Role variables and case sensitivity in sshd_config
The documentation for /etc/ssh/sshd_config states that:
keywords are case-insensitive and arguments are case-sensitive
The sshd -T command returns lowercase keywords:
sshd -T | grep -e ^a
addressfamily any
allowtcpforwarding yes
allowagentforwarding yes
allowstreamlocalforwarding yes
authorizedprincipalsfile none
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
acceptenv LANG
acceptenv LC_*
authenticationmethods any
So perhaps this role would be better off using ssh_allowagentforwarding rather than the current ssh_allow_agent_forwarding, or even a dictionary for everything:
sshd_config:
  addressfamily: "any"
  allowtcpforwarding: "yes" # quoted to ensure that it is a string not a boolean? Should all variables be strings
  allowagentforwarding: "yes" # rather than using booleans and arrays as this role currently does?
And have the whole of /etc/ssh/sshd_config generated from the dictionary and simply moving the default file to /etc/ssh/.sshd_config.ansible.save or something like that?
In addition JC might have support for sshd -T added, if this happens then it would make sense for this role to use the community.general.jc filter when reading sshd_config.
Edited by Chris Croome
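Added example, not part of the original issue or of the role's code: a sketch of how a dictionary keyed by sshd keywords could be compared against `sshd -T` output, folding keyword case, keeping argument case, and accumulating repeated keywords such as acceptenv. The function names (`parse_sshd_t`, `normalise_desired`, `drift`) are hypothetical, the sample input is constructed from the listing above, and rejecting booleans is this example's own choice.

```python
# Constructed sample: lines copied from the `sshd -T` listing in the issue above.
SAMPLE_SSHD_T = """\
addressfamily any
allowtcpforwarding yes
allowagentforwarding yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
acceptenv LANG
acceptenv LC_*
"""


def parse_sshd_t(text):
    """Parse `sshd -T` style output into {lowercase keyword: [arguments]}."""
    effective = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        # Keywords are case-insensitive, so fold them; arguments keep their case.
        args = parts[1].split() if len(parts) > 1 else []
        # Repeated keywords (acceptenv) accumulate instead of overwriting.
        effective.setdefault(parts[0].lower(), []).extend(args)
    return effective


def normalise_desired(desired):
    """Bring a role-style dictionary into the same shape as parse_sshd_t()."""
    wanted = {}
    for keyword, value in desired.items():
        if isinstance(value, bool):
            # Unquoted yes/no in YAML 1.1 loads as a boolean; this example
            # rejects it rather than guessing the spelling sshd expects.
            raise TypeError(f"{keyword}: quote the value so it stays a string")
        values = value if isinstance(value, list) else str(value).split()
        wanted.setdefault(keyword.lower(), []).extend(str(v) for v in values)
    return wanted


def drift(desired, sshd_t_output):
    """Return the keywords whose effective value differs from the desired one."""
    effective = parse_sshd_t(sshd_t_output)
    return {
        key: {"wanted": args, "effective": effective.get(key)}
        for key, args in normalise_desired(desired).items()
        if effective.get(key) != args
    }


if __name__ == "__main__":
    print(drift({"AllowAgentForwarding": "yes", "AllowTcpForwarding": "no"}, SAMPLE_SSHD_T))
```

An empty result from `drift` means every keyword in the dictionary already has the desired effective value; keywords absent from the dictionary are not checked.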