make it possible to configure more then yes and no for PermitTunnel (#715)
This is a breaking change, since the default variable is now a string instead of a bool.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
This commit is contained in:
parent
aea12c8b90
commit
2db75b53c1
6 changed files with 26 additions and 9 deletions
|
@ -19,6 +19,12 @@ output_template: |
|
||||||
- Description: {{ details.display_description }}
|
- Description: {{ details.display_description }}
|
||||||
- Type: {{ details.display_type }}
|
- Type: {{ details.display_type }}
|
||||||
- Required: {{ details.display_required }}
|
- Required: {{ details.display_required }}
|
||||||
|
{%- if details.choices %}
|
||||||
|
- Choices:
|
||||||
|
{%- for choice in details.choices %}
|
||||||
|
- {{ choice }}
|
||||||
|
{%- endfor %}
|
||||||
|
{%- endif %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
|
|
@ -38,7 +38,7 @@
|
||||||
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
|
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
|
||||||
ssh_max_auth_retries: 10
|
ssh_max_auth_retries: 10
|
||||||
ssh_permit_root_login: "without-password"
|
ssh_permit_root_login: "without-password"
|
||||||
ssh_permit_tunnel: true
|
ssh_permit_tunnel: 'yes'
|
||||||
ssh_print_motd: true
|
ssh_print_motd: true
|
||||||
ssh_print_last_log: true
|
ssh_print_last_log: true
|
||||||
ssh_banner: true
|
ssh_banner: true
|
||||||
|
|
|
@ -272,10 +272,15 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
||||||
- Type: str
|
- Type: str
|
||||||
- Required: no
|
- Required: no
|
||||||
- `ssh_permit_tunnel`
|
- `ssh_permit_tunnel`
|
||||||
- Default: `false`
|
- Default: `no`
|
||||||
- Description: Set to `true` if SSH Port Tunneling is required.
|
- Description: Specifies whether tun(4) device forwarding is allowed. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and ethernet.
|
||||||
- Type: bool
|
- Type: str
|
||||||
- Required: no
|
- Required: no
|
||||||
|
- Choices:
|
||||||
|
- no
|
||||||
|
- yes
|
||||||
|
- point-to-point
|
||||||
|
- ethernet
|
||||||
- `ssh_print_debian_banner`
|
- `ssh_print_debian_banner`
|
||||||
- Default: `false`
|
- Default: `false`
|
||||||
- Description: Set to `true` to print debian specific banner.
|
- Description: Set to `true` to print debian specific banner.
|
||||||
|
|
|
@ -65,7 +65,7 @@ ssh_client_alive_interval: 300 # sshd
|
||||||
ssh_client_alive_count: 3 # sshd
|
ssh_client_alive_count: 3 # sshd
|
||||||
|
|
||||||
# Allow SSH Tunnels
|
# Allow SSH Tunnels
|
||||||
ssh_permit_tunnel: false
|
ssh_permit_tunnel: "no"
|
||||||
|
|
||||||
# Hosts with custom options. # ssh
|
# Hosts with custom options. # ssh
|
||||||
# Example:
|
# Example:
|
||||||
|
|
|
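Review bot: The comment `# Allow SSH Tunnels` above `ssh_permit_tunnel: "no"` no longer tells the reader which values the variable accepts now that it is a string rather than a bool; suggest `# PermitTunnel value for sshd: "no", "yes", "point-to-point" or "ethernet"; keep "no" unless tun(4) forwarding is actually required`. Quoting `"no"` is the right call, since a bare `no` is read as a boolean by YAML 1.1 loaders and the template in this commit would then render it into sshd_config as `False`. The same default is declared in the README and the argument spec in this commit — keep the three in step, and note the quote style differs between files (`"no"` here, `'no'` in the spec).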
@ -63,9 +63,15 @@ argument_specs:
|
||||||
before disconnecting clients.
|
before disconnecting clients.
|
||||||
type: int
|
type: int
|
||||||
ssh_permit_tunnel:
|
ssh_permit_tunnel:
|
||||||
default: false
|
default: 'no'
|
||||||
type: bool
|
description: Specifies whether tun(4) device forwarding is allowed. The argument
|
||||||
description: Set to `true` if SSH Port Tunneling is required.
|
must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying
|
||||||
|
yes permits both point-to-point and ethernet.
|
||||||
|
choices:
|
||||||
|
- 'no'
|
||||||
|
- 'yes'
|
||||||
|
- point-to-point
|
||||||
|
- ethernet
|
||||||
ssh_remote_hosts:
|
ssh_remote_hosts:
|
||||||
default: []
|
default: []
|
||||||
type: list
|
type: list
|
||||||
|
|
|
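Review bot: The new spec for `ssh_permit_tunnel` drops `type: bool` but does not add `type: str`, while the README change in this commit documents the variable as `Type: str`; add `type: str` directly under `default: 'no'` so the declared type is explicit and matches the docs instead of relying on the validator's implicit default. The `choices` list is now what keeps arbitrary text out of the `PermitTunnel` line in the rendered sshd_config, so a short comment such as `# must match the arguments sshd accepts for PermitTunnel` above `choices:` would make that dependency visible. A playbook still passing the old boolean (`ssh_permit_tunnel: true`) will presumably be rejected by this validation rather than silently coerced — confirm that is the intended failure mode for the breaking change.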
@ -192,7 +192,7 @@ ClientAliveInterval {{ ssh_client_alive_interval }}
|
||||||
ClientAliveCountMax {{ ssh_client_alive_count }}
|
ClientAliveCountMax {{ ssh_client_alive_count }}
|
||||||
|
|
||||||
# Disable tunneling
|
# Disable tunneling
|
||||||
PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
|
PermitTunnel {{ ssh_permit_tunnel }}
|
||||||
|
|
||||||
# Disable forwarding tcp connections.
|
# Disable forwarding tcp connections.
|
||||||
# no real advantage without denied shell access
|
# no real advantage without denied shell access
|
||||||
|
|
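Review bot: `PermitTunnel {{ ssh_permit_tunnel }}` now writes the variable verbatim, so a value that does not pass through the argument-spec choices (a legacy boolean `ssh_permit_tunnel: true` in an inventory, or a run where role argument validation is not in effect) is rendered as `PermitTunnel True`, which sshd does not accept and which would leave the daemon with an unloadable config on its next restart; the old expression at least coerced any input to `yes`/`no`. If the role validates the rendered file before installing it (for example a `validate:` running `sshd -t`) that catches the case, but a template-level guard such as `PermitTunnel {{ ssh_permit_tunnel if ssh_permit_tunnel in ['no', 'yes', 'point-to-point', 'ethernet'] else 'no' }}` would fail closed to the secure value instead of producing a broken config. The comment `# Disable tunneling` above the directive is now misleading since the value is configurable; suggest `# Tunnel device forwarding (PermitTunnel): no, yes, point-to-point or ethernet`.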