Merge pull request dev-sec#112 from fti7/permittunnel

Added support for PermitTunnel config switch

README.md

@@ -30,6 +30,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_host_key_files` | ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] |Host keys to look for when starting sshd.|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
+|`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|

defaults/main.yml

@@ -39,6 +39,9 @@ ssh_max_auth_retries: 2
 ssh_client_alive_interval: 600          # sshd
 ssh_client_alive_count: 3               # sshd
 
+# Allow SSH Tunnels
+ssh_permit_tunnel: false
+
 # Hosts with custom options.            # ssh
 # Example:
 # ssh_remote_hosts:

templates/opensshd.conf.j2

@@ -173,7 +173,7 @@ ClientAliveInterval {{ssh_client_alive_interval}}
 ClientAliveCountMax {{ssh_client_alive_count}}
 
 # Disable tunneling
-PermitTunnel no
+PermitTunnel {{ 'yes' if ssh_permit_tunnel else 'no' }}
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access