openstack-ansible-security: Logic fails for 'security_sshd_permit_root_login'
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Medium | Jean-Philippe Evrard |
Bug Description
I spotted the following when I was running tests against a newly secured machine and got warnings that root login was still allowed although it was set to 'no' in defaults/main.yml.
[I tried to submit a pull request to GitHub but got pointed to this resource instead. Since I'm not entirely certain how to run the review and everything, I'm submitting it as a bug at least. I've got a proposed fix below, but need some assistance if I'm to submit it myself.]
From defaults/main.yml
# Permit direct root logins
security_
That makes sense as a setting/
The part in sshd_config_
{% if security_
# V-72247
PermitRootLogin no
{% endif %}
Basically, if the variable is set to no, the line below fails the boolean test and is not written into the sshd_config file. I believe that anyone who runs this against their hosts with this setting will still be allowing root logins although they think they're not.
If you set the variable to yes, it just 'feels and looks' wrong to me.
I'm not good enough at Ansible and Jinja2 to figure out how to do a 'negative' bool after the | so I put in the following instead:
{% if not security_
Maybe there's a more elegant solution to this?
This is the first instance of this issue I've spotted but there might be more - I'll try and go through the ssh settings closer now.
Cheers, Mike
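The following is an added illustration, not code from the bug report or from the openstack-ansible-security role. It reproduces, without Ansible or Jinja2, what the two template forms do with the value of `security_sshd_permit_root_login` (the variable named in the bug title): `{% if var | bool %}` writes `PermitRootLogin no` only when the variable is truthy, so a value of `no` produces an empty fragment and sshd falls back to its compiled-in default; `{% if not var | bool %}` writes it when the variable is falsy, which is the intended behaviour. Note that in Jinja2 the `|` filter binds tighter than `not`, so `not var | bool` already means `not (var | bool)`. The `ansible_bool` helper is an assumption that mirrors the yes/no/on/off/1/0 spellings Ansible's `bool` filter accepts; `effective_permit_root_login` is a hypothetical audit helper that reads a rendered fragment the way sshd does (first occurrence of a keyword wins, `#` lines ignored). The `default` argument is needed because the compiled-in default differs between OpenSSH releases (`yes` before 7.0, `prohibit-password` since).

```python
"""Reproduce the defaults/main.yml -> sshd_config logic of the bug without Ansible.

Added example for the bug report above; not part of openstack-ansible-security.
"""

# Assumption: these are the spellings Ansible's `bool` filter treats as true/false.
TRUE_VALUES = {"y", "yes", "on", "1", "true", "t"}
FALSE_VALUES = {"n", "no", "off", "0", "false", "f"}


def ansible_bool(value):
    """Mimic `value | bool` as Ansible applies it to a YAML scalar or string."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def render_sshd_fragment(permit_root_login, negate=False):
    """Render the V-72247 fragment.

    negate=False models the buggy template `{% if var | bool %}`;
    negate=True models the proposed fix `{% if not var | bool %}`.
    """
    condition = ansible_bool(permit_root_login)
    if negate:
        condition = not condition
    if condition:
        return "# V-72247\nPermitRootLogin no\n"
    return ""


def effective_permit_root_login(config_text, default="yes"):
    """Return the PermitRootLogin value sshd would apply for this config text.

    Hypothetical audit helper: sshd honours the first occurrence of a keyword
    and ignores lines starting with '#'. Match blocks are not modelled. If no
    directive is present the compiled-in default applies, which is 'yes' on
    OpenSSH < 7.0 and 'prohibit-password' on 7.0 and later, hence the argument.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def audit(values, default="yes"):
    """For each candidate variable value, report what each template form yields.

    Returns {value: (effective_with_buggy_template, effective_with_fixed_template)}.
    """
    report = {}
    for value in values:
        buggy = effective_permit_root_login(render_sshd_fragment(value), default)
        fixed = effective_permit_root_login(render_sshd_fragment(value, negate=True), default)
        report[value] = (buggy, fixed)
    return report


if __name__ == "__main__":
    # Constructed sample values a deployer might put in defaults/main.yml or a var file.
    for value, (buggy, fixed) in audit(["no", "yes", False, "off"]).items():
        print(f"security_sshd_permit_root_login={value!r}: "
              f"buggy template -> {buggy}, fixed template -> {fixed}")
```

Running it shows the report's observation directly: with the buggy form and `no`, the fragment is empty and the effective value is whatever the sshd default is (`yes` on older releases), while with the fixed form the same setting yields `PermitRootLogin no`. Setting the variable to `yes` with the buggy form writes `PermitRootLogin no`, which is the inversion the reporter found to look wrong.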
Changed in openstack-ansible: | |
status: | New → Confirmed |
importance: | Undecided → Low |
importance: | Low → Medium |
tags: | added: low-hanging-fruit |
Changed in openstack-ansible: | |
assignee: | nobody → Jean-Philippe Evrard (jean-philippe-evrard) |
Fix proposed to branch: master
Review: https://review.openstack.org/512289