From 7fd90c2d7fc6cb6d93a4f1a9fb9e801e6519c738 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 13 Apr 2021 01:49:06 +0200
Subject: sshd/jump allow configuration of PermitOpen per jump user

---
 roles/core/sshd/jump/defaults/main.yml | 2 ++
 roles/core/sshd/jump/tasks/main.yml | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'roles')

diff --git a/roles/core/sshd/jump/defaults/main.yml b/roles/core/sshd/jump/defaults/main.yml
index 792c84a2..ada0554a 100644
--- a/roles/core/sshd/jump/defaults/main.yml
+++ b/roles/core/sshd/jump/defaults/main.yml
@@ -4,3 +4,5 @@
 # authorized_keys:
 # - ssh-ed25519 ....
 # - ssh-rsa ...
+# permit_open:
+# - host:port
diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml
index 3403d8f8..2120cbd6 100644
--- a/roles/core/sshd/jump/tasks/main.yml
+++ b/roles/core/sshd/jump/tasks/main.yml
@@ -38,7 +38,8 @@
 blockinfile:
 marker: "# {mark} ansible core/sshd/jump"
 block: |
-Match User {{ sshd_jump_users | list | join(',') }}
+{% for name, config in sshd_jump_users.items() %}
+Match User {{ name }}
 AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
 PasswordAuthentication no
 PermitTTY no
@@ -49,8 +50,12 @@
 AllowStreamLocalForwarding no
 ForceCommand /sbin/nologin
 AllowTcpForwarding local
-#PermitOpen any
+PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }}
 PermitListen none
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
 insertafter: "### ansible core/sshd/base config barrier ###"
 dest: /etc/ssh/sshd_config
 notify: restart ssh
--
cgit v1.2.3
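Review bot: The new `PermitOpen` line in the second hunk of tasks/main.yml fails open: when a jump user's entry has no `permit_open` key (or the key is misspelled), `default(['any'])` renders `PermitOpen any`, so that user gets unrestricted local TCP forwarding even though the point of this change is to scope it per user. Consider a fail-closed fallback, `PermitOpen {{ config.permit_open | default(['none']) | list | join(' ') }}`, or, if `any` must stay the default for existing hosts, say so in the commented example in defaults/main.yml (`# permit_open:  # optional; omitted means 'any', i.e. unrestricted`). Each list element is interpolated unquoted into sshd_config, so a value containing whitespace would turn into additional directives inside the `Match` block; an `assert` task that checks every entry against a `host:port` pattern before the blockinfile runs would catch that as well as key-name typos. The `{% for %}`/`{% if %}` lines inside the `block: |` scalar presumably rely on Ansible's Jinja environment stripping the newline after a block tag; confirm against the rendered sshd_config, since a malformed line there makes sshd reject its whole config. The blockinfile task begins above line 38 and is only partly visible in this hunk.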