change default to allow SFTP #564

Merged
merged 6 commits into from
Aug 22, 2022
2 changes: 2 additions & 0 deletions molecule/ssh_hardening/converge.yml
Expand Up @@ -10,3 +10,5 @@
tasks:
- include_role:
name: ssh_hardening
vars:
sftp_enabled: false
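Review bot: with `sftp_enabled` now defaulting to true (defaults/main.yml in this same PR), this explicit `sftp_enabled: false` makes the default molecule scenario the only one that exercises the disabled path; add a short YAML comment above `vars:` stating that intent, otherwise a later cleanup may drop the line as redundant. Also check the scenario's connection settings: the README paragraph added in this PR says that a host with SFTP disabled makes Ansible's template/copy/file modules error unless `scp_if_ssh = True` is set, so the converge and verify steps that run after the role has restarted sshd need that setting or they are affected on the first file transfer.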
1 change: 0 additions & 1 deletion molecule/ssh_hardening_custom_tests/converge.yml
Expand Up @@ -48,7 +48,6 @@
ssh_print_last_log: true
ssh_banner: true
ssh_server_password_login: true
sftp_enabled: true
sftp_chroot: true
# ssh_server_enabled: false
ssh_server_ports:
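Review bot: dropping `sftp_enabled: true` because it is now the default leaves `sftp_chroot: true` behind, which is also the role default (`sftp_chroot: true` in defaults/main.yml), so the remaining line is just as redundant; either drop both or keep both explicit. Keeping `sftp_enabled: true` explicit is the safer choice here: this scenario is the one that verifies the enabled-plus-chroot path, and its coverage should not silently depend on the default flipping again.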
8 changes: 6 additions & 2 deletions roles/ssh_hardening/README.md
Expand Up @@ -126,8 +126,8 @@ As this role requires root-privileges, we added `become: true` to all tasks. So
- Default: `false`
- Description: false to disable display of last login information.
- `sftp_enabled`
- Default: `false`
- Description: true to enable sftp configuration.
- Default: `true`
- Description: false to disable sftp configuration.
- `sftp_umask`
- Default: `'0027'`
- Description: Specifies the umask for sftp.
Expand Down Expand Up @@ -272,6 +272,10 @@ Example playbook:
- "AcceptEnv LANG"
```

## After using the role Ansibles template/copy/file module does not work anymore

If you use this role to disable SFTP (`stfp_enabled: false`) you will get errors. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set `scp_if_ssh = True` in your ansible.cfg. This way Ansible uses SCP to copy files.

## Changing the default port and idempotency

This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port.
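Review bot: the context line "If you use this role to disable SFTP (`stfp_enabled: false`)" has a typo in the variable name (`stfp` for `sftp`); since this file is being edited, fix it here, because a reader copying that name into a playbook sets an unknown variable and SFTP stays enabled. The changed default also deserves an upgrade note next to the `sftp_enabled` entry: users who relied on the previous default of `false` will start getting the sftp configuration (with `sftp_chroot` and `sftp_umask` at their defaults) on the next run without any change to their playbooks. Finally, `scp_if_ssh = True` belongs in the `[ssh_connection]` section of ansible.cfg; saying so in the new paragraph would save readers a lookup.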
4 changes: 2 additions & 2 deletions roles/ssh_hardening/defaults/main.yml
Expand Up @@ -158,8 +158,8 @@ ssh_banner_path: '/etc/ssh/banner.txt'
# false to disable distribution version leakage during initial protocol handshake
ssh_print_debian_banner: false # sshd (Debian OS family only)

# true to enable sftp configuration
sftp_enabled: false
# false to disable sftp configuration
sftp_enabled: true

# false to disable sftp chroot
sftp_chroot: true
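Review bot: flipping `sftp_enabled` to true is a behaviour change for every existing user of the role who never set the variable, and combined with the unchanged `sftp_chroot: true` two lines below, the new default is a chrooted sftp configuration rather than none at all; record this in the changelog and README so upgraders can decide whether to pin `sftp_enabled: false`. The comment wording also flips from "true to enable" to "false to disable", matching the README hunk; keep the two in sync if the wording changes again.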