This repository was archived by the owner on Dec 26, 2020. It is now read-only.
role creates duplicate parameter/values after run #124
Closed
Description
Hey guys, I've just run into this issue with a very basic configuration and found duplicates in /etc/ssh/sshd_config afterwards. The relevant details:
The OS:
$ lsb_release -id
Distributor ID: Debian
Description: Debian GNU/Linux 8.8 (jessie)
The configuration:
- name: Configure sshd and restart
  hosts: web
  user: bob
  become: yes
  roles:
    - role: dev-sec.ssh-hardening
      ssh_port: 22
      ssh_use_pam: true
      sftp_enabled: true
      network_ipv6_enable: false
Duplicates
sudo egrep -v '^(#|$)' /etc/ssh/sshd_config | sort | uniq -d
AllowAgentForwarding no
AllowTcpForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
Workaround
As I intend to use sftp early in the process, I've commented out the duplicate parameters outside of the if sftp_enabled block.
egrep '(AllowAgentForwarding|AllowTcpForwarding|PasswordAuthentication|PermitRootLogin|X11Forwarding)' templates/opensshd.conf.j2
#PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
#PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
#AllowTcpForwarding {{ 'yes' if ssh_allow_tcp_forwarding else 'no' }}
#AllowAgentForwarding {{ 'yes' if ssh_allow_agent_forwarding else 'no' }}
#X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
This is gross but it does eliminate the duplicates:
The ansible run output with -v has been included: ansible-sshd.txt
As always, I reserve the right to be completely in the wrong :-)
Please let me know if I've duffed it.
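A scoped duplicate check, added here as an example and not part of the issue or the dev-sec role: unlike the flat `sort | uniq -d` pipeline above, it groups directives by Match block and reports, for every keyword set more than once in the same scope, which value sshd will actually use (within one scope sshd keeps the first value it reads, so a later, stricter line is silently ignored). The sshd_config text is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: identical duplicates (as in the issue) plus one
# conflicting pair, and one keyword repeated only across scopes.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's config
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowTcpForwarding no
Subsystem sftp internal-sftp
PermitRootLogin no
PasswordAuthentication no
Match Group sftponly
    ChrootDirectory /home/sftp
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Yield (scope, keyword, value, lineno); scope is 'global' or the Match line."""
    entries, scope = [], "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)  # 'Key val' or 'Key=val'
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":            # everything below belongs to this block
            scope = "Match " + value
            continue
        entries.append((scope, keyword, value, lineno))
    return entries

def find_duplicates(text):
    """Map (scope, keyword) -> [(lineno, value), ...] for keywords set twice in one scope."""
    seen = defaultdict(list)
    for scope, keyword, value, lineno in parse_sshd_config(text):
        seen[(scope, keyword)].append((lineno, value))
    return {k: v for k, v in seen.items() if len(v) > 1}

def effective_value(text, keyword, scope="global"):
    """The value sshd uses for keyword in scope: the first occurrence wins."""
    for s, k, value, _ in parse_sshd_config(text):
        if s == scope and k == keyword.lower():
            return value
    return None

if __name__ == "__main__":
    for (scope, keyword), hits in sorted(find_duplicates(SAMPLE_SSHD_CONFIG).items()):
        print(f"{scope}: {keyword} set {len(hits)} times {hits}; "
              f"effective={effective_value(SAMPLE_SSHD_CONFIG, keyword, scope)!r}")
```

Note that AllowTcpForwarding is not reported: the global line and the one inside the Match block are different scopes, which the flat egrep/uniq pipeline cannot tell apart.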