SSHD Improvements #401
Merged
SSHD Improvements #401
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add options:
- sshd_deny_groups
- sshd_deny_users
- sshd_host_keys_files
- sshd_host_keys_group
- sshd_host_keys_mode
- sshd_host_keys_owner
- sshd_listen
- sshd_match_addresses
- sshd_match_groups
- sshd_match_local_ports
- sshd_match_users
- sshd_print_pam_motd
- sshd_sftp_enabled
- sshd_sftp_only_chroot
- sshd_sftp_only_chroot_dir
- sshd_sftp_only_group
- sshd_sftp_subsystem
- sshd_syslog_facility
- sshd_use_privilege_separation
- Change options:
- String to boolean:
- sshd_allow_agent_forwarding
- sshd_challenge_response_authentication
- sshd_compression
- sshd_gssapi_authentication
- sshd_hostbased_authentication
- sshd_ignore_rhosts
- sshd_ignore_user_known_hosts
- sshd_kerberos_authentication
- sshd_password_authentication
- sshd_permit_empty_passwords
- sshd_permit_root_login
- sshd_permit_user_environment
- sshd_print_last_log
- sshd_print_motd
- sshd_strict_modes
- sshd_tcp_keep_alive
- sshd_use_dns
- sshd_use_pam
- sshd_x11_forwarding
- String to list:
- sshd_allow_groups
- sshd_allow_users
- sshd_ca_signature_algorithms
- sshd_ciphers
- sshd_host_key_algorithms
- sshd_kex_algorithms
- sshd_macs
- sshd_ports
|
Thanks again! Really nice improvements. I'll run some tests and get back to you. |
konstruktoid
requested changes
Sep 29, 2023
There was a problem hiding this comment.
Have a look at the lint errors https://github.com/konstruktoid/ansible-role-hardening/actions/runs/6343295236/job/17253219427?pr=401#step:4:22
|
Failing test: https://github.com/konstruktoid/ansible-role-hardening/blob/master/tasks/ufw.yml#L117-L129 |
Fixed, but after updating More details at: https://ansible.readthedocs.io/projects/lint/rules/var-naming/ |
yeah, but ignore that one for now |
Updated, it took some work to adjust the molecule, I need you to carry out the appropriate tests. |
|
Great job, please fix the conflicts and I believe we're ready to test. |
|
Awesome! |
failed: [bookworm] (item=['0', 22]) => {"ansible_loop_var": "item", "changed": false, "item": ["0", 22], "msg": "Failed to find required executable \"ufw\" in paths: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}
failed: [almalinux9] (item=['0', 22]) => {"ansible_loop_var": "item", "changed": false, "item": ["0", 22], "msg": "Failed to find required executable \"ufw\" in paths: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}failed: [focal] (item=['0', 22]) => {"ansible_loop_var": "item", "changed": false, "commands": ["/usr/sbin/ufw status verbose", "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw limit from 0 to any port 22 proto tcp comment 'ansible managed'"], "item": ["0", 22], "msg": "ERROR: Bad source address\n"}Full task log: |
|
I believe that the time debugging this would be a lot shorter if you ran your branch locally on a VM |
My test with ansible 2.15.4 and options The task below ( NOTE: I need to correct the order of the task in the file, as I changed it during the test and did not return it. A search for the variable # grep 'sshd_admin_net: \"' * -R
molecule/almalinux/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/almalinux/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/debian/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/debian/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/debian/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/ubuntu/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/ubuntu/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/ubuntu/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/ubuntu/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/redhat/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/single/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/default/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/default/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/default/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/default/molecule.yml: sshd_admin_net: "0.0.0.0/0"
molecule/default/molecule.yml: sshd_admin_net: "0.0.0.0/0"I will edit the fixes as soon as possible. |
|
What's the purpose of |
Text include in README:
|
|
Ah, so even if the |
|
Needed to make the following changes. diff --git a/README.md b/README.md
index 40977b4..f6bf46e 100644
--- a/README.md
+++ b/README.md
@@ -584,13 +584,13 @@ connection.
`sshd_required_rsa_size`, RequiredRSASize, will only be set if SSH version is higher than 9.1.
-`sshd_config_d_force_clear` force clear directory `/etc/sshd_config.d`. Default: `false`.
+`sshd_config_d_force_clear` force clear directory `/etc/ssh/sshd_config.d`. Default: `false`.
-`sshd_config_force_replace` force replace configuration file `/etc/sshd_config`. Default: `false`.
+`sshd_config_force_replace` force replace configuration file `/etc/ssh/sshd_config`. Default: `false`.
