make it possible to configure more then yes and no for PermitTunnel (#715)

This is a breaking change, since the default variable is now a string instead of a bool

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>

.aar_doc.yml

@@ -19,6 +19,12 @@ output_template: |
     - Description: {{ details.display_description }}
     - Type: {{ details.display_type }}
     - Required: {{ details.display_required }}
+    {%- if details.choices %}
+    - Choices:
+      {%- for choice in details.choices %}
+      - {{ choice }}
+      {%- endfor %}
+    {%- endif %}
   {%- endfor %}
   {%- endfor %}
 

molecule/ssh_hardening_custom_tests/converge.yml

@@ -38,7 +38,7 @@
     ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
     ssh_max_auth_retries: 10
     ssh_permit_root_login: "without-password"
-    ssh_permit_tunnel: true
+    ssh_permit_tunnel: 'yes'
     ssh_print_motd: true
     ssh_print_last_log: true
     ssh_banner: true

roles/ssh_hardening/README.md

@@ -272,10 +272,15 @@ Warning: This role disables root-login on the target server! Please make sure yo
   - Type: str
   - Required: no
 - `ssh_permit_tunnel`
-  - Default: `false`
+  - Default: `no`
-  - Description: Set to `true` if SSH Port Tunneling is required.
+  - Description: Specifies whether tun(4) device forwarding is allowed. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and ethernet.
-  - Type: bool
+  - Type: str
   - Required: no
+  - Choices:
+    - no
+    - yes
+    - point-to-point
+    - ethernet
 - `ssh_print_debian_banner`
   - Default: `false`
   - Description: Set to `true` to print debian specific banner.

roles/ssh_hardening/defaults/main.yml

@@ -65,7 +65,7 @@ ssh_client_alive_interval: 300 # sshd
 ssh_client_alive_count: 3 # sshd
 
 # Allow SSH Tunnels
-ssh_permit_tunnel: false
+ssh_permit_tunnel: "no"
 
 # Hosts with custom options.        # ssh
 # Example:

roles/ssh_hardening/meta/argument_specs.yml

@@ -63,9 +63,15 @@ argument_specs:
           before disconnecting clients.
         type: int
       ssh_permit_tunnel:
-        default: false
+        default: 'no'
-        type: bool
+        description: Specifies whether tun(4) device forwarding is allowed. The argument
-        description: Set to `true` if SSH Port Tunneling is required.
+          must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying
+          yes permits both point-to-point and ethernet.
+        choices:
+          - 'no'
+          - 'yes'
+          - point-to-point
+          - ethernet
       ssh_remote_hosts:
         default: []
         type: list

roles/ssh_hardening/templates/opensshd.conf.j2

@@ -192,7 +192,7 @@ ClientAliveInterval {{ ssh_client_alive_interval }}
 ClientAliveCountMax {{ ssh_client_alive_count }}
 
 # Disable tunneling
-PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
+PermitTunnel {{ ssh_permit_tunnel }}
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access