From c1876bfb751053cdbc6c793e2ba1bba5c16b5b97 Mon Sep 17 00:00:00 2001
From: Frank Isemann
Date: Tue, 9 May 2017 14:49:24 +0200
Subject: [PATCH] Added support for PermitTunnel config switch
---
 README.md | 1 +
 defaults/main.yml | 3 +++
 templates/opensshd.conf.j2 | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c8faee0c..ac6f2131 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_host_key_files` | ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] |Host keys to look for when starting sshd.|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
+|`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
diff --git a/defaults/main.yml b/defaults/main.yml
index d1c3906c..dafa4bb4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -39,6 +39,9 @@ ssh_max_auth_retries: 2
 ssh_client_alive_interval: 600 # sshd
 ssh_client_alive_count: 3 # sshd
+# Allow SSH Tunnels
+ssh_permit_tunnel: false
+
 # Hosts with custom options. # ssh
 # Example:
 # ssh_remote_hosts:
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index 0bcccd97..0a60578f 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
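Review bot: The new `ssh_permit_tunnel` entry in defaults/main.yml drops the `# sshd` trailer that the neighbouring `ssh_client_alive_interval` and `ssh_client_alive_count` lines carry, and its comment `# Allow SSH Tunnels` names the wrong mechanism. sshd's PermitTunnel governs tun(4) device forwarding (layer-3 point-to-point or layer-2 ethernet tunnels), not port forwarding, which this role already exposes separately as `ssh_allow_tcp_forwarding`; the README row in the first hunk ("true if SSH Port Tunneling is required") has the same mix-up. I would write `# Allow tun(4) device forwarding (sshd PermitTunnel); distinct from ssh_allow_tcp_forwarding` and `ssh_permit_tunnel: false # sshd`, and reword the README cell to say tun device forwarding rather than port tunneling. Keeping the default at false is right, since `yes` grants both tunnel layers at once.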
@@ -173,7 +173,7 @@ ClientAliveInterval {{ssh_client_alive_interval}}
 ClientAliveCountMax {{ssh_client_alive_count}}
 # Disable tunneling
-PermitTunnel no
+PermitTunnel {{ 'yes' if ssh_permit_tunnel else 'no' }}
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access
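Review bot: The context comment `# Disable tunneling` directly above the new `PermitTunnel {{ 'yes' if ssh_permit_tunnel else 'no' }}` line is now stale, because the directive is no longer unconditionally `no`. I would change it to `# tun(4) device forwarding; off unless ssh_permit_tunnel is set (yes enables both point-to-point and ethernet tunnels)`. A boolean switch cannot express sshd's narrower `point-to-point` or `ethernet` values, so an operator who needs only layer-3 tunnels also gets layer-2; that limitation belongs in the comment or the README. If `ssh_permit_tunnel` can arrive as a string from extra-vars (e.g. "false"), plain Jinja truthiness renders `yes`; a `| bool` filter would make the toggle robust to that, though I cannot see from this hunk whether the role's other yes/no toggles use it.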