> **Note**
>
-> By default, the role checks whether the directory `/etc/sshd_config.d` exists and whether it is linked via the `Include` parameter in the `/etc/sshd_config` file, if so, an additional configuration file is created in `/ etc/sshd_config.d`, if not, the `/etc/sshd_config` file is overwritten.
+> By default, the role checks whether the directory `/etc/ssh/sshd_config.d` exists and whether it is linked via the `Include` parameter in the `/etc/ssh/sshd_config` file, if so, an additional configuration file is created in `/etc/ssh/sshd_config.d`, if not, the `/etc/ssh/sshd_config` file is overwritten.
> **Warning**
>
diff --git a/tasks/sshconfig.yml b/tasks/sshconfig.yml
index 511f096..85a5db1 100644
--- a/tasks/sshconfig.yml
+++ b/tasks/sshconfig.yml
@@ -93,6 +93,7 @@
- sshd_config
- name: Set default for sshd_host_keys_files if not supplied
+ become: yes
when: not sshd_host_keys_files
tags:
- sshd
@@ -140,6 +141,7 @@
loop: "{{ sshd_host_keys_files }}"
- name: Disable PAM dynamic MOTD
+ become: true
community.general.pamd:
name: sshd
type: session
@@ -226,7 +228,7 @@
owner: root
group: root
validate: "/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s"
- when: not ( sshd_config_force_replace | bool ) or sshd_config_d.stat.exists and grep_include.rc == 0
+ when: not ( sshd_config_force_replace | bool ) and sshd_config_d.stat.exists and grep_include.rc == 0
notify:
- Restart sshd service
- Restart ssh service |
TASK [Set sshd_config_parameters RequiredRSASize] ******************************
skipping: [almalinux8]
skipping: [almalinux9]
fatal: [bookworm]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ sshd_config_parameters + ['RequiredRSASize ' + sshd_required_rsa_size] }}): can only concatenate str (not \"int\") to str. can only concatenate str (not \"int\") to str"}
skipping: [focal]
skipping: [jammy]Debian Bookworm: OpenSSH_9.2, OpenSSL 3.0.9 30 May 2023 AlmaLinux9: OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022 |
|
What's this?
|
|
https://manpages.debian.org/buster/openssh-server/sshd_config.5.en.html#DebianBanner I have to see how to limit the debian family. |
|
Great work. Just some verification failing, everything else looks good. |
I believe I have to do the version treatments that are present in the template. I will also perform an isolated test of checking the parameters, to see if there are any code errors.
|
|
Yeah, it was a strange error message, will take a look as well as soon as possible. |
|
Do you think a test is necessary for this task? - name: Disable PAM dynamic MOTD
become: true
community.general.pamd:
name: sshd
type: session
control: optional
module_path: pam_motd.so
state: absent
backup: true
when:
- sshd_use_pam | bool
- not (sshd_print_pam_motd | bool)
tags:
- sshd |
Me too! 😆 |
Nah, lets skip it. I'm going to go through all tests and tasks after the merge anyway, in order to have similar tasks and tests as the ones you've made |
@cleberb, this works: line: "{{ item | indent(4,true) }}" |
In the template, if used To avoid doubts, we will leave the space characters as they were before. 👍 |
|
I only tested it in a task to be fair. |
konstruktoid
requested changes
Oct 4, 2023
cleberb
commented
Oct 9, 2023
|
Just a last suggestion regarding |
What would be the suggestion? |
|
I have no idea where the rest of the text went, but since we set a system wide umask, I suggest we remove the |
|
Great! I'll |
|
Task [WARNING]: conditional statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: {%- set lower_parameter = item.split(
)[0] | lower -%} {{ ( item | regex_replace('^[^\ ]+', lower_parameter) ) not in
sshd_config.stdout_lines }}
failed: [jammy] (item=AcceptEnv LANG LC_*) => {"ansible_loop_var": "item", "changed": false, "cmd": ["sshd", "-T"], "delta": "0:00:00.062700", "end": "2023-10-11 21:47:23.980246", "failed_when_result": true, "item": "AcceptEnv LANG LC_*", "msg": "", "rc": 0, "start": "2023-10-11 21:47:23.917546", "stderr": "", "stderr_lines": [], "stdout": "port 22\naddressfamily inet\nlistenaddress 0.0.0.0:22\nusepam yes\nlogingracetime 20\nx11displayoffset 10\nmaxauthtries 3\nmaxsessions 3\nclientaliveinterval 200\nclientalivecountmax 1\nstreamlocalbindmask 0177\npermitrootlogin no\nignorerhosts yes\nignoreuserknownhosts yes\nhostbasedauthentication