From 2db75b53c13aef96def13a7cbe5b09c439c20587 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 16 Nov 2023 15:20:22 +0100 Subject: [PATCH] make it possible to configure more then yes and no for PermitTunnel (#715) This is a breaking change, since the default variable is now a string instead of a bool Signed-off-by: Sebastian Gumprich --- .aar_doc.yml | 6 ++++++ molecule/ssh_hardening_custom_tests/converge.yml | 2 +- roles/ssh_hardening/README.md | 11 ++++++++--- roles/ssh_hardening/defaults/main.yml | 2 +- roles/ssh_hardening/meta/argument_specs.yml | 12 +++++++++--- roles/ssh_hardening/templates/opensshd.conf.j2 | 2 +- 6 files changed, 26 insertions(+), 9 deletions(-) diff --git a/.aar_doc.yml b/.aar_doc.yml index 492f023c..1ec52d6c 100644 --- a/.aar_doc.yml +++ b/.aar_doc.yml @@ -19,6 +19,12 @@ output_template: | - Description: {{ details.display_description }} - Type: {{ details.display_type }} - Required: {{ details.display_required }} + {%- if details.choices %} + - Choices: + {%- for choice in details.choices %} + - {{ choice }} + {%- endfor %} + {%- endif %} {%- endfor %} {%- endfor %} diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml index 1c936867..b788766f 100644 --- a/molecule/ssh_hardening_custom_tests/converge.yml +++ b/molecule/ssh_hardening_custom_tests/converge.yml @@ -38,7 +38,7 @@ ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u' ssh_max_auth_retries: 10 ssh_permit_root_login: "without-password" - ssh_permit_tunnel: true + ssh_permit_tunnel: 'yes' ssh_print_motd: true ssh_print_last_log: true ssh_banner: true diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index 5b1858d5..0bc90f05 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md 
@@ -272,10 +272,15 @@ Warning: This role disables root-login on the target server! Please make sure yo - Type: str - Required: no - `ssh_permit_tunnel` - - Default: `false` - - Description: Set to `true` if SSH Port Tunneling is required. - - Type: bool + - Default: `no` + - Description: Specifies whether tun(4) device forwarding is allowed. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and ethernet. + - Type: str - Required: no + - Choices: + - no + - yes + - point-to-point + - ethernet - `ssh_print_debian_banner` - Default: `false` - Description: Set to `true` to print debian specific banner. diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml index 8870628d..4c21c8cd 100644 --- a/roles/ssh_hardening/defaults/main.yml +++ b/roles/ssh_hardening/defaults/main.yml @@ -65,7 +65,7 @@ ssh_client_alive_interval: 300 # sshd ssh_client_alive_count: 3 # sshd # Allow SSH Tunnels -ssh_permit_tunnel: false +ssh_permit_tunnel: "no" # Hosts with custom options. # ssh # Example: diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml index d8017d02..9361672b 100644 --- a/roles/ssh_hardening/meta/argument_specs.yml +++ b/roles/ssh_hardening/meta/argument_specs.yml @@ -63,9 +63,15 @@ argument_specs: before disconnecting clients. type: int ssh_permit_tunnel: - default: false - type: bool - description: Set to `true` if SSH Port Tunneling is required. + default: 'no' + description: Specifies whether tun(4) device forwarding is allowed. The argument + must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying + yes permits both point-to-point and ethernet. + choices: + - 'no' + - 'yes' + - point-to-point + - ethernet ssh_remote_hosts: default: [] type: list diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2 index 59f87654..d8a0b840 100644 
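Review bot: The argument_specs hunk removes `type: bool` without adding a replacement, so `ssh_permit_tunnel` now relies on Ansible's implicit default option type; make it explicit so the string conversion of a bare `yes`/`no` is intentional and visible to readers of the spec: add `type: str` under `ssh_permit_tunnel:` next to `default: 'no'`. Quoting `'no'` and `'yes'` in both `default` and `choices` is correct, because unquoted they are YAML 1.1 booleans and would never match the strings sshd expects. Since this is announced as a breaking change, the description should also tell users to quote the value in their own vars (`ssh_permit_tunnel: "no"`), as a bare `no` is still loaded as a boolean and only survives if role argument validation happens to normalise it.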
--- a/roles/ssh_hardening/templates/opensshd.conf.j2 +++ b/roles/ssh_hardening/templates/opensshd.conf.j2 @@ -192,7 +192,7 @@ ClientAliveInterval {{ ssh_client_alive_interval }} ClientAliveCountMax {{ ssh_client_alive_count }} # Disable tunneling -PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }} +PermitTunnel {{ ssh_permit_tunnel }} # Disable forwarding tcp connections. # no real advantage without denied shell access
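Review bot: The new `PermitTunnel {{ ssh_permit_tunnel }}` renders the variable verbatim, so a caller who keeps the old boolean or writes a bare YAML 1.1 `yes`/`no` gets Jinja's `True`/`False` in sshd_config, which sshd rejects as a bad PermitTunnel argument; the config then fails its check and sshd will not (re)start, a lockout risk for a hardening role. Role argument-spec validation may map such booleans back to the matching choice, but the template should not depend on it running (older ansible-core, or validation disabled), so keep a defensive mapping: `PermitTunnel {{ 'yes' if ssh_permit_tunnel is sameas true else ('no' if ssh_permit_tunnel is sameas false else ssh_permit_tunnel) }}`. The comment above the directive, `# Disable tunneling`, is now stale because the value can enable layer-2 or layer-3 tunnels; `# tun(4) device forwarding: no, yes, point-to-point or ethernet (ssh_permit_tunnel)` describes the new behaviour.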