feat(ssh_known_hosts): allow to omit IP addresses

Author: alxwr

docs/README.rst

@@ -117,7 +117,7 @@ setup those functions through pillar::
       public_ssh_host_keys:
         mine_function: cmd.run
         cmd: cat /etc/ssh/ssh_host_*_key.pub
-        python_shell: True
+        python_shell: true
       public_ssh_hostname:
         mine_function: grains.get
         key: id
@@ -210,7 +210,20 @@ To **include localhost** and local IP addresses (``127.0.0.1`` and ``::1``) use
 
     openssh:
       known_hosts:
-        include_localhost: True
+        include_localhost: true
+
+To prevent ever-changing IP addresses from being added to a host, use this::
+
+    openssh:
+      known_hosts:
+        omit_ip_address:
+          - my.host.tld
+
+To completely disable adding IP addresses::
+
+    openssh:
+      known_hosts:
+        omit_ip_address: true
 
 ``openssh.moduli``
 ^^^^^^^^^^^^^^^^^^

openssh/files/default/ssh_known_hosts

@@ -3,11 +3,16 @@
 #}
 
 {#- Generates one known_hosts entry per given key #}
-{%- macro known_host_entry(host, host_names, keys, include_localhost) %}
+{%- macro known_host_entry(host, host_names, keys, include_localhost, omit_ip_address) %}
 
 {#-   Get IPv4 and IPv6 addresses from the DNS #}
-{%-   set ip4 = salt['dig.A'](host) -%}
-{%-   set ip6 = salt['dig.AAAA'](host) -%}
+{%-   if not (omit_ip_address is sameas true or host in omit_ip_address) %}
+{%-     set ip4 = salt['dig.A'](host) -%}
+{%-     set ip6 = salt['dig.AAAA'](host) -%}
+{%-   else %}
+{%-     set ip4 = [] -%}
+{%-     set ip6 = [] -%}
+{%-   endif %}
 
 {#-   The host names to use are to be found within the dict 'host_names'. #}
 {#-   If there are none, the host is used directly. #}
@@ -59,6 +64,7 @@
 {%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
 {%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
 {%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}
+{%- set omit_ip_address = salt['pillar.get']('openssh:known_hosts:omit_ip_address', []) -%}
 
 {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
     in the SSH known_hosts entry -#}
@@ -98,5 +104,5 @@
 
 {#- Loop over targetted minions -#}
 {%- for host, keys in host_keys| dictsort -%}
-{{ known_host_entry(host, host_names, keys, include_localhost) }}
+{{ known_host_entry(host, host_names, keys, include_localhost, omit_ip_address) }}
 {%- endfor -%}

pillar.example

@@ -335,6 +335,13 @@ openssh:
     static:
       github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
       gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
+    # Prevent an ever-changing ssh_known_hosts file caused by a domain which
+    # is served from multiple IP addresses.
+    # To disable completely:
+    # omit_ip_address: true
+    # Or to disable by specific hosts:
+    omit_ip_address:
+      - github.com
 
   # yamllint disable rule:line-length
   # specify DH parameters (see /etc/ssh/moduli)

test/salt/pillar/default.sls

@@ -168,6 +168,8 @@ openssh:
     static:
       github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
       gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
+    omit_ip_address:
+      - github.com
 
   # specify DH parameters (see /etc/ssh/moduli)
   # yamllint disable rule:line-length