SSH secure configuration example fails on CentOS due to SELinux policy #271

Closed
geerlingguy opened this issue May 20, 2020 · 1 comment

geerlingguy commented May 20, 2020

The current example:

    - name: Update SSH configuration to be more secure.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
      with_items:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^Port"
          line: "Port 2849"
      notify: restart ssh

Fails and you get the following in your logs on CentOS servers when sshd is restarted by the handler:

May 20 02:34:00 ip-172-31-91-174 polkitd[517]: Registered Authentication Agent for unix-process:1588:20133 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: error: Bind to port 2849 on 0.0.0.0 failed: Permission denied.
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: error: Bind to port 2849 on :: failed: Permission denied.
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: fatal: Cannot bind any address.
May 20 02:34:00 ip-172-31-91-174 polkitd[517]: Unregistered Authentication Agent for unix-process:1588:20133 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

You have to grant the privilege via SELinux: semanage port -a -t ssh_port_t -p tcp 4444

So on Red Hat / CentOS, the following task should be added prior to the lineinfile task:

    - name: Allow sshd to listen on tcp port 2849.
      seport:
        ports: 2849
        proto: tcp
        setype: ssh_port_t
        state: present
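
The corrected ordering as a complete play, added here as an example (not the book's or the issue's own code): the SELinux port label is applied first and only on hosts where SELinux is enabled, sshd_config is validated before it is written, and the play confirms sshd actually bound the new port instead of failing silently at the handler. It assumes the seport module is available (community.general on Ansible 2.10+) and that the labeled port matches the Port directive (2849 here; note the semanage command above uses 4444).

```yaml
# Added example, not the book's or the issue's code. Assumes the `seport`
# module is installed (community.general on Ansible >= 2.10) and that
# ssh_port matches the Port directive written to sshd_config.
- hosts: all
  become: true
  vars:
    ssh_port: 2849

  handlers:
    - name: restart ssh
      service:
        name: "{{ 'sshd' if ansible_os_family == 'RedHat' else 'ssh' }}"
        state: restarted

  tasks:
    # Label the port before sshd_config references it; otherwise the restart
    # handler fails with "Bind to port ... Permission denied" on SELinux hosts.
    - name: Allow sshd to listen on tcp port {{ ssh_port }} (SELinux).
      seport:
        ports: "{{ ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present
      when: ansible_selinux is defined and ansible_selinux.status == 'enabled'

    - name: Update SSH configuration to be more secure.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # Refuse to write a config that sshd itself rejects.
        validate: /usr/sbin/sshd -t -f %s
      with_items:
        - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
        - { regexp: "^PermitRootLogin", line: "PermitRootLogin no" }
        - { regexp: "^Port", line: "Port {{ ssh_port }}" }
      notify: restart ssh

    # Run the handler now and confirm sshd is bound to the new port before the
    # play ends, so a bind failure surfaces as a failed task, not a lockout.
    - meta: flush_handlers

    - name: Verify sshd is listening on port {{ ssh_port }}.
      wait_for:
        host: 127.0.0.1
        port: "{{ ssh_port }}"
        timeout: 30
```

Keep the old port reachable (or an out-of-band console) until the wait_for task passes, since a firewall rule for the new port is still a separate step.
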
geerlingguy (Owner, Author) commented

Fixed in the manuscript; this will be in the book's next version. I added a note after the example in the text for those using Red Hat / CentOS.
