dev-sec · rndmh3ro · Dec 1, 2019 · Nov 24, 2019 · Nov 26, 2019
diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
-|`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
+|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`|
 |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
 |`ssh_pam_support` | true | true if SSH has PAM support.|

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -52,7 +52,7 @@ ssh_remote_hosts: []
 ssh_permit_root_login: 'no'          # sshd
 
 # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
-ssh_allow_tcp_forwarding: false         # sshd
+ssh_allow_tcp_forwarding: 'no'        # sshd
 
 # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
 # Set to 'clientspecified' to allow the client to specify which address to bind to.

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -174,7 +174,11 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access
-AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
+{% if sshd_version.stdout is version('6.2', '>=') %}
+AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}
+{% else %}
+AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}
+{% endif %}
 
 # Disable agent forwarding, since local agent could be accessed through forwarded connection.
 # no real advantage without denied shell access

diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -23,7 +23,7 @@
     - ansible-ssh-hardening
   vars:
     network_ipv6_enable: true
-    ssh_allow_tcp_forwarding: true
+    ssh_allow_tcp_forwarding: 'yes'
     ssh_gateway_ports: true
     ssh_allow_agent_forwarding: true
     ssh_server_permit_environment_vars: 'yes'