Merge "Change PermitRootLogin to allow alternate options"

2017-11-14 16:34:28 +00:00 · 2017-11-14 16:34:28 +00:00 · 422b793b80
parent d2548a4b44 f32cb3c081
commit 422b793b80
4 changed files with 19 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -327,7 +327,7 @@ security_sshd_client_alive_interval: 600                     # V-72237
 security_sshd_client_alive_count_max: 0                      # V-72241
 # Print the last login for a user when they log in over ssh.
 security_sshd_print_last_log: yes                            # V-72245
-# Permit direct root logins
+# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
 security_sshd_permit_root_login: no                          # V-72247
 # Disallow authentication using known hosts authentication.
 security_sshd_disallow_known_hosts_auth: yes                 # V-72249 / V-72239
--- a/doc/metadata/rhel7/V-72247.rst
+++ b/doc/metadata/rhel7/V-72247.rst
@ -7,7 +7,9 @@ tag: sshd
 The ``PermitRootLogin`` configuration is set to ``no`` in
 ``/etc/ssh/sshd_config`` and sshd is restarted.

-Deployers can opt out of this change by setting the following Ansible variable:
+Deployers can select another setting for PermitRootLogin, from the available
+options ``without-password``, ``prohibit-password``, ``forced-commands-only``,
+``yes``, or ``no`` by setting the following variable:

 .. code-block:: yaml

--- a/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
+++ b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - The ``security_sshd_permit_root_login`` setting can
+    now be set to change the ``PermitRootLogin`` setting
+    in ``/etc/ssh/sshd_config`` to any of the possible
+    options. Set ``security_sshd_permit_root_login`` to
+    one of ``without-password``, ``prohibit-password``,
+    ``forced-commands-only``, ``yes`` or ``no``.
--- a/templates/sshd_config_block.j2
+++ b/templates/sshd_config_block.j2
@ -22,9 +22,14 @@ ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
 # V-72245
 PrintLastLog yes
 {% endif %}
-{% if not (security_sshd_permit_root_login | bool) %}
+{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
+{%   if security_sshd_permit_root_login | string in ['False', 'True'] %}
+{%     set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
+{%   else %}
+{%     set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
+{%   endif %}
 # V-72247
-PermitRootLogin no
+PermitRootLogin {{ _security_sshd_permit_root_login }}
 {% endif %}
 {% if security_sshd_disallow_known_hosts_auth | bool %}
 # V-72249 / V-72239