Allow setting more options for ssh.client
And disallow ForwardAgent by default as it may be a security risk.
diff --git a/openssh/files/ssh_config b/openssh/files/ssh_config
index d97254f..63974d7 100644
--- a/openssh/files/ssh_config
+++ b/openssh/files/ssh_config
@@ -3,13 +3,20 @@
Host *
- SendEnv LANG LC_*
- HashKnownHosts yes
- GSSAPIAuthentication {% if client.gssapi_authentication %}yes{% else %}no{% endif %}
- GSSAPIDelegateCredentials no
- ForwardAgent {% if client.forward_agent %}yes{% else %}no{% endif %}
+ SendEnv {% if client.send_env is defined %}{{ client.send_env }}{% else %}LANG LC_*{% endif %}
+ HashKnownHosts {% if client.get('hash_known_hosts', True) %}yes{% else %}no{% endif %}
+ GSSAPIAuthentication {% if client.get('gssapi_authentication', False) %}yes{% else %}no{% endif %}
+ GSSAPIDelegateCredentials {% if client.get('gssapi_delegate_credentials', False) %}yes{% else %}no{% endif %}
+ PubkeyAuthentication {% if client.get('pubkey_authentication', True) %}yes{% else %}no{% endif %}
+ ForwardAgent {% if client.get('forward_agent', False) %}yes{% else %}no{% endif %}
- {%- if network.proxy.host != 'none' and not network.proxy.get("pkg_only", true) %}
+ {%- if client.global_known_hosts is defined %}
+ GlobalKnownHostsFile {{ client.global_known_hosts }}
+ {%- endif %}
+
+ {%- if client.proxy_command is defined %}
+ ProxyCommand {{ client.proxy_command }}
+ {%- elif network.proxy.host != 'none' and not network.proxy.get("pkg_only", true) %}
ProxyCommand connect -H {{ network.proxy.host }}:{{ network.proxy.port }} %h %p
{%- endif %}
{% if client.stricthostkeychecking is not defined %}{% else %}StrictHostKeyChecking no{% endif %}
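Review bot: `client.proxy_command`, `client.send_env` and `client.global_known_hosts` are written into the `Host *` block verbatim, so each pillar value becomes client configuration for every user and every connection on the minion; ssh hands the `ProxyCommand` string to the user's shell, and a value containing a line break would add further directives to the file. I would document this above the new `ProxyCommand` line with a template comment such as `{#- client.proxy_command is run by the user's shell for every connection; single line only -#}` and collapse line breaks when rendering, e.g. `ProxyCommand {{ client.proxy_command | replace('\n', ' ') }}`. A list-valued `send_env` would presumably render as a Python list literal rather than space-separated names, so either join it or state that a string is expected. As a style point, the new options mix `client.x is defined` with `client.get('x', default)`; using one form throughout would make the effective defaults easier to audit.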
diff --git a/openssh/map.jinja b/openssh/map.jinja
index 2749ac5..6b1e11b 100644
--- a/openssh/map.jinja
+++ b/openssh/map.jinja
@@ -34,28 +34,20 @@
'pkgs': ['openssh'],
'proxy_pkgs': ['openssh'],
'config': '/etc/ssh/ssh_config',
- 'forward_agent': True,
- 'gssapi_authentication': False,
},
'Debian': {
'pkgs': ['openssh-client'],
'proxy_pkgs': ['connect-proxy'],
'config': '/etc/ssh/ssh_config',
- 'forward_agent': True,
- 'gssapi_authentication': False,
},
'MacOS': {
'pkgs': ['openssh'],
'proxy_pkgs': ['connect-proxy'],
'config': '/etc/ssh/ssh_config',
- 'forward_agent': True,
- 'gssapi_authentication': False,
},
'RedHat': {
'pkgs': ['openssh-clients'],
'proxy_pkgs': ['connect-proxy'],
'config': '/etc/ssh/ssh_config',
- 'forward_agent': True,
- 'gssapi_authentication': False,
},
}, merge=salt['pillar.get']('openssh:client')) %}