dev-sec/ansible-ssh-hardening

Possible issue with Ansible 2.7 and ssh_hardening_enabled flag

jcheroske opened this issue · 4 comments

I just upgraded to 2.7 and I ran into a bug where I needed to explicitly set the ssh_hardening_enabled flag to true to get the role to run. Previously, even if the role was listed as a dependency and the flag was set to false, invoking the role for real without specifying the flag worked correctly. Now, however, it seems that the value for the flag from the dependency section is "sticky" and shows up unless you explicitly override it. Obviously, this is not ideal. I don't have a fix in mind yet.

Example:

You set the dep like normal:

- name: dev-sec.ssh-hardening
  scm: git
  src: https://github.com/dev-sec/ansible-ssh-hardening.git
  vars:
    ssh_hardening_enabled: no
  version: master

This should just work:

- name: 'Harden ssh client and server'
  import_role:
    name: dev-sec.ssh-hardening
  become: yes

But it seems that you now have to do:

- name: 'Harden ssh client and server'
  import_role:
    name: dev-sec.ssh-hardening
  vars:
    ssh_hardening_enabled: yes
  become: yes

Just FYI: I got so sick and tired of Ansible doing weird stuff with variables that I switched all of my roles over to accepting one variable. This variable is a dict that contains all of the role's variables. I name the top-level dict var something that relates to the role name. Here is an example using this role:

- name: 'Harden ssh client and server'
  import_role:
    name: dev-sec.ssh-hardening
  vars:
    ssh_hardening:      # <--- This line is the magic!
      allow_agent_forwarding: no
      allow_tcp_forwarding: yes
      allow_users: ubuntu
      sftp_enabled: yes
  become: yes

As you can see, all variables are effectively namespaced under the ssh_hardening name, so they wouldn't need to be prefixed anymore. I've never seen Ansible do anything strange with this pattern; my vars always show up the way they are supposed to. All of my roles using this pattern continued working fine with 2.7.
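The role side of the single-dict pattern described above, as an added example that is not code from this issue or from dev-sec.ssh-hardening. It assumes a hypothetical role named my_ssh_role; the role merges the caller's dict over its own defaults with combine() and rejects unknown keys, so a misspelled setting fails loudly instead of being silently ignored (the failure mode that matters when the setting you mistyped was meant to tighten sshd).

```yaml
# Hypothetical role "my_ssh_role" (not dev-sec.ssh-hardening): the caller
# passes one dict named after the role; the role merges it over its defaults.
#
# roles/my_ssh_role/defaults/main.yml
---
my_ssh_role_defaults:
  allow_agent_forwarding: no
  allow_tcp_forwarding: no
  allow_users: ""
  sftp_enabled: no

# roles/my_ssh_role/tasks/main.yml
---
- name: Reject keys the role does not know about (a typo would otherwise be ignored)
  assert:
    that: >-
      (my_ssh_role | default({})) | dict2items | map(attribute='key')
      | difference(my_ssh_role_defaults | dict2items | map(attribute='key'))
      | length == 0
    fail_msg: "my_ssh_role contains keys this role does not accept"

- name: Merge the caller's dict over the defaults; caller values win
  set_fact:
    my_ssh_role_cfg: "{{ my_ssh_role_defaults | combine(my_ssh_role | default({})) }}"

- name: Show the effective configuration the role will act on
  debug:
    var: my_ssh_role_cfg

# playbook.yml: only the one namespaced dict is passed, at task level
---
- hosts: all
  become: yes
  tasks:
    - name: Harden ssh with the namespaced-dict pattern
      import_role:
        name: my_ssh_role
      vars:
        my_ssh_role:
          allow_tcp_forwarding: yes
          allow_users: ubuntu
```

Running the playbook with a misspelled key such as allow_user makes the assert task fail before anything is changed on the host.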

Hello!

I am sorry, but I cannot reproduce your issue.

I've set the following dependency like you:

- name: dev-sec.ssh-hardening
  scm: git
  src: https://github.com/dev-sec/ansible-ssh-hardening.git
  vars:
    ssh_hardening_enabled: no
  version: master

And executed a playbook successfully using

- name: 'Harden ssh client and server'
  import_role:
    name: dev-sec.ssh-hardening
  become: yes

Running Ansible version

ansible 2.7.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

If the issue still persists for you, could you please elaborate a bit further?

Thanks :)

@jcheroske please reopen if the problem persists!