {# Prepare new host record #}
+ {% if pillar.openssh.client.get('known_hosts_use_ecdsa', False) %}
+ {% set new_host = {'name': host_name, 'type': 'ecdsa', 'fingerprint': fingerprints.ecdsa, 'fingerprint_hash_type': 'md5'} %} {# Prepare new host record #}
+ {% else %}
+ {% set new_host = {'name': host_name, 'type': 'ssh-rsa', 'fingerprint': fingerprints.rsa, 'fingerprint_hash_type': 'md5'} %} {# Prepare new host record #}
+ {% endif %}
{% do root['known_hosts'].append(new_host) %} {# Add the new host to the list of known hosts #}
{% endfor %}
{% endif %}
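Review bot: `fingerprints.ecdsa` in the new branch has no fallback, so a host whose fingerprint data only contains `rsa` will render an entry with an undefined fingerprint when `known_hosts_use_ecdsa` is true, and the host key pin for that node silently degrades; prefer `fingerprints.get('ecdsa')` with an explicit fallback to the RSA record (or a template error) so the problem is visible at state compile time rather than at the first SSH connection. The two `set new_host` lines differ only in `type` and `fingerprint`; computing those two values in the `if`/`else` and building the record once would keep the two branches from drifting. Also worth confirming that the consumer of `root['known_hosts']` accepts the bare `ecdsa` type string alongside `ssh-rsa`, since the two values follow different naming conventions.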