From 6e1058e59e8326b35c2d95a0e0d080c53135f6a9 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Thu, 1 May 2025 16:25:32 +0200
Subject: [PATCH] enable ssh host key verification over DNS
---
 roles/base/files/system_setup/ssh_custom.conf | 1 +
 roles/base/tasks/system_setup/openssh.yml | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 roles/base/files/system_setup/ssh_custom.conf
diff --git a/roles/base/files/system_setup/ssh_custom.conf b/roles/base/files/system_setup/ssh_custom.conf
new file mode 100644
index 0000000..ec8194e
--- /dev/null
+++ b/roles/base/files/system_setup/ssh_custom.conf
@@ -0,0 +1 @@
+VerifyHostKeyDNS yes
\ No newline at end of file
diff --git a/roles/base/tasks/system_setup/openssh.yml b/roles/base/tasks/system_setup/openssh.yml
index 1bf736a..99b4d33 100644
--- a/roles/base/tasks/system_setup/openssh.yml
+++ b/roles/base/tasks/system_setup/openssh.yml
@@ -36,6 +36,16 @@
 mode: '0644'
 notify: restart_sshd
 
+- name: system setup | openssh | copy ssh client custom config
+ tags: openssh,ssh,system,settings
+ copy:
+ force: True
+ src: system_setup/ssh_custom.conf
+ dest: /etc/ssh/ssh_config.d/custom.conf
+ owner: root
+ group: root
+ mode: '0644'
+
 - name: system setup | openssh | install fail2ban
 tags: fail2ban,ssh,system,settings
 package:
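Review bot: `VerifyHostKeyDNS yes` makes the client accept a host key without prompting whenever the matching SSHFP record is reported as DNSSEC-secure, and that report is only the AD flag returned by whatever resolver the host uses. Trust therefore moves from known_hosts to the resolver and the network path to it, and nothing visible in this patch ensures a validating resolver on a trusted path. The file should state that prerequisite in a comment, for example `# needs a DNSSEC-validating resolver on a trusted path (ideally local); otherwise prefer 'ask'`. On hosts that cannot meet it, `VerifyHostKeyDNS ask` still shows the fingerprint match but leaves confirmation to the user. The file is also committed without a trailing newline.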
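Review bot: The new copy task assumes `/etc/ssh/ssh_config.d/` already exists and that `/etc/ssh/ssh_config` includes it, and neither is established in the lines shown. Where the directory is missing the copy fails, and where the `Include` is absent the setting is silently not applied while the play still reports success. A comment above the task such as `# relies on 'Include /etc/ssh/ssh_config.d/*.conf' in /etc/ssh/ssh_config` would record the dependency, and a follow-up task could inspect `ssh -G` output to confirm the effective VerifyHostKeyDNS value. `force: True` restates the module default, so it can be dropped or written as `force: true`.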