authorChristian Pointner <equinox@spreadspace.org>2021-04-13 01:49:06 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-04-13 01:49:06 +0200
commit7fd90c2d7fc6cb6d93a4f1a9fb9e801e6519c738 (patch)
tree116f29ebb397e90a48a3c1d34c9624b827d1fa9e /roles/core
parentsshd: disable password auth by default (diff)
sshd/jump allow configuration of PermitOpen per jump user
Diffstat (limited to 'roles/core')
-rw-r--r--roles/core/sshd/jump/defaults/main.yml2
-rw-r--r--roles/core/sshd/jump/tasks/main.yml9
2 files changed, 9 insertions, 2 deletions
diff --git a/roles/core/sshd/jump/defaults/main.yml b/roles/core/sshd/jump/defaults/main.yml
index 792c84a2..ada0554a 100644
--- a/roles/core/sshd/jump/defaults/main.yml
+++ b/roles/core/sshd/jump/defaults/main.yml
@@ -4,3 +4,5 @@
# authorized_keys:
# - ssh-ed25519 ....
# - ssh-rsa ...
+# permit_open:
+# - host:port
diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml
index 3403d8f8..2120cbd6 100644
--- a/roles/core/sshd/jump/tasks/main.yml
+++ b/roles/core/sshd/jump/tasks/main.yml
@@ -38,7 +38,8 @@
blockinfile:
marker: "# {mark} ansible core/sshd/jump"
block: |
- Match User {{ sshd_jump_users | list | join(',') }}
+ {% for name, config in sshd_jump_users.items() %}
+ Match User {{ name }}
AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
PasswordAuthentication no
PermitTTY no
@@ -49,8 +50,12 @@
AllowStreamLocalForwarding no
ForceCommand /sbin/nologin
AllowTcpForwarding local
- #PermitOpen any
+ PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }}
PermitListen none
+ {% if not loop.last %}
+
+ {% endif %}
+ {% endfor %}
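Review bot: The new `PermitOpen` line falls back to `any` only when `permit_open` is undefined, so `permit_open: []` renders a bare `PermitOpen` with no argument, which sshd rejects, and `permit_open:` with no entries (null) makes the `list` filter fail at render time; in the first case the `restart ssh` handler then restarts the daemon against a config it cannot load. Using the filter's strict-falsy mode covers both, `PermitOpen {{ config.permit_open | default(['any'], true) | list | join(' ') }}`, and adding `validate: '/usr/sbin/sshd -t -f %s'` (path per distribution) to the blockinfile task catches any bad render before the handler runs. The entries are inserted verbatim, so they are expected to be single `host:port` tokens — a value containing whitespace would be read by sshd as additional arguments; a short comment in defaults stating that, and that omitting `permit_open` leaves forwarding unrestricted as before, would make the contract explicit.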
insertafter: "### ansible core/sshd/base config barrier ###"
dest: /etc/ssh/sshd_config
notify: restart ssh