f32cb3c081
PermitRootLogin can be 'yes', 'no', 'without-password', 'prohibit-password' or 'forced-commands-only'. This patch changes the template to check that security_sshd_permit_root_login is one of the settings above and, if so, to use that value. Due to the way Ansible handles "no" and "yes", we have to check whether the value is "False" (the string form of the boolean no) and, if so, output "no"; otherwise we output the string as given (which will be one of the options above). Previously, this value could only be set to 'no'. Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
{% if security_sshd_disallow_empty_password | bool %}
|
|
# V-71939 / RHEL-07-010440
|
|
PermitEmptyPasswords no
|
|
{% endif %}
|
|
{% if security_sshd_disallow_environment_override | bool %}
|
|
# V-71957
|
|
PermitUserEnvironment no
|
|
{% endif %}
|
|
{% if security_sshd_disallow_host_based_auth | bool %}
|
|
# V-71959
|
|
HostbasedAuthentication no
|
|
{% endif %}
|
|
# V-72221
|
|
Ciphers {{ security_sshd_cipher_list }}
|
|
# V-72225
|
|
Banner {{ security_sshd_banner_file }}
|
|
# V-72237
|
|
ClientAliveInterval {{ security_sshd_client_alive_interval }}
|
|
# V-72241
|
|
ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
|
|
{% if security_sshd_print_last_log | bool %}
|
|
# V-72245
|
|
PrintLastLog yes
|
|
{% endif %}
|
|
{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
|
|
{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
|
|
{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
|
|
{% else %}
|
|
{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
|
|
{% endif %}
|
|
# V-72247
|
|
PermitRootLogin {{ _security_sshd_permit_root_login }}
|
|
{% endif %}
|
|
{% if security_sshd_disallow_known_hosts_auth | bool %}
|
|
# V-72249 / V-72239
|
|
IgnoreUserKnownHosts yes
|
|
{% endif %}
|
|
{% if security_sshd_disallow_rhosts_auth | bool %}
|
|
# V-72243
|
|
IgnoreRhosts yes
|
|
{% endif %}
|
|
{% if security_sshd_enable_x11_forwarding | bool %}
|
|
# V-72303
|
|
X11Forwarding yes
|
|
{% endif %}
|
|
# V-72251
|
|
Protocol {{ security_sshd_protocol }}
|
|
# V-72253
|
|
MACs {{security_sshd_allowed_macs }}
|
|
{% if security_sshd_enable_privilege_separation | bool %}
|
|
# V-72265
|
|
UsePrivilegeSeparation sandbox
|
|
{% endif %}
|
|
# V-72267
|
|
Compression {{ security_sshd_compression }}
|
|
{% if security_sshd_disable_kerberos_auth | bool %}
|
|
# V-72261
|
|
KerberosAuthentication no
|
|
{% endif %}
|
|
{% if security_sshd_enable_strict_modes| bool %}
|
|
# V-72263
|
|
StrictModes yes
|
|
{% endif %}
|
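Review bot: The outer guard `{% if security_sshd_permit_root_login | string in [...] %}` silently drops the whole `PermitRootLogin` directive when the variable holds anything outside the list, so a typo such as `prohibit_password` leaves sshd on its compiled-in default with no error from the play. That default is `yes` on OpenSSH releases before 7.0, which is the opposite of what this hardening variable is meant to enforce. Failing fast is preferable: validate the variable in an `assert` task before the template is rendered, or at minimum add `{% else %}` / `PermitRootLogin no` ahead of the closing `{% endif %}` so an unrecognised value falls back to the strict setting rather than to nothing. A short comment above the block, e.g. `{# Ansible turns yes/no into booleans, so map True/False back to the sshd keywords #}`, would also explain why the inner `['False', 'True']` branch exists. Since `without-password` is only a deprecated alias of `prohibit-password` in current OpenSSH, that comment could point users at the latter.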