parameterize PermitRootLogin

Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
dev-sec · Nov 11, 2018 · d152fcf · d152fcf
1 parent 833a173
commit d152fcf
Show file tree

Hide file tree

Showing 8 changed files with 62 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
 |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
-|`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
+|`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
 |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -48,8 +48,8 @@ ssh_permit_tunnel: false
 #     options: ['StrictHostKeyChecking no']
 ssh_remote_hosts: []
 
-# false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
-ssh_allow_root_with_key: false          # sshd
+# Set this to "without-password" or "yes" to allow root to login
+ssh_permit_root_login: 'no'          # sshd
 
 # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
 ssh_allow_tcp_forwarding: false         # sshd

diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -0,0 +1,27 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+  options:
+    config-file: molecule/default/yaml-lint.yml
+platforms:
+  - name: instance
+    image: "rndmh3ro/docker-centos7-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  lint:
+    name: flake8
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
@@ -0,0 +1,22 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+  hosts: all
+  become: true
+  pre_tasks:
+    - package: name="{{item}}" state=present
+      with_items:
+        - "openssh-clients"
+        - "openssh-server"
+      ignore_errors: true
+    - apt: name="{{item}}" state=present update_cache=true
+      with_items:
+        - "openssh-client"
+        - "openssh-server"
+      ignore_errors: true
+    - file: path="/var/run/sshd" state=directory
+    - name: create ssh host keys
+      command: "ssh-keygen -A"
+      when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
+
+  roles:
+    - ansible-ssh-hardening
diff --git a/molecule/default/yaml-lint.yml b/molecule/default/yaml-lint.yml
@@ -0,0 +1,6 @@
+---
+extends: default
+rules:
+  line-length:
+    max: 150
+    level: warning
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1 @@
+molecule
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -6,8 +6,8 @@
 # Basic configuration
 # ===================
 
-# Either disable or only allowssh root login via certificates.
-PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
+# Either disable or only allow root login via certificates.
+PermitRootLogin {{ ssh_permit_root_login }}
 
 # Define which port sshd should listen to. Default to `22`.
 {% for port in ssh_server_ports -%}

diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -21,7 +21,6 @@
     - ansible-ssh-hardening
   vars:
     network_ipv6_enable: true
-    ssh_allow_root_with_key: true
     ssh_allow_tcp_forwarding: true
     ssh_gateway_ports: true
     ssh_allow_agent_forwarding: true
@@ -37,6 +36,7 @@
     ssh_deny_groups: 'foo bar'
     ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
     ssh_max_auth_retries: 10
+    ssh_permit_root_login: "without-password"
     ssh_permit_tunnel: true
     ssh_print_motd: true
     ssh_print_last_log: true