
Error in Task 'Create sshd_config and set permissions to root/600' #565

Closed
CyberGitJul opened this issue Aug 20, 2022 · 5 comments


CyberGitJul commented Aug 20, 2022

Target System:

  • uname -a: Linux rubitest 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
  • cat /etc/issue: Debian GNU/Linux 11 \n \l

ansible_user: root

Error in mentioned task:

FAILED! => {
    "changed": false,
    "checksum": "4280a6edb8ec3b7998204d6e76a1a1840a9eb263",
    "diff": [],
    "exit_status": 255,
    "invocation": {
        "module_args": {
            "_original_basename": "opensshd.conf.j2",
            "attributes": null,
            "backup": false,
            "checksum": "4280a6edb8ec3b7998204d6e76a1a1840a9eb263",
            "content": null,
            "dest": "/etc/ssh/sshd_config",
            "directory_mode": null,
            "follow": false,
            "force": true,
            "group": "root",
            "local_follow": null,
            "mode": "0600",
            "owner": "root",
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": "/root/.ansible/tmp/ansible-tmp-1661027523.4435546-4187-210979323250571/source",
            "unsafe_writes": false,
            "validate": "/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s"
        }
    },
    "msg": "failed to validate",
    "stderr": "/root/.ansible/tmp/ansible-tmp-1661027523.4435546-4187-210979323250571/source line 14: unsupported option \"True\".\r\n",
    "stderr_lines": [
        "/root/.ansible/tmp/ansible-tmp-1661027523.4435546-4187-210979323250571/source line 14: unsupported option \"True\"."
    ],
    "stdout": "",
    "stdout_lines": []

schurzi commented Aug 21, 2022

This seems like a configuration issue. Can you please share your playbook and Ansible variables?
Line 14 might be some sshd_custom_options that is defined wrong.


CyberGitJul commented Aug 21, 2022

Hi, it's pretty large, that playbook, so I'll give you the relevant parts. It's right at the start anyway:

playbook (the part before your ssh role call):

---
- hosts: all
  remote_user: "{{ target_user | default('root') }}"

  vars:
    force_install: false

  tasks:

## BASIC TASKS
    - name: Include Global variables
      ansible.builtin.include_vars:
        dir: ./vars/


## CHECK TARGET
    - name: Check target state and stop if existing and not force
      ansible.builtin.include_tasks:
        file: ./tasks/check_initial.yml

    
## SETUP USER
    - name: Prepare User and SSH
      ansible.builtin.include_tasks:
        file: ./tasks/tasks_user_ssh_mgmt.yml
      when: new_installation or force_install

## OS PREPARATION


    - name: Run Prepare OS Tasks (Packages, Hardening)
      ansible.builtin.include_tasks:
        file: ./tasks/tasks_prepare_os.yml
      when: new_installation or force_install

tasks-file:

- name: Harden all systems
  include_role:
    name: devsec.hardening.ssh_hardening
  vars:
    ssh_permit_root_login: true

The vars file, which is being included in the playbook, doesn't contain any variables which are relevant ....
Many thanks for looking into this!

Cheers,

JP


schurzi commented Aug 21, 2022

Ahh, this one is hard to catch: you are using `ssh_permit_root_login: true`, but `true` is not possible here. See the documentation:

- `ssh_permit_root_login`
- Default: `no`
- Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required!

@schurzi schurzi closed this as completed Aug 21, 2022
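Added example, not code from the issue or from the devsec.hardening collection: it reproduces why the unquoted YAML boolean fails and checks the rendered directive the way sshd's parser does before the role's `sshd -T -f` validate step would. It assumes the role's template emits `PermitRootLogin {{ ssh_permit_root_login }}` (the real template's conditionals are not reproduced), and the variable values fed in are constructed inline to stand for what YAML hands to Jinja.

```python
"""Reproduce the failure in this issue: a YAML `true` reaches the Jinja template as
the Python bool True, renders as "True", and sshd rejects it as an unsupported
argument for PermitRootLogin (the error text seen in the validate output).

Assumptions (added example, not the collection's own code): the template line is
`PermitRootLogin {{ ssh_permit_root_login }}`; input values are constructed here.
"""

# Arguments sshd accepts for PermitRootLogin (compared case-insensitively, as
# sshd's multistate lookup does). "without-password" is the older spelling of
# "prohibit-password".
PERMIT_ROOT_LOGIN_VALUES = {
    "yes",
    "no",
    "without-password",
    "prohibit-password",
    "forced-commands-only",
}


def render_permit_root_login(value):
    """Mimic what Jinja2 does with `{{ value }}`: the object is stringified.
    A YAML `true` is the bool True and renders as "True"; a quoted 'yes' is the
    str "yes" and renders unchanged."""
    return "PermitRootLogin {}".format(value)


def validate_sshd_line(line, linenum):
    """Return None if sshd would accept the PermitRootLogin line, otherwise the
    message sshd prints for an unknown keyword argument (filename prefix omitted).
    Lines for other keywords are out of scope here and are passed through."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "permitrootlogin":
        return None
    arg = parts[1].strip()
    if arg.lower() not in PERMIT_ROOT_LOGIN_VALUES:
        return 'line {}: unsupported option "{}".'.format(linenum, arg)
    return None


def check_variable(ssh_permit_root_login, linenum=14):
    """Render the directive from the Ansible variable and validate it.
    Returns (rendered_line, error_or_None)."""
    line = render_permit_root_login(ssh_permit_root_login)
    return line, validate_sshd_line(line, linenum)


if __name__ == "__main__":
    # Constructed inputs: what `true`, 'yes', 'without-password' and 'no' become
    # once YAML is loaded. Only the bare boolean produces a rejected line.
    for var in (True, "yes", "without-password", "no"):
        rendered, err = check_variable(var)
        print("{!r:20} -> {:40} {}".format(var, rendered, err or "OK"))
```

The first row is the issue's failure mode: the rendered line is `PermitRootLogin True`, and the check returns the same `unsupported option "True"` text that `/usr/sbin/sshd -T -f <rendered file>` printed for line 14. Quoting the value in the playbook (`ssh_permit_root_login: 'yes'`) keeps it a string, which is why the documentation insists on the quotes.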
@CyberGitJul

Darn, I'm so stu... ... thanks man, and sorry for wasting your time :-( ...

Have a great sunday evening :-)

@rndmh3ro

We have an open bug for this problem: #330
