debops / ansible-sshd

Configure SSH server
GNU General Public License v3.0

Allow easier change of sshd_config_ports. #15

Closed ypid closed 9 years ago

ypid commented 9 years ago

Currently, ferm and tcpwrappers have to be configured separately.

drybjed commented 9 years ago

The issue I find here is that in the ferm and tcpwrappers configuration I can use the name of the service from /etc/services, but you cannot do the same in sshd_config. So that would either mean that we stop using ssh in the firewall and tcpwrappers configuration and use 22 instead (ehh... Not that it matters in the end, but... ehhh...), or add a separate list of ports in debops.sshd just for sshd_config, or better yet, look up the name of the port in /etc/services and replace the service name with its number in sshd_config.

drybjed commented 9 years ago

The other thing is that if you use multiple sshd ports, you most certainly have a reason for some of them to be firewalled differently, to allow access from different networks, etc. Adding support for that directly in debops.sshd seems to me to be slightly overkill, when you definitely can configure that separately through the Ansible inventory. And the use case doesn't seem to me to be common enough to warrant additional complexity in the role.

ypid commented 9 years ago

Ok. What about reconfiguring /etc/services if it is only one port (e.g. 22/tcp to something different)?

drybjed commented 9 years ago

You don't want to change standard service ports - this might confuse applications that use these names, for example if you change say, SMTP to something different than 25, and then run:

telnet remote.host.com smtp

telnet will connect to the port that you have in /etc/services, which will be different.

What you want to do is to add another set of port/service name in /etc/services for your additional SSH ports, for example:

ssh-secondary    2200/tcp

You can use debops.etc_services role to do this. But this still won't allow you to use port names in /etc/ssh/sshd_config and this is the problem we are trying to tackle. Doing a lookup for a port number in /etc/services (and you probably want to do the lookup on the remote host anyway, it's where that information is stored) is probably overkill in and of itself.

And it still does not resolve the problem that you probably would want port 22 heavily firewalled and port 2200 configured with access from some subnet. This will add even more complexity into the debops.sshd role, which IMO is unnecessary. You can easily do this configuration in ferm separately by adding one or two additional rules in the Ansible inventory.
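
The service-name lookup discussed above (resolve a name like `ssh-secondary` through /etc/services and emit a numeric `Port` line for sshd_config) is simple enough to sketch in a few lines. The script below is an added example written for this page; it is not part of the thread, of debops.sshd, or of debops.etc_services. The `SAMPLE_SERVICES` text is constructed here in /etc/services format so the example runs offline; passing `table=None` instead asks the libc resolver of the host the script runs on, which is what "look up on the remote host" would mean inside an Ansible task. Unknown names and out-of-range numbers raise instead of silently producing an sshd_config that sshd would refuse to load.

```python
import re
import socket

# Constructed sample in /etc/services format (not the real file on any host).
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh             22/tcp
ssh             22/udp
smtp            25/tcp          mail
ssh-secondary   2200/tcp        # extra sshd listener, as suggested in the thread
"""


def parse_services(text):
    """Return {(name, proto): port} from /etc/services-formatted text.

    Aliases on a line map to the same port; comments and blank lines are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1])
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2)
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = port
    return table


def resolve_port(spec, table=None, proto="tcp"):
    """Turn '22', 'ssh' or 'ssh-secondary' into an integer port number.

    Numeric specs are range-checked; names are looked up in `table`, or, when
    no table is given, via the host's own resolver (socket.getservbyname reads
    /etc/services on the machine this runs on).
    """
    spec = str(spec).strip()
    if spec.isdigit():
        port = int(spec)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {spec}")
        return port
    if table is None:
        try:
            return socket.getservbyname(spec, proto)
        except OSError:
            raise ValueError(f"unknown service name {spec!r} for {proto}") from None
    try:
        return table[(spec, proto)]
    except KeyError:
        raise ValueError(f"unknown service name {spec!r} for {proto}") from None


def render_port_lines(specs, table=None):
    """Render the 'Port N' lines for sshd_config, deduplicated, input order kept."""
    ports = []
    for spec in specs:
        port = resolve_port(spec, table)
        if port not in ports:
            ports.append(port)
    return "\n".join(f"Port {p}" for p in ports)


if __name__ == "__main__":
    tbl = parse_services(SAMPLE_SERVICES)
    # Mixed list as a role variable might carry it: names and numbers together.
    print(render_port_lines(["ssh", "ssh-secondary", "2222"], tbl))
```

Note that this only addresses the sshd_config side; as drybjed points out, the per-port firewall policy (port 22 restricted, port 2200 open to a subnet) still has to be expressed separately in the ferm rules.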

ypid commented 9 years ago

I should have described my use case a bit better, sorry. I want my sshd to only listen on one high, unprivileged TCP port which does not get scanned so often. I know that this is security by obscurity, and password login is of course already disabled. But I understand that to keep the complexity down it is better when this is done manually (but still with Ansible of course :smile: ).

drybjed commented 9 years ago

In that case, add this to your inventory:

sshd_ferm_limit: 'false'
sshd_allow: [ '{{ your_subnet }}' ]
sshd_config_ports: [ '22', '2200' ]
ferm_input_list:
  - dport: [ '2200' ]
    accept_any: True

What will happen is:

This configuration will let you configure that host using Ansible without having to set ansible_ssh_port in the inventory for that host, or changing ~/.ssh/config or any of that stuff.

ypid commented 9 years ago

Thanks very much. I already configured it in ~/.ssh/config …

ypid commented 9 years ago

Closed by #19. My use case example:

sshd_ferm_ports: [ '2323' ]
sshd_ports: '{{ sshd_ferm_ports }}'