Update to 2024-03-19 12:01

roles/ssh/defaults/main.yml

@@ -71,3 +71,7 @@ sshd_max_conn_per_minute: 0
 # Use DNS. If disabled, kerb auth won't be used (as it uses DNS)
 # You might need to disable it when you need no SSH login delay even if DNS is unavailable
 sshd_use_dns: True
+
+# List of users for which no management of the SSH keys will be done by ansible (they will
+# be able to set their own ~/.ssh/authorized_keys)
+ssh_local_users: []

roles/ssh/tasks/conf.yml

@@ -1,7 +1,10 @@
 ---
 
 - name: Deploy sshd configuration
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    validate: sshd -t -f %s
   notify: restart sshd
   tags: ssh
 

roles/ssh/templates/sshd_config.j2

@@ -57,7 +57,7 @@ X11Forwarding no
 Subsystem       sftp    internal-sftp
 
 # Local user are managed separately
-Match User root,ansible,lbkp,zimbra,zfs-recv
+Match User root,ansible,lbkp,zimbra,zfs-recv{% if ssh_local_users | length > 0 %},{{ ssh_local_users | join(',') }}{% endif +%}
   AuthorizedKeysFile /etc/ssh/authorized_keys/%u/authorized_keys %h/.ssh/authorized_keys
 
 {% for user in ssh_users | default([]) %}