openstack-ansible-security: Logic fails for 'security_sshd_permit_root_login'

Bug #1685194 reported by Mike Eriksson on 2017-04-21

Bug Description

I spotted the following when I was running tests against a newly secured machine and got warnings that root login was still allowed although it was set to 'no' in defaults/main.yml.

[I tried to submit a pull request to GitHub but got pointed to this resource instead. Since I'm not entirely certain how to run the review and everything, I'm submitting it as a bug at least. I've got a proposed fix below, but need some assistance if I'm to submit it myself.]

From defaults/main.yml

# Permit direct root logins
security_sshd_permit_root_login: no # V-72247

That makes sense as a setting/configuration since that echoes what you'd expect to set in sshd_config yourself. However, when this is handled in tasks/rhel7stig/sshd.yml and ultimately templates/sshd_config_block.j2 this doesn't work as expected.

The part in sshd_config_block.j2 that references this is:

{% if security_sshd_permit_root_login | bool %}
# V-72247
PermitRootLogin no
{% endif %}

Basically - if the variable is set to no, the line below fails the boolean test and is not written into the sshd_config file. I believe that anyone who runs this against their hosts with this setting will still be allowing root logins although they think they're not.

If you set the variable to yes, it just 'feels and looks' wrong to me.

I'm not good enough at Ansible and Jinja2 to figure out how to do a 'negative' bool after the |, so I put in the following instead:

{% if not security_sshd_permit_root_login | bool %}

Maybe there's a more elegant solution to this?

This is the first instance of this issue I've spotted but there might be more - I'll try and go through the ssh settings closer now.

Cheers, Mike
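The rendering difference described in the report, as an added example that is not part of the bug report or of the openstack-ansible-security project: both conditionals are rendered with the Jinja2 library, and a small stand-in for Ansible's `bool` filter is assumed (the filter is Ansible's, not Jinja2's, so it is written out here).

```python
"""Render the V-72247 sshd_config block with the shipped conditional and
with the corrected one, then read back which PermitRootLogin value (if any)
actually lands in the file."""
import jinja2

# Stand-in for Ansible's `bool` filter (assumption: Ansible treats these
# YAML 1.1 strings and Python bools as true; everything else is false).
_TRUE = {"yes", "on", "1", "true", "y", "t"}


def ansible_bool(value):
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in _TRUE


# The block as it shipped (buggy) and as proposed in the report (fixed).
BUGGY_BLOCK = """{% if security_sshd_permit_root_login | bool %}
# V-72247
PermitRootLogin no
{% endif %}"""
FIXED_BLOCK = """{% if not security_sshd_permit_root_login | bool %}
# V-72247
PermitRootLogin no
{% endif %}"""


def render_block(template_text, permit_root_login):
    env = jinja2.Environment()
    env.filters["bool"] = ansible_bool
    return env.from_string(template_text).render(
        security_sshd_permit_root_login=permit_root_login)


def effective_permit_root_login(rendered):
    """Return the PermitRootLogin value written by the block, or None when
    the directive is absent (sshd then falls back to its built-in default,
    which is not 'no')."""
    for line in rendered.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None


if __name__ == "__main__":
    # YAML `no` / `yes` reach the template as Python False / True.
    for label, tpl in (("buggy", BUGGY_BLOCK), ("fixed", FIXED_BLOCK)):
        for setting in (False, True):
            value = effective_permit_root_login(render_block(tpl, setting))
            print(f"{label} template, variable={setting!r}: {value}")
```

With the shipped block, the default setting of `no` writes nothing, so the host keeps sshd's default; only the corrected block emits `PermitRootLogin no` for that setting.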

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Low
importance: Low → Medium
tags: added: low-hanging-fruit
Changed in openstack-ansible:
assignee: nobody → Jean-Philippe Evrard (jean-philippe-evrard)

Fix proposed to branch: master

Changed in openstack-ansible:
status: Confirmed → In Progress

Submitter: Zuul
Branch: master

commit 2cf232ae627514bccc283ef3f578e422f7bcf745
Author: Jean-Philippe Evrard <email address hidden>
Date: Mon Oct 16 13:04:05 2017 +0000

    Fix logic error

    if security_sshd_permit_root_login is not set to yes, we should
    override this and template a "no", instead of templating a "no"
    when the value is set to yes.

    Change-Id: I747a8818762119eee63fa03d175b66ae4021f6da
    Closes-Bug: #1685194

Changed in openstack-ansible:
status: In Progress → Fix Released