Describe the Issue
The sshd-related tasks rely on the rhel9stig_sshd_config_file variable, which is set to /etc/ssh/sshd_config by default, to apply all of the appropriate sshd settings. However, there is a file /etc/ssh/sshd_config.d/50-redhat.conf, installed as part of the openssh-server package, that contains the GSSAPIAuthentication and X11Forwarding sshd settings.
The file /etc/ssh/sshd_config.d/50-redhat.conf is added as an Include to the overall sshd_config because of RHEL-09-255055, which means the two settings from that file are taken into account for the overall sshd system configuration. This means the two STIGs associated with those settings are technically left open when checked using the STIG check text.
Expected Behavior
I expect every instance of GSSAPIAuthentication and X11Forwarding to be set to the appropriate value.
Actual Behavior
The GSSAPIAuthentication and X11Forwarding settings are configured correctly in /etc/ssh/sshd_config but not in /etc/ssh/sshd_config.d/50-redhat.conf.
Control(s) Affected
RHEL-09-255055
RHEL-09-255135
RHEL-09-255155
Environment (please complete the following information):
branch being used: devel
Ansible Version: 2.17.5
Host Python Version: 3.9.18
Ansible Server Python Version: 3.12.7
Additional Details:
Additional Notes
None
Possible Solution
Option 1) Create a prelim task that searches for all possible sshd configuration files on the system and uses that variable as a way to loop through all found files to apply the settings.
Option 2) Assume the user has their sshd configs in the default directories and create secondary tasks for each sshd_config-related task that apply the PATCH to /etc/ssh/sshd_config.d/50-redhat.conf.
Thank you as always for raising the issues along with exact information, it really does assist us to identify and work on things much quicker.
Looking at this issue in particular, I am addressing prelim as expected but the second part in a slightly different way. I am replacing all instances of the settings to be preceded with # except in the file that it's set to update. That way the setting should only exist in the file that has been specified. Still allows the user to set where they would like the setting to exist.
I hope that makes sense, I hope to have the PR raised over the next couple of days for this.
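A constructed model of the behaviour the issue describes (sshd keeps the first value it reads, and the Include placed at the top by RHEL-09-255055 makes the drop-in win) and of the remediation outlined in the reply above (comment the keyword out everywhere except the designated file). This is an added example, not code from the role discussed in this issue; the file contents are constructed samples, not real system files.

```python
import fnmatch
import re
# Constructed sample files, not real system contents. As in the issue,
# RHEL-09-255055 puts the Include first, so 50-redhat.conf is read first.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "GSSAPIAuthentication no\n"
        "X11Forwarding no\n"
    ),
    "/etc/ssh/sshd_config.d/50-redhat.conf": (
        "GSSAPIAuthentication yes\n"
        "X11Forwarding yes\n"
    ),
}
DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")

def directives(path, files):
    """Yield (file, keyword, value) in sshd read order, expanding Include globs in sorted order."""
    for line in files[path].splitlines():
        m = DIRECTIVE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "include":
            for inc in sorted(p for p in files if fnmatch.fnmatch(p, value)):
                yield from directives(inc, files)
        else:
            yield path, key, value

def effective_setting(files, keyword, root="/etc/ssh/sshd_config"):
    """sshd keeps the first value it sees for a keyword; later ones are ignored."""
    for path, key, value in directives(root, files):
        if key == keyword.lower():
            return value, path
    return None, None

def enforce_in_one_file(files, keyword, value, target="/etc/ssh/sshd_config"):
    """Comment keyword out in every other file and set it once in target."""
    pat = re.compile(rf"^\s*{re.escape(keyword)}\b", re.IGNORECASE)
    fixed = {}
    for path, text in files.items():
        lines = text.splitlines()
        if path != target:
            lines = ["# " + l if pat.match(l) else l for l in lines]
        else:
            lines = [l for l in lines if not pat.match(l)] + [f"{keyword} {value}"]
        fixed[path] = "\n".join(lines) + "\n"
    return fixed
```

On a real host a line appended at the end of sshd_config would fall inside any trailing Match block, so the target position needs care; `sshd -T` prints the effective values and confirms which file actually won.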