tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The definition of the baseline should be done in Hiera. The purpose of the module is to give the ability to set up a complete security baseline which does not necessarily have to stick to industry security guides like the CIS benchmarks.
Apache License 2.0

sshd_limit_access::enforce: false still locked out #81

Closed opentokix closed 2 months ago

opentokix commented 7 months ago

Hello,

I have this configuration in hiera

cis_security_hardening::profile: server
cis_security_hardening::level: "2"
cis_security_hardening::time_until_reboot: 60
cis_security_hardening::exclude_dirs_sticky_ww: []
cis_security_hardening::update_postrun_command: true
cis_security_hardening::fact_upload_command: "/usr/share/cis_security_hardening/bin/fact_upload.sh"
cis_security_hardening::auditd_dirs_to_include:
  - "/usr"
cis_security_hardening::verbose_logging: false

cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: false
cis_security_hardening::rules::udf::enforce: true
cis_security_hardening::rules::disable_ipv6: false
cis_security_hardening::rules::sudo_installed:
  enforce: false
cis_security_hardening::rules::sshd_limit_access:
  enforce: false

And still my ssh gets disabled and I am locked out of the machine.

"Permission denied (publickey)."

tom-krieger commented 6 months ago

Hi,

Please look into your ssh configuration and double check if your ssh private key matches the public key and the user is allowed to log in.

What about the logs? Any hints in secure or auth logs?

opentokix commented 6 months ago

Looks like it just ignores enforce: false - I added myself to allow_groups/users and could log in again. Might be so that I can't have enforce as a hash, it has to be one line for each.

This module does not play nice with other systems either, esp. the firewall configuration breaks everything (fail2ban, docker etc).
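
The comment above suspects that `enforce` cannot be given as a hash under the rule name. Puppet's automatic class parameter lookup resolves keys of the form `<class>::<parameter>`, so a pre-deployment check can flag hash-valued rule keys and print the flattened form. This is an added example, not code from the module or the thread; it assumes the rules are classes below `cis_security_hardening::rules::` that take their parameters only through that lookup, and the function names are hypothetical.

```ruby
require 'yaml'

# Assumption (not taken from the module's documentation): every rule is a
# Puppet class below this namespace and gets its parameters only through
# automatic class parameter lookup, i.e. from keys named <class>::<parameter>.
RULE_PREFIX = 'cis_security_hardening::rules::'

# Return one finding per hash-valued rule key: the key as written and the
# flattened <class>::<parameter> keys that automatic lookup would resolve.
def nested_rule_keys(yaml_text, prefix = RULE_PREFIX)
  data = YAML.safe_load(yaml_text)
  return [] unless data.is_a?(Hash)

  data.each_with_object([]) do |(key, value), findings|
    next unless key.is_a?(String) && key.start_with?(prefix) && value.is_a?(Hash)

    flattened = value.map { |param, v| ["#{key}::#{param}", v] }.to_h
    findings << { key: key, flattened: flattened }
  end
end

# Render the findings as Hiera YAML that can replace the nested entries.
def flattened_yaml(findings)
  merged = findings.reduce({}) { |acc, f| acc.merge(f[:flattened]) }
  return '' if merged.empty?

  merged.to_yaml.sub(/\A---\s*\n/, '')
end

# Constructed sample, reduced from the configuration posted in the issue.
SAMPLE = <<~HIERA
  cis_security_hardening::level: "2"
  cis_security_hardening::rules::cramfs::enforce: true
  cis_security_hardening::rules::sudo_installed:
    enforce: false
  cis_security_hardening::rules::sshd_limit_access:
    enforce: false
HIERA

if __FILE__ == $PROGRAM_NAME
  findings = nested_rule_keys(SAMPLE)
  findings.each { |f| warn "not a <class>::<parameter> key: #{f[:key]}" }
  puts flattened_yaml(findings)
end
```

Running a check like this against the node's Hiera data before the first Puppet run shows which rule settings would not be picked up while console access to the machine is still available.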

tom-krieger commented 5 months ago

On my servers it does not break anything regarding firewall configuration. Can you please provide more details?

opentokix commented 5 months ago

It was me that was a newbie on the module - I have since adjusted how it's configured.

tom-krieger commented 2 months ago

I'll close this for now.