Change PermitRootLogin to allow alternate options
PermitRootLogin can be 'yes', 'no', 'without-password', 'prohibit-password' or 'forced-commands-only'. This patch changes the functionality to ensure that security_sshd_permit_root_login is one of the above settings - if so, it will use that value.

Due to the way Ansible handles "no" and "yes", we have to check if the value is "False" (string equivalent for boolean no), and if so output "no", otherwise output the string (which would be one of the above options).

Previously, we could only set this value to 'no'.

Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
parent ff73470848
commit f32cb3c081
@ -325,7 +325,7 @@ security_sshd_client_alive_interval: 600 # V-72237
security_sshd_client_alive_count_max: 0 # V-72241
# Print the last login for a user when they log in over ssh.
security_sshd_print_last_log: yes # V-72245
# Permit direct root logins
# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
security_sshd_permit_root_login: no # V-72247
# Disallow authentication using known hosts authentication.
security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
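Review bot: the default on the `security_sshd_permit_root_login: no` line stays an unquoted YAML `no`, which Ansible loads as boolean false rather than the string `'no'` that the new comment lists; the template has to special-case `False`/`True` for exactly this reason, so either quote the default (`security_sshd_permit_root_login: 'no'`) or extend the comment to say that the unquoted booleans `yes`/`no` are accepted as well, so deployers are not surprised that a quoted and an unquoted value behave the same. The new comment is also much longer than the other comment lines in this file; wrapping the option list onto a second `#` line would keep it consistent.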
@ -7,7 +7,9 @@ tag: sshd
The ``PermitRootLogin`` configuration is set to ``no`` in
``/etc/ssh/sshd_config`` and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
Deployers can select another setting for PermitRootLogin, from the available
options ``without-password``, ``prohibit-password``, ``forced-commands-only``,
``yes``, or ``no`` by setting the following variable:
.. code-block:: yaml
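Review bot: `PermitRootLogin` in the new sentence is not wrapped in double backticks, unlike the same name two lines above (``PermitRootLogin``); fix that for consistency. The paragraph also still opens with "is set to ``no``", and since the variable can now be set to ``yes``, the docs should state plainly that ``yes`` re-enables direct root login and therefore undoes the V-72247 control this role applies, so a deployer makes that choice deliberately rather than reading it as a simple opt-out. Listing the options in the same order everywhere (the defaults comment, this page and the release note) would also help.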
@ -0,0 +1,8 @@
---
features:
- The ``security_sshd_permit_root_login`` setting can
now be set to change the ``PermitRootLogin`` setting
in ``/etc/ssh/sshd_config`` to any of the possible
options. Set ``security_sshd_permit_root_login`` to
one of ``without-password``, ``prohibit-password``,
``forced-commands-only``, ``yes`` or ``no``.
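Review bot: the note says the variable can be set "to any of the possible options" and then lists five, but it does not say what happens to existing playbooks or to values outside that list; since the template still accepts the Ansible booleans (`False`/`True`), state that plain unquoted `yes`/`no` keeps working, and that a value not in the listed set is not written to ``sshd_config`` at all. "any of the possible options" is also redundant with the list that follows; "any of the following options" reads more tightly.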
@ -22,9 +22,14 @@ ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
# V-72245
PrintLastLog yes
{% endif %}
{% if not (security_sshd_permit_root_login | bool) %}
{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
{% else %}
{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
{% endif %}
# V-72247
PermitRootLogin no
PermitRootLogin {{ _security_sshd_permit_root_login }}
{% endif %}
{% if security_sshd_disallow_known_hosts_auth | bool %}
# V-72249 / V-72239
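Review bot: the outer `{% if security_sshd_permit_root_login | string in [...] %}` silently skips the whole block when the value is not in the list, so a typo such as `prohibit_password`, or a capitalised `No` (the comparison is case-sensitive), leaves `PermitRootLogin` out of `sshd_config` entirely, with no `# V-72247` marker and no error, and sshd falls back to its built-in default for the directive. Prefer failing loudly: add an `{% else %}` branch that raises, or an `assert` task before the template is rendered, that rejects unrecognised values instead of dropping the directive. Two smaller points: the inner check and the `ternary('yes','no')` only normalise `'False'`/`'True'`, so the string forms `'no'`/`'yes'` are passed through the `else` branch as-is, which is correct but worth a comment in the template since the commit message only describes the boolean case; and the stray space in `'yes' ]` should match the spacing of the other list entries.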