Commit
make it possible to configure more than yes and no for PermitTunnel
This is a breaking change, since the default variable is now a string instead of a bool

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
rndmh3ro committed Nov 16, 2023
1 parent 9bf243f commit 03abd91
Showing 5 changed files with 25 additions and 8 deletions.
6 changes: 6 additions & 0 deletions .aar_doc.yml
@@ -19,6 +19,12 @@ output_template: |
- Description: {{ details.display_description }}
- Type: {{ details.display_type }}
- Required: {{ details.display_required }}
{%- if details.choices %}
- Choices:
{%- for choice in details.choices %}
- {{ choice }}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endfor %}
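Review bot: nit on the new `{%- if details.choices %}` block: each choice is emitted as a bare word (`- {{ choice }}`), while defaults in the same template are shown in backticks (`- Default: `{{ ... }}``, giving `- Default: `no`` in the README). For values like `yes` and `no` the bare form reads like a YAML boolean rather than the quoted string the role expects; rendering `` - `{{ choice }}` `` would keep the README consistent and hint at the quoting.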
11 changes: 8 additions & 3 deletions roles/ssh_hardening/README.md
@@ -269,10 +269,15 @@ Warning: This role disables root-login on the target server! Please make sure yo
- Type: str
- Required: no
- `ssh_permit_tunnel`
- Default: `false`
- Description: Set to `true` if SSH Port Tunneling is required.
- Type: bool
- Default: `no`
- Description: Specifies whether tun(4) device forwarding is allowed. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and ethernet.
- Type: str
- Required: no
- Choices:
- no
- yes
- point-to-point
- ethernet
- `ssh_print_debian_banner`
- Default: `false`
- Description: Set to `true` to print debian specific banner.
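Review bot: the README entry for `ssh_permit_tunnel` does not mention the migration the commit message calls a breaking change: a user who still has `ssh_permit_tunnel: true` (the old bool form) gets no hint here that the value must now be one of the four listed strings. A one-line note next to `- Default: `no`` (e.g. "previously a bool; `true`/`false` are no longer accepted, use `"yes"`/`"no"`") would save readers a failed run; also consider showing the choices quoted (`"no"`, `"yes"`) since unquoted `no`/`yes` in an inventory are parsed as booleans.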
2 changes: 1 addition & 1 deletion roles/ssh_hardening/defaults/main.yml
@@ -65,7 +65,7 @@ ssh_client_alive_interval: 300 # sshd
ssh_client_alive_count: 3 # sshd

# Allow SSH Tunnels
ssh_permit_tunnel: false
ssh_permit_tunnel: "no"

# Hosts with custom options. # ssh
# Example:
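Review bot: the quoting in `ssh_permit_tunnel: "no"` is essential and should be called out in the comment above it: an unquoted `no` is a YAML 1.1 boolean, which would reach the template as `False` and render an invalid `PermitTunnel False`. Suggest expanding `# Allow SSH Tunnels` to state the accepted values and that they must be quoted strings, since anyone overriding this in group_vars will copy the pattern from here.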
12 changes: 9 additions & 3 deletions roles/ssh_hardening/meta/argument_specs.yml
@@ -63,9 +63,15 @@ argument_specs:
before disconnecting clients.
type: int
ssh_permit_tunnel:
default: false
type: bool
description: Set to `true` if SSH Port Tunneling is required.
default: 'no'
description: Specifies whether tun(4) device forwarding is allowed. The argument
must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying
yes permits both point-to-point and ethernet.
choices:
- 'no'
- 'yes'
- point-to-point
- ethernet
ssh_remote_hosts:
default: []
type: list
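Review bot: `type: bool` is removed but no `type: str` is added in its place, so the option's type is now only implied by the default (the README hunk already documents it as `str`). Declaring `type: str` explicitly documents the intent and is what the generated README relies on. On the plus side, the `choices:` list means a leftover `ssh_permit_tunnel: true` from an older inventory fails argument validation with the list of valid values instead of producing a broken sshd_config, which is the right failure mode for a breaking change; note that `'no'` and `'yes'` are correctly quoted here for the same YAML-boolean reason as in defaults/main.yml.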
2 changes: 1 addition & 1 deletion roles/ssh_hardening/templates/opensshd.conf.j2
@@ -192,7 +192,7 @@ ClientAliveInterval {{ ssh_client_alive_interval }}
ClientAliveCountMax {{ ssh_client_alive_count }}

# Disable tunneling
PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
PermitTunnel {{ ssh_permit_tunnel }}

# Disable forwarding tcp connections.
# no real advantage without denied shell access
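Review bot: the `# Disable tunneling` comment above `PermitTunnel {{ ssh_permit_tunnel }}` is now stale, since the directive can enable layer 2 or layer 3 tunnels depending on the variable; reword it to something like `# tun(4) device forwarding: no, yes, point-to-point or ethernet`. Dropping the old `|bool` normalisation also means the template now passes the value through verbatim, so the role depends entirely on the argument_specs `choices` check to keep values like `True` or `False` out of sshd_config; if the role does not already run `sshd -t` against the rendered file before reloading, that would be a cheap second line of defence.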
0 comments on commit 03abd91