no\nhostbasedusesnamefrompacketonly no\npubkeyauthentication yes\nkerberosauthentication no\nkerberosorlocalpasswd yes\nkerberosticketcleanup yes\ngssapiauthentication no\ngssapicleanupcredentials yes\ngssapikeyexchange no\ngssapistrictacceptorcheck yes\ngssapistorecredentialsonrekey no\ngssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-\npasswordauthentication no\nkbdinteractiveauthentication no\nprintmotd no\nprintlastlog yes\nx11forwarding no\nx11uselocalhost yes\npermittty yes\npermituserrc yes\nstrictmodes yes\ntcpkeepalive no\npermitemptypasswords no\ncompression no\ngatewayports no\nusedns no\nallowtcpforwarding no\nallowagentforwarding no\ndisableforwarding no\nallowstreamlocalforwarding yes\nstreamlocalbindunlink no\nfingerprinthash SHA256\nexposeauthinfo no\npidfile /run/sshd.pid\nmodulifile /etc/ssh/moduli\nxauthlocation /usr/bin/xauth\nciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr\nmacs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\nbanner /etc/issue.net\nforcecommand none\nchrootdirectory none\ntrustedusercakeys none\nrevokedkeys none\nsecuritykeyprovider internal\nauthorizedprincipalsfile none\nversionaddendum none\nauthorizedkeyscommand none\nauthorizedkeyscommanduser none\nauthorizedprincipalscommand none\nauthorizedprincipalscommanduser none\nhostkeyagent none\nkexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256\ncasignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa\nhostbasedacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nhostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\npubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nloglevel VERBOSE\nsyslogfacility AUTH\nauthorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2\nhostkey /etc/ssh/ssh_host_rsa_key\nhostkey /etc/ssh/ssh_host_ecdsa_key\nhostkey /etc/ssh/ssh_host_ed25519_key\nallowusers vagrant\nallowgroups vagrant\nallowgroups sudo\nacceptenv LANG\nacceptenv LC_*\nacceptenv LANG\nacceptenv LC_*\nauthenticationmethods any\nsubsystem sftp internal-sftp -f LOCAL6 -l INFO\nmaxstartups 10:30:60\npersourcemaxstartups none\npersourcenetblocksize 32:128\npermittunnel no\nipqos lowdelay throughput\nrekeylimit 536870912 3600\npermitopen any\npermitlisten any\npermituserenvironment no\npubkeyauthoptions none", "stdout_lines": ["port 22", "addressfamily inet", "listenaddress 0.0.0.0:22", "usepam yes", "logingracetime 20", "x11displayoffset 10", "maxauthtries 3", "maxsessions 3", "clientaliveinterval 200", "clientalivecountmax 1", "streamlocalbindmask 0177", "permitrootlogin no", "ignorerhosts yes", "ignoreuserknownhosts yes", "hostbasedauthentication no", "hostbasedusesnamefrompacketonly no", "pubkeyauthentication yes", "kerberosauthentication no", "kerberosorlocalpasswd yes", "kerberosticketcleanup yes", "gssapiauthentication no", "gssapicleanupcredentials yes", "gssapikeyexchange no", "gssapistrictacceptorcheck yes", "gssapistorecredentialsonrekey no", "gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-", "passwordauthentication no", "kbdinteractiveauthentication no", "printmotd no", "printlastlog yes", "x11forwarding no", "x11uselocalhost yes", "permittty yes", "permituserrc yes", "strictmodes yes", "tcpkeepalive no", "permitemptypasswords no", "compression no", "gatewayports no", "usedns no", "allowtcpforwarding no", "allowagentforwarding no", "disableforwarding no", "allowstreamlocalforwarding yes", "streamlocalbindunlink no", "fingerprinthash SHA256", "exposeauthinfo no", "pidfile /run/sshd.pid", "modulifile /etc/ssh/moduli", "xauthlocation /usr/bin/xauth", "ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr", "macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256", "banner /etc/issue.net", "forcecommand none", "chrootdirectory none", "trustedusercakeys none", "revokedkeys none", "securitykeyprovider internal", "authorizedprincipalsfile none", "versionaddendum none", "authorizedkeyscommand none", "authorizedkeyscommanduser none", "authorizedprincipalscommand none", "authorizedprincipalscommanduser none", "hostkeyagent none", "kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256", "casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", "hostbasedacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256", "hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256", "pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256", "loglevel