Merge pull request #82 from pepoluan/allow_list_or_string

Allow list or string for some option, and setting of ConfigBanner

openssh/files/ssh_config

@@ -2,6 +2,7 @@
 {%- set ssh_config = salt['pillar.get']('ssh_config', default=default_settings.ssh_config, merge=True) -%}
 {#- present in ssh_config and known in actual file options -#}
 {%- set processed_options = [] -%}
+{%- set string_or_list_options = ['KexAlgorithms', 'Ciphers', 'MACs'] -%}
 
 {%- macro render_raw_option(keyword, value) -%}
   {%- if value is sameas true -%}
@@ -47,8 +48,31 @@
 {{ option_impl(keyword, default, True) }}
 {%- endmacro -%}
 
+{#- macro for collapsing a list into a string -#}
+{%- macro option_collapselist(keyword, sep) -%}
+{%- do processed_options.append(keyword) -%}
+{{keyword}} {{ssh_config.get(keyword)|join(sep)}}
+{%- endmacro -%}
+
+{#- macro for handling an option that can be specified as a list or a string -#}
+{%- macro option_string_or_list(keyword, default, default_commented, sep=',') -%}
+{%- if ssh_config.get(keyword, '') is string -%}
+  {%- if default_commented -%}
+{{ option(keyword, default) }}
+  {%- else -%}
+{{ option_default_uncommented(keyword, default) }}
+  {%- endif -%}
+{%- else -%}
+{{ option_collapselist(keyword, sep) }}
+{%- endif -%}
+{%- endmacro -%}
+
+{%- if ssh_config.get('ConfigBanner', False) -%}
+{{ ssh_config['ConfigBanner'] }}
+{%- else -%}
 # Do not edit this file manually!
 # It will be overwritten by salt!
+{%- endif %}
 
 {%- if 'Hosts' in ssh_config %}
 {%- do processed_options.append('Hosts') %}
@@ -64,8 +88,13 @@ Host {{ host }}
 {%- for keyword in ssh_config.keys() %}
   {#- Matches have to be at the bottom and should be handled differently -#}
   {%- if not keyword in processed_options and keyword != 'matches' -%}
+    {%- if not keyword in string_or_list_options -%}
 {#- send a blank default as it doesn't matter #}
 {{ render_option(keyword, '') }}
+    {%- else -%}
+{#- same as above #}
+{{ option_string_or_list(keyword, '', True) }}
+    {%- endif -%}
   {%- endif -%}
 {%- endfor %}
 
@@ -78,3 +107,6 @@ Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
     {%- endfor %}
   {%- endfor %}
 {%- endif %}
+
+{#- vim: set ft=jinja : #}
+

openssh/files/sshd_config

@@ -42,7 +42,30 @@
 {{ option_impl(keyword, default, True) }}
 {%- endmacro -%}
 
+{#- macro for collapsing a list into a string -#}
+{%- macro option_collapselist(keyword, sep) -%}
+{%- do processed_options.append(keyword) -%}
+{{keyword}} {{sshd_config.get(keyword)|join(sep)}}
+{%- endmacro -%}
+
+{#- macro for handling an option that can be specified as a list or a string -#}
+{%- macro option_string_or_list(keyword, default, default_commented, sep=',') -%}
+{%- if sshd_config.get(keyword, '') is string -%}
+  {%- if default_commented -%}
+{{ option(keyword, default) }}
+  {%- else -%}
+{{ option_default_uncommented(keyword, default) }}
+  {%- endif -%}
+{%- else -%}
+{{ option_collapselist(keyword, sep) }}
+{%- endif -%}
+{%- endmacro -%}
+
+{%- if sshd_config.get('ConfigBanner', False) -%}
+{{ sshd_config['ConfigBanner'] }}
+{%- else -%}
 # This file is managed by salt. Manual changes risk being overwritten.
+{%- endif %}
 # The contents of the original sshd_config are kept on the bottom for
 # quick reference.
 # See the sshd_config(5) manpage for details
@@ -170,13 +193,13 @@
 {{ option('AllowGroups', '') }}
 
 # Specifies the available KEX (Key Exchange) algorithms.
-{{ option('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1') }}
+{{ option_string_or_list('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', True) }}
 
 # Specifies the ciphers allowed for protocol version 2.
-{{ option('Ciphers', 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se') }}
+{{ option_string_or_list('Ciphers', 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se', True) }}
 
 # Specifies the available MAC (message authentication code) algorithms.
-{{ option('MACs', 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96') }}
+{{ option_string_or_list('MACs', 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96', True) }}
 
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
@@ -196,3 +219,5 @@ Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
     {%- endfor %}
   {%- endfor %}
 {%- endif %}
+
+{#- vim: set ft=jinja : #}

pillar.example

@@ -1,4 +1,9 @@
 sshd_config:
+  # This keyword is totally optional
+  ConfigBanner: |
+    # Alternative banner for the config file
+    # (Indented) hash signs lose their special meaning here
+    # and the lines will be written as-is.
   Port: 22
   Protocol: 2
   HostKey:
@@ -53,9 +58,14 @@ sshd_config:
         AllowTcpForwarding: no
         ForceCommand: internal-sftp
   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
-  KexAlgorithms: 'diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
+  # For these three keywords, the options may be specified as a list...
+  KexAlgorithms:
+    - diffie-hellman-group14-sha1
+    - diffie-hellman-group1-sha1
+  # ... or a single string.
   Ciphers: 'aes128-ctr,aes256-ctr'
   MACs: 'hmac-sha1'
+  # Similar situation for ssh_config
 
 ssh_config:
   StrictHostKeyChecking: no