From 03abd912c95729d6547e10b362153253411e3eca Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 16 Nov 2023 12:02:02 +0100
Subject: [PATCH] make it possible to configure more then yes and no for PermitTunnel This is a breaking change, since the default variable is now a string instead of a bool
Signed-off-by: Sebastian Gumprich
---
.aar_doc.yml | 6 ++++++
roles/ssh_hardening/README.md | 11 ++++++++---
roles/ssh_hardening/defaults/main.yml | 2 +-
roles/ssh_hardening/meta/argument_specs.yml | 12 +++++++++---
roles/ssh_hardening/templates/opensshd.conf.j2 | 2 +-
5 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/.aar_doc.yml b/.aar_doc.yml
index 492f023c9..1ec52d6c8 100644
--- a/.aar_doc.yml
+++ b/.aar_doc.yml
@@ -19,6 +19,12 @@ output_template: | - Description: {{ details.display_description }} - Type: {{ details.display_type }} - Required: {{ details.display_required }} + {%- if details.choices %} + - Choices: + {%- for choice in details.choices %} + - {{ choice }} + {%- endfor %} + {%- endif %} {%- endfor %} {%- endfor %}
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index cc4e6c294..edc8b0bcc 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -269,10 +269,15 @@ Warning: This role disables root-login on the target server! Please make sure yo - Type: str - Required: no - `ssh_permit_tunnel` - - Default: `false` - - Description: Set to `true` if SSH Port Tunneling is required. - - Type: bool + - Default: `no` + - Description: Specifies whether tun(4) device forwarding is allowed. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and ethernet. + - Type: str - Required: no + - Choices: + - no + - yes + - point-to-point + - ethernet - `ssh_print_debian_banner` - Default: `false` - Description: Set to `true` to print debian specific banner.
diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
index 8870628db..4c21c8cd7 100644
--- a/roles/ssh_hardening/defaults/main.yml
+++ b/roles/ssh_hardening/defaults/main.yml
@@ -65,7 +65,7 @@ ssh_client_alive_interval: 300 # sshd ssh_client_alive_count: 3 # sshd # Allow SSH Tunnels -ssh_permit_tunnel: false +ssh_permit_tunnel: "no" # Hosts with custom options. # ssh # Example:
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
index d8017d025..9361672b9 100644
--- a/roles/ssh_hardening/meta/argument_specs.yml
+++ b/roles/ssh_hardening/meta/argument_specs.yml
@@ -63,9 +63,15 @@ argument_specs: before disconnecting clients. type: int ssh_permit_tunnel: - default: false - type: bool - description: Set to `true` if SSH Port Tunneling is required. + default: 'no' + description: Specifies whether tun(4) device forwarding is allowed. The argument + must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying + yes permits both point-to-point and ethernet. + choices: + - 'no' + - 'yes' + - point-to-point + - ethernet ssh_remote_hosts: default: [] type: list
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
index 59f876545..d8a0b8409 100644
--- a/roles/ssh_hardening/templates/opensshd.conf.j2
+++ b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -192,7 +192,7 @@ ClientAliveInterval {{ ssh_client_alive_interval }} ClientAliveCountMax {{ ssh_client_alive_count }} # Disable tunneling -PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }} +PermitTunnel {{ ssh_permit_tunnel }} # Disable forwarding tcp connections. # no real advantage without denied shell access
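Review bot: The context comment `# Allow SSH Tunnels` above the changed `ssh_permit_tunnel: "no"` still describes the old on/off switch, while the value is now one of four sshd keywords, and the quoting that makes `"no"` a string rather than a YAML 1.1 boolean is exactly the detail a user copying this default into their own vars needs to keep. Replace the comment with `# PermitTunnel value: "no", "yes", "point-to-point" or "ethernet" (keep it quoted; a bare yes/no is read as a boolean)`. The quoted default itself is correct.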
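Review bot: The rewritten `ssh_permit_tunnel` spec removes `type: bool` but adds no replacement type, so the README in this same commit documents `Type: str` that the argument spec does not actually declare; add `type: str` directly under `default: 'no'` so validation converts and checks the value the way the documentation describes. The quoted `'no'`/`'yes'` choices are right (unquoted they would load as booleans), but a caller who writes `ssh_permit_tunnel: yes` unquoted in a play still hands the role a boolean, which presumably fails the `choices` check rather than mapping to `yes`; the description should say so, e.g. by appending `Quote the value in your playbook; an unquoted yes/no is read as a boolean.` to the folded description.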
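Review bot: `PermitTunnel {{ ssh_permit_tunnel }}` renders the variable without any normalisation, so a boolean — the pre-change interface every existing user of this role is on, or an unquoted `yes`/`no` in a playbook, which YAML reads as a boolean — becomes `PermitTunnel True`/`False`, which is not among the four values the commit itself documents for the option (yes, point-to-point, ethernet, no). The removed line handled booleans; keep that path for them and pass strings through unchanged: `PermitTunnel {{ ('yes' if ssh_permit_tunnel else 'no') if (ssh_permit_tunnel is sameas true or ssh_permit_tunnel is sameas false) else ssh_permit_tunnel }}`. The context comment `# Disable tunneling` above it is now stale as well, since the value can enable layer-2 or layer-3 tunnels; `# Tunnel device forwarding: no, yes, point-to-point or ethernet` describes what is rendered.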