Change PermitRootLogin to allow alternate options

PermitRootLogin can be 'yes', 'no', 'without-password',
'prohibit-password' or 'forced-commands-only'.
This patch changes the functionality to ensure that
security_sshd_permit_root_login is one of the above settings - if so, it
will use that value.

Due to the way Ansible handles "no" and "yes", we have to check if the
value is "False" (string equivalent for boolean no), and if so output
"no", otherwise output the string (which would be one of the above
options).

Previously, we could only set this value to 'no'.

Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
(cherry picked from commit f32cb3c081)
Andy McCrae 2017-11-06 15:04:01 +00:00 committed by wutianwei
parent 68e99a13eb
commit c05e36f48d
4 changed files with 19 additions and 4 deletions


@ -304,7 +304,7 @@ security_sshd_client_alive_interval: 600 # V-72237
security_sshd_client_alive_count_max: 0 # V-72241
# Print the last login for a user when they log in over ssh.
security_sshd_print_last_log: yes # V-72245
# Permit direct root logins
# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
security_sshd_permit_root_login: no # V-72247
# Disallow authentication using known hosts authentication.
security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
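Review bot: the new comment on `security_sshd_permit_root_login` lists `yes` and `no` alongside the three string values, but an unquoted `yes`/`no` in YAML is parsed as a boolean, not as the string sshd expects, which is exactly why the template has to special-case `True`/`False`; say in the comment that both the bare boolean and the quoted `'yes'`/`'no'` are accepted so deployers do not quote one and not the other. It is also worth stating that the `no` default is the value the `# V-72247` tag on this line stands for, and that the other four values are a deliberate deviation from that control rather than alternative ways of satisfying it.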


@ -7,7 +7,9 @@ tag: sshd
The ``PermitRootLogin`` configuration is set to ``no`` in
``/etc/ssh/sshd_config`` and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
Deployers can select another setting for PermitRootLogin, from the available
options ``without-password``, ``prohibit-password``, ``forced-commands-only``,
``yes``, or ``no`` by setting the following variable:
.. code-block:: yaml
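Review bot: `PermitRootLogin` in the new sentence is plain text while the paragraph just above sets it as ``PermitRootLogin`` in double backticks; use the same literal markup. The removed line explained that setting the variable was an opt-out, and the paragraph above still says the value is set to ``no``, so the new sentence should make clear that ``no`` is the default and the other values replace it; the ``yes`` and ``no`` entries should also note that unquoted YAML ``yes``/``no`` arrive as booleans and are accepted as such, since the code block that follows presumably shows one of them.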


@ -0,0 +1,8 @@
---
features:
- The ``security_sshd_permit_root_login`` setting can
now be set to change the ``PermitRootLogin`` setting
in ``/etc/ssh/sshd_config`` to any of the possible
options. Set ``security_sshd_permit_root_login`` to
one of ``without-password``, ``prohibit-password``,
``forced-commands-only``, ``yes`` or ``no``.
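Review bot: the release note should call out the behaviour change for deployers who already have `security_sshd_permit_root_login: yes` set. Before this patch the template only emitted `PermitRootLogin no` when the variable was false and wrote nothing otherwise, leaving sshd on its built-in default; after it, `yes` writes an explicit `PermitRootLogin yes` into `sshd_config`. A one-line "previously, any value other than ``no`` omitted the directive" sentence makes that visible to people reading upgrade notes.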


@ -22,9 +22,14 @@ ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
# V-72245
PrintLastLog yes
{% endif %}
{% if not (security_sshd_permit_root_login | bool) %}
{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
{% else %}
{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
{% endif %}
# V-72247
PermitRootLogin no
PermitRootLogin {{ _security_sshd_permit_root_login }}
{% endif %}
{% if security_sshd_disallow_known_hosts_auth | bool %}
# V-72249 / V-72239
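Review bot: the outer `{% if security_sshd_permit_root_login | string in [...] %}` guard silently drops the `PermitRootLogin` directive whenever the value is not in the list, so a typo such as `prohibit_password` or a capitalised `Yes` produces no error, no `PermitRootLogin` line at all, and sshd falls back to whatever its built-in default is; the host ends up unhardened and the play reports success. Fail loudly instead: either add an `{% else %}` branch that renders `PermitRootLogin no` as the safe fallback, or, better, an `assert` task before the template is rendered that checks `security_sshd_permit_root_login | string` against the same list and fails the play with the offending value. The inner `['False', 'True']` branch is fine, since the `| bool` filter is only applied after the value is known to be a rendered boolean, but the valid-value list is now duplicated between this template, the defaults comment and the docs, so a single variable holding the list would keep them from drifting.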