
ssh: explicitly enable or disable the service at boot #771

Merged: 1 commit, Jun 24, 2024

Conversation

@Byh0ki Byh0ki (Contributor) commented Jun 16, 2024

Hello,

This PR aims to explicitly allow someone to enable or disable the sshd service at boot. There are 2 main reasons/use cases:

  1. We should not trust the distro/package manager default state for the service. We should explicitly set the "enabled" setting to true or false if that's what we want.
  2. Even given the usual need for an always-on sshd for an Ansible user, Ansible can also be used with a local connection. For example, I'm planning on using this role to configure sshd on a laptop. I don't need the service up and running at each boot, but I would still like to benefit from the hardened settings when I'm starting it to transfer some files or to work on my laptop from a remote computer.

Hopefully my variable naming is not too confusing; maybe we could rename the ssh_server_enabled var, but this would create a breaking change :/

S.

  ansible.builtin.service:
    name: "{{ sshd_service_name }}"
    enabled: "{{ ssh_server_service_enabled }}"
  become: true
Member

Why did you add become here?

Contributor Author

I've copied the behavior from handlers/main.yml, but I've just realized that become is already passed as an arg in tasks/main.yml. I'll correct this part.

In the mean time, shouldn't we also check that the package is installed with

- name: Install openssh
  ansible.builtin.package:
    name: "{{ ssh_pkg_name }}"
    state: present

for the same reasons I listed above? The role is almost complete (from a "I want to have a functioning ssh server or client" POV) and it seems quite strange to install and enable the service outside of this role. I'm curious about your thoughts on that

Member

In the past, we always assumed that ssh is installed. But since we're now already changing how ssh is started (see https://github.com/dev-sec/ansible-collection-hardening/blob/master/roles/ssh_hardening/tasks/disable-systemd-socket.yml) I don't see any reason not to install it, too.

Do you want to create an additional PR for this?

Contributor Author

Indeed, I'll create an MR for that, if it's OK for you?

Member

Yes, please. :)
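The two changes discussed in this thread (explicitly setting the boot state of sshd, and installing the package instead of assuming it is present) fit together in one task list. The following is an added example written for this page; it is not the dev-sec role's own tasks/main.yml. The variables ssh_pkg_name, sshd_service_name and ssh_server_service_enabled are the ones named in the thread; ssh_server_service_state and the read-back/assert tasks are assumptions added here to show the check a practitioner would want after the role runs. As noted in the thread, become is already applied where the tasks are included, so it is not repeated per task.

```yaml
# Added example, not the role's own code.
# ssh_pkg_name, sshd_service_name, ssh_server_service_enabled: from the PR.
# ssh_server_service_state: assumed variable (default "started").
- name: Install openssh
  ansible.builtin.package:
    name: "{{ ssh_pkg_name }}"
    state: present

- name: Explicitly set whether sshd starts at boot (do not trust the distro default)
  ansible.builtin.service:
    name: "{{ sshd_service_name }}"
    enabled: "{{ ssh_server_service_enabled | bool }}"
    # "started" keeps the usual always-on server for remote Ansible;
    # "stopped" fits the laptop case where sshd is started by hand when needed.
    state: "{{ ssh_server_service_state | default('started') }}"

- name: Read back the boot state from systemd
  ansible.builtin.command: systemctl is-enabled {{ sshd_service_name }}
  register: sshd_enabled_check
  changed_when: false
  failed_when: false   # "systemctl is-enabled" exits non-zero when the unit is disabled

- name: Fail the run if the recorded boot state is not the one requested
  ansible.builtin.assert:
    that:
      - (sshd_enabled_check.stdout | trim) == ('enabled' if (ssh_server_service_enabled | bool) else 'disabled')
    fail_msg: >-
      {{ sshd_service_name }} is "{{ sshd_enabled_check.stdout | trim }}",
      expected enabled={{ ssh_server_service_enabled }}
```

Two caveats when using a check like this. First, `systemctl is-enabled` can also report states such as `static`, `indirect` or `alias` for units that are not directly enabled; the strict comparison above is deliberate so that those cases surface instead of passing silently. Second, disabling the service unit alone is not sufficient on distributions that socket-activate sshd: an enabled socket unit starts the service on the first incoming connection regardless of the service's own enabled state, which is why the role's disable-systemd-socket.yml (linked above) matters for the "disabled at boot" use case.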

Signed-off-by: Sevan Murriguian-Watrin <git@byh0ki.fr>
@Byh0ki Byh0ki force-pushed the ssh-sshd-service-enable branch from 72057b1 to a7fe280 on June 20, 2024 00:56
@rndmh3ro rndmh3ro merged commit b0488e8 into dev-sec:master Jun 24, 2024
36 checks passed
@Byh0ki Byh0ki deleted the ssh-sshd-service-enable branch June 24, 2024 08:51