From bfaa81f5223151d77b049f3c78e75cab528ee8c8 Mon Sep 17 00:00:00 2001
From: pizzaniels
Date: Sun, 15 Jan 2023 14:31:34 +0100
Subject: [PATCH] added ssh_conf. set HashKnownHosts to no to make known_hosts human readable and reviewable. Also set GSSAPIAuthentication to no because it is not required.
---
roles/ssh/files/ssh_config | 54 ++++++++++++++++++++++++++++++++++++++
roles/ssh/tasks/main.yml | 5 ++++
2 files changed, 59 insertions(+)
create mode 100644 roles/ssh/files/ssh_config
diff --git a/roles/ssh/files/ssh_config b/roles/ssh/files/ssh_config
new file mode 100644
index 0000000..9ea50e1
--- /dev/null
+++ b/roles/ssh/files/ssh_config
@@ -0,0 +1,54 @@
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
+# ForwardAgent no
+# ForwardX11 no
+# ForwardX11Trusted yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+ SendEnv LANG LC_*
+
+# set HashKnownHosts to no to make known_hosts human readable and reviewable.
+# HashKnownHosts yes
+# GSSAPIAuthentication yes
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
index b5ffdfa..9c7311c 100644
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
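Review bot: The last two added lines comment out `HashKnownHosts yes` and `GSSAPIAuthentication yes` instead of setting the values the commit message describes, so the effective setting is whatever the OpenSSH build default is, and the comment directly above (`set HashKnownHosts to no`) contradicts the `# HashKnownHosts yes` line under it. Writing the intent explicitly inside the `Host *` block — `HashKnownHosts no` and `GSSAPIAuthentication no` — keeps the policy reviewable in the file itself rather than in the binary's defaults. The `Include /etc/ssh/ssh_config.d/*.conf` line precedes `Host *`, and the header comment states a value is only changed the first time it is set, so a drop-in in that directory (or a per-user config, which is parsed earlier) can still override either form; that directory needs the same review if the policy must hold. Since ssh_config(5) describes hashing as protection for host names if known_hosts is disclosed, the comment should also record that this trade-off was considered and accepted, e.g. `# HashKnownHosts no: readable/reviewable known_hosts preferred over hiding host names on file disclosure.`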
@@ -3,6 +3,11 @@
 src: "{{ role_path }}/files/sshd_config"
 dest: /etc/ssh/sshd_config
 register: sshd_config
+- name: Copy ssh config
+ copy:
+ src: "{{ role_path }}/files/ssh_config"
+ dest: /etc/ssh/ssh_config
+ register: ssh_config
 - name: Restart SSH service
 systemd:
 enabled: true
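Review bot: The new `Copy ssh config` task sets no `owner`, `group` or `mode`, so the ownership and permissions of /etc/ssh/ssh_config depend on the remote umask and on whatever file is already there; adding `owner: root`, `group: root` and `mode: "0644"` pins a root-owned, world-readable client config deterministically (the sshd_config task above has the same gap, but that is existing code). The `register: ssh_config` result has no consumer visible in the hunk, and a change to the client config does not require an sshd restart, so if the restart below is conditioned only on `sshd_config` this register is dead and could be dropped. The `Restart SSH service` task continues past the end of the hunk, so its condition cannot be checked here.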