Fix dev-sec#348: make ssh configuration files paths configurable (dev…

…-sec#350) Signed-off-by: Sylvain Prat <sylvain.prat@gmail.com>
divialth · Dec 16, 2020 · 17af9ba · 17af9ba
1 parent 7478220
commit 17af9ba
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
@@ -17,6 +17,12 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - `network_ipv6_enable`
   - Default: `false`
   - Description: true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).
+- `ssh_client_config_file`
+  - Default: `'/etc/ssh/ssh_config'`
+  - Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`
+- `ssh_server_config_file`
+  - Default: `'/etc/ssh/sshd_config'`
+  - Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`
 - `ssh_server_ports`
   - Default: `['22']`
   - Description: ports on which ssh-server should listen

diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
@@ -2,6 +2,10 @@
 # true if IPv6 is needed
 network_ipv6_enable: false          # sshd + ssh
 
+# Paths of the config files
+ssh_client_config_file: /etc/ssh/ssh_config   # ssh
+ssh_server_config_file: /etc/ssh/sshd_config  # sshd
+
 # true if sshd should be started and enabled
 ssh_server_enabled: true            # sshd
 

diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
@@ -46,7 +46,7 @@
 - name: create sshd_config and set permissions to root/600
   template:
     src: 'opensshd.conf.j2'
-    dest: '/etc/ssh/sshd_config'
+    dest: "{{ ssh_server_config_file }}"
     mode: '0600'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
@@ -70,7 +70,7 @@
 - name: create ssh_config and set permissions to root/644
   template:
     src: 'openssh.conf.j2'
-    dest: '/etc/ssh/ssh_config'
+    dest: "{{ ssh_client_config_file }}"
     mode: '0644'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'