From f32cb3c0817441e3ba907c6481963bdd03c869cd Mon Sep 17 00:00:00 2001
From: Andy McCrae
Date: Mon, 6 Nov 2017 15:04:01 +0000
Subject: [PATCH] Change PermitRootLogin to allow alternate options
PermitRootLogin can be 'yes', 'no', 'without-password', 'prohibit-password' or 'forced-commands-only'. This patch changes the functionality to ensure that security_sshd_permit_root_login is one of the above settings - if so, it will use that value. Due to the way Ansible handles "no" and "yes", we have to check if the value is "False" (string equivalent for boolean no), and if so output "no", otherwise output the string (which would be one of the above options). Previously, we could only set this value to 'no'.
Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
---
 defaults/main.yml | 2 +-
 doc/metadata/rhel7/V-72247.rst | 4 +++-
 .../notes/permitrootlogin_options-a62e33ccc4a69657.yaml | 8 ++++++++
 templates/sshd_config_block.j2 | 9 +++++++--
 4 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 6024f92b..917ecef9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -325,7 +325,7 @@ security_sshd_client_alive_interval: 600 # V-72237
 security_sshd_client_alive_count_max: 0 # V-72241
 # Print the last login for a user when they log in over ssh.
 security_sshd_print_last_log: yes # V-72245
-# Permit direct root logins
+# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
 security_sshd_permit_root_login: no # V-72247
 # Disallow authentication using known hosts authentication.
 security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
diff --git a/doc/metadata/rhel7/V-72247.rst b/doc/metadata/rhel7/V-72247.rst
index 07b29567..35684b0a 100644
--- a/doc/metadata/rhel7/V-72247.rst
+++ b/doc/metadata/rhel7/V-72247.rst
@@ -7,7 +7,9 @@ tag: sshd
 The ``PermitRootLogin`` configuration is set to ``no`` in ``/etc/ssh/sshd_config`` and sshd is restarted.
-Deployers can opt out of this change by setting the following Ansible variable:
+Deployers can select another setting for PermitRootLogin, from the available
+options ``without-password``, ``prohibit-password``, ``forced-commands-only``,
+``yes``, or ``no`` by setting the following variable:
 .. code-block:: yaml
diff --git a/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
new file mode 100644
index 00000000..ebe6b02f
--- /dev/null
+++ b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - The ``security_sshd_permit_root_login`` setting can
+ now be set to change the ``PermitRootLogin`` setting
+ in ``/etc/ssh/sshd_config`` to any of the possible
+ options. Set ``security_sshd_permit_root_login`` to
+ one of ``without-password``, ``prohibit-password``,
+ ``forced-commands-only``, ``yes`` or ``no``.
diff --git a/templates/sshd_config_block.j2 b/templates/sshd_config_block.j2
index 28c6fd9f..586a1453 100644
--- a/templates/sshd_config_block.j2
+++ b/templates/sshd_config_block.j2
@@ -22,9 +22,14 @@ ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
 # V-72245
 PrintLastLog yes
 {% endif %}
-{% if not (security_sshd_permit_root_login | bool) %}
+{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
+{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
+{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
+{% else %}
+{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
+{% endif %}
 # V-72247
-PermitRootLogin no
+PermitRootLogin {{ _security_sshd_permit_root_login }}
 {% endif %}
 {% if security_sshd_disallow_known_hosts_auth | bool %}
 # V-72249 / V-72239
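Review bot: On the first added `{% if ... in [...] %}` line, any value outside the whitelist — a typo such as `prohibit_password`, or `Without-Password` in a different case — makes the whole block render nothing, so the `PermitRootLogin` directive is silently omitted and sshd falls back to its compiled default, which is `yes` on OpenSSH releases before 7.0 and `prohibit-password` afterwards. That turns a configuration mistake into a fail-open on the very control V-72247 exists to enforce, and nothing in the rendered config or the play output flags it. I would default to the secure value rather than dropping the directive: give the outer test an `{% else %}` branch that emits `PermitRootLogin no`, and ideally also add an `assert` task (outside this template) that fails the play when `security_sshd_permit_root_login` is not one of the accepted values. A one-line comment above the outer test, e.g. `{# Unrecognised values fall back to "no" rather than leaving sshd at its compiled default #}`, would make the intended behaviour clear to the next reader.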