VERBOSE", "syslogfacility AUTH", "authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2", "hostkey /etc/ssh/ssh_host_rsa_key", "hostkey /etc/ssh/ssh_host_ecdsa_key", "hostkey /etc/ssh/ssh_host_ed25519_key", "allowusers vagrant", "allowgroups vagrant", "allowgroups sudo", "acceptenv LANG", "acceptenv LC_*", "acceptenv LANG", "acceptenv LC_*", "authenticationmethods any", "subsystem sftp internal-sftp -f LOCAL6 -l INFO", "maxstartups 10:30:60", "persourcemaxstartups none", "persourcenetblocksize 32:128", "permittunnel no", "ipqos lowdelay throughput", "rekeylimit 536870912 3600", "permitopen any", "permitlisten any", "permituserenvironment no", "pubkeyauthoptions none"]}Add it as task you to see what you get: - name: Verify sshd runtime configuration
become: true
environment:
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ansible.builtin.command: sshd -T
check_mode: false
register: sshd_config
changed_when: false
failed_when: >-
{%- set lower_parameter = item.split( )[0] | lower -%}
{{ ( item | regex_replace('^[^\ ]+', lower_parameter) ) not in sshd_config.stdout_lines }}
loop: "{{ (sshd_config_parameters | reject('regex', 'Allowgroups ') | list) + ['allowgroups vagrant', 'allowgroups sudo'] }}" |
|
Closes #408 |
Runtime show: I will agree as soon as possible. |
|
I believe it has become more organized and it will be easier to make changes in the future. Some values were ignored because it would take too much work to be handled dynamically. |
Absolutely, thanks for the great work. |
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index bd10e6a..299be25 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -373,6 +373,7 @@
- rekeylimit
# listenaddress: runtime returns values addresses and ports(Ex: 0.0.0.0:22), ports is optional and can have multiple values.
- listenaddress
+ - debianbanner
- name: Verify sshd runtime configuration
become: true |
This option is filtered by the distribution, has there been an error with it? |
|
Yeah, the sshd runtime check doesn't catch it. I don't believe it's in the output. |
$ lsb_release -d
Description: Ubuntu 22.04.3 LTS
$ sudo grep -Ri banner /etc/ssh/* | grep -v '#'
/etc/ssh/sshd_config.d/01-hardening.conf:Banner /etc/issue.net
/etc/ssh/sshd_config.d/01-hardening.conf:DebianBanner no
$ sudo sshd -T | grep -i banner
banner /etc/issue.net
$$ sudo systemctl restart ssh
$ sudo grep -Ri banner /etc/ssh/* | grep -v '#'
/etc/ssh/sshd_config.d/01-hardening.conf:Banner /etc/issue.net
/etc/ssh/sshd_config.d/01-hardening.conf:DebianBanner yes
$ sudo systemctl restart ssh
$ sudo sshd -T | grep -i banner
banner /etc/issue.net |
konstruktoid
approved these changes
Oct 19, 2023
molecule/default/verify.yml
Outdated
|
|
||
| - name: Set sshd_config_parameters AcceptEnv | ||
| ansible.builtin.set_fact: | ||
| sshd_config_parameters: "{{ sshd_config_parameters + ['AcceptEnv ' + sshd_authentication_methods] }}" |
There was a problem hiding this comment.
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index b78df3a..02078d9 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -275,7 +275,7 @@
- name: Set sshd_config_parameters AcceptEnv
ansible.builtin.set_fact:
- sshd_config_parameters: "{{ sshd_config_parameters + ['AcceptEnv ' + sshd_authentication_methods] }}"
+ sshd_config_parameters: "{{ sshd_config_parameters + ['AcceptEnv ' + sshd_accept_env] }}"
when: sshd_accept_env is defined and sshd_accept_env | length != 0
- name: Set sshd_config_parameters AuthenticationMethods| - IgnoreRhosts {{ 'yes' if (sshd_ignore_rhosts | bool) else 'no' }} | ||
| - IgnoreUserKnownHosts {{ 'yes' if (sshd_ignore_user_known_hosts | bool) else 'no' }} | ||
| - >- | ||
| {%- if ssh_installed_version is version('8.7', '>=') -%} | ||
| KbdInteractiveAuthentication {{ 'yes' if (sshd_kbd_interactive_authentication | bool) else 'no' }} |
defaults/main/sshd.yml
Outdated
| sshd_sftp_only_chroot: true | ||
| sshd_sftp_only_chroot_dir: '%h' | ||
| sshd_sftp_only_group: '' | ||
| sshd_sftp_subsystem: internal-sftp -f LOCAL6 -l INFO -u 0027 |
There was a problem hiding this comment.
Since we set the umask on system level I think we should remove -u 0027
|
Thanks for the massive work, looks good now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add options:
Change options: