dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

ssh hardening role fails when `ssh_permit_root_login` var is set on ubuntu 24.04 #768

Closed gpoblon closed 3 months ago

gpoblon commented 3 months ago

### Description

Running devsec ssh hardening role fails when ssh_permit_root_login is set. I tried with the following values:

### Reproduction steps

Simply run this task:

```yaml
---
- name: SSH Hardening
  import_role:
    name: devsec.hardening.ssh_hardening
  vars:
    ssh_permit_root_login: no
```

### Current Behavior

```
TASK [devsec.hardening.ssh_hardening : Create sshd_config and set permissions to root/600] **** fatal: [localhost]: FAILED! => {"changed": false, "checksum": "382bac9e38b410bdc5ff2434ab936398f4b61e91", "exit_status": 255, "msg": "failed to validate", "stderr": "/home/doc/.ansible/tmp/ansible-tmp-1717347306.0279121-22803-160195413881422/source line 14: unsupported option \"False\".\r\n", "stderr_lines": ["/home/doc/.ansible/tmp/ansible-tmp-1717347306.0279121-22803-160195413881422/source line 14: unsupported option \"False\"."], "stdout": "", "stdout_lines": []}
```


### Expected Behavior

Just go through, ssh_permit_root_login: no

### OS / Environment

Ubuntu 24.04 fresh install with default open ssh settings.

### Ansible Version

```Shell
ansible [core 2.16.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/doc/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/doc/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Apr 10 2024, 05:33:47) [GCC 13.2.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
```

### Collection Version

```Shell
9.0.1
```

### Additional information

No response

gpoblon commented 3 months ago

Just realized it requires quotes... closing, my bad.

schurzi commented 3 months ago

@gpoblon thanks for posting the solution! This is indeed a YAML parsing problem, we can't solve this. The user is required to quote string values that can also be interpreted as bool by the YAML parser.
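The failure mode discussed in this thread, as an added illustration that is not part of the issue or of the collection's code: a bare `no` is resolved as a YAML 1.1 boolean, Jinja then stringifies it as `False`, and `sshd -t` rejects the resulting line. The scalar resolver below mirrors the literals PyYAML treats as booleans, the template line `PermitRootLogin {{ ssh_permit_root_login }}` is assumed to be how the role renders the option, and the accepted values are taken from sshd_config(5).

```python
import re

# Plain (unquoted) scalars that a YAML 1.1 loader such as PyYAML resolves to a
# boolean. A quoted scalar ("no" or 'no') is always a string and never hits this.
_YAML11_BOOL = re.compile(
    r"^(?:yes|Yes|YES|no|No|NO|true|True|TRUE|false|False|FALSE|on|On|ON|off|Off|OFF)$"
)
_YAML_TRUE = {"yes", "true", "on"}

# Arguments sshd accepts for PermitRootLogin per sshd_config(5); sshd matches them
# case-insensitively. "without-password" is the older alias of prohibit-password.
PERMIT_ROOT_LOGIN_VALUES = {
    "yes", "no", "prohibit-password", "forced-commands-only", "without-password",
}


def load_scalar(raw: str):
    """Resolve one YAML scalar the way a YAML 1.1 loader would.

    `raw` is the value text exactly as written in the playbook. Quoted text is a
    string; a bare yes/no/on/off/true/false becomes a Python bool.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    if _YAML11_BOOL.match(raw):
        return raw.lower() in _YAML_TRUE
    return raw


def render_permit_root_login(value) -> str:
    """Mimic the assumed template line `PermitRootLogin {{ ssh_permit_root_login }}`.

    Jinja converts a Python bool with str(), so False renders as "False".
    """
    return f"PermitRootLogin {value}"


def sshd_accepts(line: str) -> bool:
    """Return True if sshd would accept this PermitRootLogin line."""
    keyword, _, arg = line.partition(" ")
    return keyword == "PermitRootLogin" and arg.lower() in PERMIT_ROOT_LOGIN_VALUES


def check_var(raw: str) -> tuple[str, bool]:
    """Load the variable as written, render it, and report whether sshd accepts it."""
    line = render_permit_root_login(load_scalar(raw))
    return line, sshd_accepts(line)
```

`check_var("no")` yields `("PermitRootLogin False", False)`, reproducing the `unsupported option "False"` validation error, while `check_var('"no"')` yields `("PermitRootLogin no", True)`.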