Allow ssh_allow_tcp_forwarding to be a boolean (#600)

* Allow ssh_allow_tcp_forwarding to be a boolean

Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>

* Update documentation related to ssh_allow_tcp_forwarding

Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>

Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
Cristian Baldi 2022-11-23 13:45:01 +01:00 committed by GitHub
parent 03f3974f37
commit 7d1da63c94
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 3 deletions


@ -64,7 +64,7 @@ As this role requires root-privileges, we added `become: true` to all tasks. So
- Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required!
- `ssh_allow_tcp_forwarding`
- Default: `no`
- Description: `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. <br> _Note_: values passed to this variable must be strings, thus values `'yes'`and`'no'` should be passed with quotes.
- Description: `'no'` or `False` to disable TCP Forwarding. Set to `'yes'` or `True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`.
- `ssh_gateway_ports`
- Default: `false`
- Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.
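Review bot: The rewritten Description for `ssh_allow_tcp_forwarding` drops the quoting note but does not say how values outside the listed set are handled, and it still runs `'local'`or`'remote'` together without spaces. Suggest stating that `'all'`, `'local'` and `'remote'` must still be passed as quoted strings, and that anything else is resolved through the template's `|bool` fallback, so a reader knows which inputs end up enabling forwarding. The Default line still shows a bare `no`; saying whether that is the string or the boolean would remove the remaining ambiguity.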


@ -197,9 +197,9 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
# Disable forwarding tcp connections.
# no real advantage without denied shell access
{% if sshd_version is version('6.2', '>=') %}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all', 'remote')) else 'no' }}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all', 'remote')) else ('yes' if (ssh_allow_tcp_forwarding|bool) else 'no') }}
{% else %}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else ('yes' if (ssh_allow_tcp_forwarding|bool) else 'no') }}
{% endif %}
# Disable agent forwarding, since local agent could be accessed through forwarded connection.
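Review bot: The new fallback `('yes' if (ssh_allow_tcp_forwarding|bool) else 'no')` in both `AllowTcpForwarding` lines accepts more than the booleans the commit title describes: any value the `bool` filter treats as true, such as the string `'true'` or the integer `1`, now renders `yes`, where the previous expression rendered `no` for everything outside the allowed list. For a hardening template it is safer to enable forwarding only for an actual boolean, for example with `ssh_allow_tcp_forwarding is sameas true`, and keep `no` for every other unrecognised value. In the pre-6.2 branch, `'local'`, `'all'` and `'remote'` still fall through to `no`, which is a safe result but happens silently; a comment there would help. The same expression is now duplicated across both branches, so computing the boolean mapping once before the version check would keep them from drifting apart. The summary lists only two changed files, so no test covers the `True`/`False` inputs; one case for each would be worth adding.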