support for custom configuration

Signed-off-by: Matthias Lohr <mail@mlohr.com>

Author: MatthiasLohr

README.md

@@ -73,6 +73,8 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
 |`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
 |`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
+|`ssh_custom_options` | [] | Custom lines for SSH client configuration |
+|`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |
 
 ## Example Playbook
 

defaults/main.yml

@@ -221,3 +221,9 @@ ssh_server_revoked_keys: []
 # Set to false to turn the role into a no-op. Useful when using
 # the Ansible role dependency mechanism.
 ssh_hardening_enabled: true
+
+# Custom options for SSH client configuration file
+ssh_custom_options: []
+
+# Custom options for SSH daemon configuration file
+sshd_custom_options: []

templates/openssh.conf.j2

@@ -115,3 +115,7 @@ Compression yes
 # Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
 UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
 {% endif %}
+
+{% for line in ssh_custom_options %}
+{{ line }}
+{% endfor %}

templates/opensshd.conf.j2

@@ -221,6 +221,10 @@ DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
 # Reject keys that are explicitly blacklisted
 RevokedKeys /etc/ssh/revoked_keys
 
+{% for line in sshd_custom_options %}
+{{ line }}
+{% endfor %}
+
 {% if sftp_enabled %}
 # SFTP matching configuration
 # ===========================