From fa71d35cabe2dc711c5b3a7199b8e819d34d472c Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Mon, 1 Aug 2016 12:46:45 -0400
Subject: [PATCH] Add @trusted_ssh_type for user to override
We need to expose the ability to override the type of match we want to do. For example, we want to do match address 1.2.3.4 in sshd_config.
Change-Id: I28c5d71e62a62bd27f289a8bd70b235eac213e5c
Signed-off-by: Paul Belanger
---
manifests/init.pp | 1 +
templates/sshd_config.erb | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 6f1c8d1..d15bcad 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,7 @@
 # == Class: ssh
 #
 class ssh (
+ $trusted_ssh_type = 'host',
 $trusted_ssh_source = 'puppetmaster.openstack.org',
 $permit_root_login = 'no',
 ) {
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 4592a86..2ed0efe 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -86,7 +86,7 @@ Subsystem sftp <%= scope.lookupvar('::ssh::params::sftp_path') %>
 UsePAM yes
 # allow ansible connections from puppetmaster host
-Match host <%= @trusted_ssh_source %>
+Match <%= @trusted_ssh_type %> <%= @trusted_ssh_source %>
 PermitRootLogin without-password
 # allow ansible connections from localhost
 Match host localhost
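Review bot: `$trusted_ssh_type` is added to the `class ssh` parameter list without any validation, and the template hunk in `templates/sshd_config.erb` writes it verbatim as the criterion of the `Match` block that grants `PermitRootLogin without-password`. A typo would render a keyword sshd does not accept, which likely makes sshd reject the config on its next restart, and a value such as `user` would change who gets key-based root login rather than where it is allowed from. Consider restricting it at the top of the class body, e.g. `validate_re($trusted_ssh_type, '^(host|address)$')` if puppetlabs-stdlib is available to this module, and documenting both `$trusted_ssh_*` parameters under the `# == Class: ssh` header. The class body continues outside the hunk.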
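Review bot: The comment above the changed `Match` line still reads "from puppetmaster host" although the criterion is now configurable, and the default remains `host`, which sshd evaluates against the reverse-resolved client name. With `UseDNS no` a hostname in `Match host` does not match at all, and with lookups enabled the root-login exception is only as trustworthy as the resolver answering them. I would reword the comment to `# allow ansible connections from the trusted source (see trusted_ssh_type)` and note in the class documentation that `address` is the DNS-independent choice. The `Match host localhost` block at the end of the hunk continues outside it.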