rhel7stig: sshd.yml: Respect the STIG sshd configuration
Appending sshd configuration options at the end of the file doesn't work as expected. If the same keyword is set multiple times, sshd will only respect the first occurrence. As such, all the options that we add at the EOF will do nothing if any of them is already set in the file. In order to make sure that all our options are respected, we need to add all of them at the beginning of the file.

This can be easily demonstrated if we use the following keywords in an sshd config file, assuming we have /etc/motd already.

    PrintMotd yes
    PrintMotd no

    $ ssh root@localhost
    Last login: Tue Oct 31 09:28:28 2017 from ::1
    Have a lot of fun...

But if we swap the options to

    PrintMotd no
    PrintMotd yes

    Last login: Tue Oct 31 09:29:55 2017 from ::1

Closes-Bug: #1728735
Change-Id: I02f2b9bc612d67ed7b23d853012d3b6374f65c9d
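As an added example (not part of this commit or the ansible-hardening role), the script below models the first-occurrence-wins rule the commit message describes: it resolves the effective global sshd_config values, then reports which settings of a managed block would be shadowed when the block is appended at EOF versus prepended at BOF. The sample config and the managed block are constructed inline; the helper names (`effective_config`, `shadowed_settings`, `apply_block`) are this example's own. It stops at the first `Match` line, since everything after it is conditional rather than global.

```python
"""Resolve sshd_config with first-occurrence-wins semantics (added example)."""
import re

# keyword and argument may be separated by whitespace or by '='
_DIRECTIVE = re.compile(r'([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$')


def parse_global_directives(text):
    """Return (keyword, value, lineno) for the global section, in file order.

    Keywords are lower-cased because sshd matches them case-insensitively.
    Parsing stops at the first 'Match' line: directives after it only apply
    to sessions that satisfy the Match criteria, so they are not global.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # bare keyword without an argument; sshd would reject it
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == 'match':
            break
        entries.append((keyword, value, lineno))
    return entries


def effective_config(text):
    """Map keyword -> (value, lineno) keeping only the FIRST occurrence."""
    effective = {}
    for keyword, value, lineno in parse_global_directives(text):
        effective.setdefault(keyword, (value, lineno))
    return effective


def shadowed_settings(text, desired):
    """Return desired settings whose effective value differs from what we want.

    The result maps the desired keyword to the (value, lineno) that actually
    wins, which is what a hardening check would report to the operator.
    """
    effective = effective_config(text)
    problems = {}
    for keyword, wanted in desired.items():
        winner = effective.get(keyword.lower())
        if winner is not None and winner[0] != wanted:
            problems[keyword] = winner
    return problems


def apply_block(text, block, at_bof):
    """Insert a managed block at the beginning (BOF) or the end (EOF) of text."""
    if at_bof:
        return block + "\n" + text
    return text.rstrip("\n") + "\n" + block + "\n"


# Constructed sample: a distro sshd_config that already sets both keywords.
SAMPLE_CONFIG = """# constructed sample sshd_config
PrintMotd yes
PermitRootLogin yes
"""

# Constructed managed block in the style of a blockinfile marker pair.
MANAGED_BLOCK = """# BEGIN MANAGED BY EXAMPLE
PrintMotd no
PermitRootLogin no
# END MANAGED BY EXAMPLE"""

DESIRED = {'PrintMotd': 'no', 'PermitRootLogin': 'no'}

if __name__ == '__main__':
    for at_bof in (False, True):
        merged = apply_block(SAMPLE_CONFIG, MANAGED_BLOCK, at_bof)
        where = 'BOF' if at_bof else 'EOF'
        print(f"block at {where}: shadowed = {shadowed_settings(merged, DESIRED)}")
```

Run it directly and the EOF variant reports both keywords shadowed by lines 2 and 3 of the sample, while the BOF variant reports nothing, which is exactly the behaviour the `PrintMotd` experiment in the commit message shows.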
This commit is contained in:
parent
e79c6c0594
commit
2958a406a9
@ -13,21 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Adding additional sshd configuration options is usually easy, but if a
# configuration file ends with certain configurations, like a "Match" stanza,
# we need a blank line to separate those configurations from the ones that
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.

- name: Find first 'Match' line in sshd_config (if it exists)
shell: "grep '^Match' /etc/ssh/sshd_config || echo 'EOF'"
register: sshd_match_check
changed_when: False
check_mode: no
tags:
- always
- sshd

- name: Copy login warning banner
copy:
content: "{{ security_login_banner_text }}"
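Review bot: the explanatory comment about the "Match" stanza is deleted without a replacement, so the file no longer records why the managed block has to go before every existing directive (sshd honours only the first occurrence of a keyword, which is the whole reason for this change); suggest keeping a short comment above the blockinfile task that states that rule. Since this hunk removes the only task that registers `sshd_match_check`, also grep the rest of the role for remaining references to that variable before merging.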
@ -45,7 +30,7 @@
dest: /etc/ssh/sshd_config
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
insertbefore: "BOF"
validate: '/usr/sbin/sshd -T -f %s'
block: "{{ lookup('template', 'sshd_config_block.j2') }}"
notify:

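Review bot: `insertbefore: "BOF"` only takes effect when the `# BEGIN/END MANAGED BY ANSIBLE-HARDENING` markers are not present yet; on hosts already configured by an earlier run, blockinfile rewrites the content between the existing markers in place, so the block stays at its old position before the first `Match` line and keywords set earlier in the file keep shadowing it. Consider a preceding `state: absent` pass for the same marker (or a note in the commit message) so existing hosts actually pick up the new location. Note also that `validate: '/usr/sbin/sshd -T -f %s'` only rejects syntax errors and will happily pass a file in which the managed values are shadowed; comparing the output of `sshd -T` against the template values would be the check that catches this.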