
Add the old SFTP-Reminder to the stable ssh_hardening role for ansible #521

Closed
saintcore opened this issue Jan 17, 2022 · 3 comments · Fixed by #564

Comments

@saintcore

saintcore commented Jan 17, 2022

In the readme.md of the archived old ssh hardening role (https://github.com/dev-sec/ansible-ssh-hardening) you're explaining that this role disables by default the sftp ssh-module which is used by ansible for various commands and modules:

> After using the role Ansible's template/copy/file module does not work anymore!

> This role by default deactivates SFTP. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set scp_if_ssh = True in your ansible.cfg. This way Ansible uses SCP to copy files. Alternatively you can enable SFTP again by setting sftp_enabled to true.

This little text does not exist in the new ssh_hardening role readme.md (https://github.com/dev-sec/ansible-collection-hardening/tree/master/roles/ssh_hardening). Why is the quoted text not available here? Ansible still seems to prefer the usage of sftp over scp. I assume this as I still get a warning message from ansible-playbook after running this role without sftp_enabled: true.
The warning message is:

    [WARNING]: sftp transfer mechanism failed on [hostname]. Use ANSIBLE_DEBUG=1 to see detailed information

If I add 'scp_if_ssh = True' to ansible.cfg, the warning goes away. As the tasks (template and file copy) still run and replace files without scp_if_ssh = True and disabled ssh sftp module, I'm assuming the new ansible behavior is an automatic fallback to scp.

For my first test usage of this role, I only read through the notes at the end of the readme.md and not all listed vars, so I wasn't aware of the sftp behavior. Even if I had read through them, I'm sure I wouldn't have been aware of Ansible and its usage of sftp (and I believe this is true for most people out there who aren't using Ansible all day long). So what I ask for would be:

  • Add an updated (fallback behavior seems to be new) version of the old quoted text to the notes section at the end of readme.md (https://github.com/dev-sec/ansible-collection-hardening/tree/master/roles/ssh_hardening)
  • OR just add a little more descriptive text to the var sftp_enabled within the same readme.md For example:
    • Description: true to enable sftp configuration. Ansible uses sftp by default for various operations and will fall back to scp by default if sftp is disabled or not available. You can configure Ansible to use scp by default by adding scp_if_ssh = True in your ansible.cfg

Please note: I know this is not really a bug or a missing feature, and people with deep knowledge of and/or experience with the tools and OS they use will be aware of this. Also a big thanks for these roles; they seem to be a great baseline to start with.
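To make the interaction described in this issue concrete, here is a small added check (not code from the issue or from the dev-sec project) that reads an sshd_config and an ansible.cfg and reports which transfer path Ansible will end up using. It assumes, as the dev-sec template does when sftp_enabled is false, that disabling SFTP means there is no active "Subsystem sftp" line, and it encodes the fallback behaviour the reporter observed (scp with a warning when SFTP is off and scp_if_ssh is unset). The sample configs are constructed for the example.

```python
import configparser
import re

# Constructed sample: sshd_config as rendered with sftp_enabled: false.
# The only sftp subsystem line is commented out, so SFTP is disabled.
SSHD_CONFIG_SFTP_DISABLED = """\
Port 22
PermitRootLogin no
# Subsystem sftp internal-sftp
"""

# Constructed sample: sshd_config with the sftp subsystem active.
SSHD_CONFIG_SFTP_ENABLED = """\
Port 22
PermitRootLogin no
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
"""

# Constructed sample: ansible.cfg without any transfer-method override.
ANSIBLE_CFG_DEFAULT = """\
[defaults]
inventory = hosts
"""

# Constructed sample: ansible.cfg with the workaround quoted from the old readme.
ANSIBLE_CFG_SCP = """\
[defaults]
inventory = hosts

[ssh_connection]
scp_if_ssh = True
"""

# Matches an uncommented "Subsystem sftp ..." directive (sshd keywords are
# case-insensitive; leading whitespace is allowed).
_SUBSYSTEM_SFTP = re.compile(r"^\s*Subsystem\s+sftp\b", re.IGNORECASE)


def sftp_subsystem_enabled(sshd_config: str) -> bool:
    """True if sshd_config contains an active 'Subsystem sftp' line."""
    return any(_SUBSYSTEM_SFTP.match(line) for line in sshd_config.splitlines())


def ansible_prefers_scp(ansible_cfg: str) -> bool:
    """True if ansible.cfg sets scp_if_ssh under [ssh_connection]."""
    parser = configparser.ConfigParser()
    parser.read_string(ansible_cfg)
    # getboolean accepts True/true/yes/on/1, which covers how people write it.
    return parser.getboolean("ssh_connection", "scp_if_ssh", fallback=False)


def transfer_outcome(sshd_config: str, ansible_cfg: str) -> str:
    """Return 'sftp', 'scp', or 'scp-fallback-with-warning'.

    The last value models what the reporter saw: tasks still succeed, but
    ansible-playbook prints the 'sftp transfer mechanism failed' warning.
    """
    if sftp_subsystem_enabled(sshd_config):
        return "sftp"
    if ansible_prefers_scp(ansible_cfg):
        return "scp"
    return "scp-fallback-with-warning"


if __name__ == "__main__":
    for label, sshd, cfg in [
        ("hardened host, default ansible.cfg", SSHD_CONFIG_SFTP_DISABLED, ANSIBLE_CFG_DEFAULT),
        ("hardened host, scp_if_ssh = True", SSHD_CONFIG_SFTP_DISABLED, ANSIBLE_CFG_SCP),
        ("sftp_enabled: true, default ansible.cfg", SSHD_CONFIG_SFTP_ENABLED, ANSIBLE_CFG_DEFAULT),
    ]:
        print(f"{label}: {transfer_outcome(sshd, cfg)}")
```

Run it against a real `/etc/ssh/sshd_config` fetched from a hardened host and your project's `ansible.cfg` to see before a playbook run whether the warning will appear; either of the two fixes named in the issue (`sftp_enabled: true` for the role, or `scp_if_ssh = True` in `[ssh_connection]`) turns the result away from the warning case.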

@rndmh3ro
Member

> OR just add a little more descriptive text to the var sftp_enabled within the same readme.md For example:
> Description: true to enable sftp configuration. Ansible uses sftp by default for various operations and will fall back to scp by default if sftp is disabled or not available. You can configure Ansible to use scp by default by adding scp_if_ssh = True in your ansible.cfg

Sounds good to me! Do you want to create a PR?

@saintcore
Author

saintcore commented Jan 22, 2022

> > OR just add a little more descriptive text to the var sftp_enabled within the same readme.md For example:
> > Description: true to enable sftp configuration. Ansible uses sftp by default for various operations and will fall back to scp by default if sftp is disabled or not available. You can configure Ansible to use scp by default by adding scp_if_ssh = True in your ansible.cfg
>
> Sounds good to me! Do you want to create a PR?

Yes, of course. Do I need to meet the requirements for contributing as explained on https://dev-sec.io/contributing/ ? Especially asking in regard to the DCO sign-off.

@rndmh3ro
Member

> Yes, of course. Do I need to meet the requirements for contributing as explained on https://dev-sec.io/contributing/ ? Especially asking in regard to the DCO sign-off.

Yes, that'd be good. Do you need help with it? Normally it's just a `git commit -s`.
