Closed
Description
The current example:

```yaml
- name: Update SSH configuration to be more secure.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication no"
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin no"
    - regexp: "^Port"
      line: "Port 2849"
  notify: restart ssh
```

fails, and you get the following in your logs on CentOS servers when sshd is restarted by the handler:
```
May 20 02:34:00 ip-172-31-91-174 polkitd[517]: Registered Authentication Agent for unix-process:1588:20133 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: error: Bind to port 2849 on 0.0.0.0 failed: Permission denied.
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: error: Bind to port 2849 on :: failed: Permission denied.
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: fatal: Cannot bind any address.
May 20 02:34:00 ip-172-31-91-174 polkitd[517]: Unregistered Authentication Agent for unix-process:1588:20133 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
```
You have to grant the privilege via SELinux: `semanage port -a -t ssh_port_t -p tcp 4444`

So on Red Hat / CentOS, the following task should be added prior to the lineinfile task:

```yaml
- name: Allow sshd to listen on tcp port 2849.
  seport:
    ports: 2849
    proto: tcp
    setype: ssh_port_t
    state: present
```

captainwasabi
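A complete play with the two tasks in the order this issue proposes, added here as an example (it is not code from the issue or from the book's repository). The `when` guard on the SELinux facts, the `validate` check on `lineinfile`, the `ssh_port` variable and the handler's service-name switch are my assumptions, not part of the original example.

```yaml
# Added example (not from the original issue): label the port for sshd in
# SELinux *before* sshd_config is changed, so the handler's restart does not
# fail with "Bind to port 2849 ... Permission denied".
# Assumed: facts are gathered (the default) and the host has the SELinux
# Python bindings that the seport module needs.
- hosts: all
  become: true
  vars:
    ssh_port: 2849

  tasks:
    # Only meaningful where SELinux is enabled; skipped on Debian-family
    # hosts and on RHEL-family hosts with SELinux disabled. The default()
    # keeps the condition safe when the selinux fact is missing.
    - name: Allow sshd to listen on tcp port {{ ssh_port }}.
      seport:
        ports: "{{ ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present
      when:
        - ansible_os_family == "RedHat"
        - (ansible_selinux.status | default('disabled')) == "enabled"

    - name: Update SSH configuration to be more secure.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd parses the candidate file first, so a bad edit is rejected
        # instead of leaving the daemon unable to restart.
        validate: "/usr/sbin/sshd -t -f %s"
      with_items:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^Port"
          line: "Port {{ ssh_port }}"
      notify: restart ssh

  handlers:
    # Assumed service names: 'sshd' on RHEL/CentOS, 'ssh' on Debian/Ubuntu.
    - name: restart ssh
      service:
        name: "{{ 'sshd' if ansible_os_family == 'RedHat' else 'ssh' }}"
        state: restarted
```

On a CentOS host the `seport` task changes the `ssh_port_t` label for 2849 on the first run and reports `ok` afterwards; on hosts where the guard is false it is skipped and the rest of the play is unchanged.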