Add the old SFTP-Reminder to the stable ssh_hardening role for ansible #521
Comments
Sounds good to me! Do you want to create a PR?
Yes of course. Do I need to meet the requirements for contributing as explained on https://dev-sec.io/contributing/ ? Especially asking with regard to DCO Sign-Off.
Yes, that'd be good. Do you need help with it? Normally it's just a
In the readme.md of the archived old ssh hardening role (https://github.com/dev-sec/ansible-ssh-hardening) you explain that this role disables by default the sftp ssh-module, which is used by ansible for various commands and modules:
This little text does not exist in the new ssh_hardening role readme.md (https://github.com/dev-sec/ansible-collection-hardening/tree/master/roles/ssh_hardening). Why is the quoted text not available here? Ansible still seems to prefer the usage of sftp over scp. I assume this as I still get a warning message from ansible-playbooks after running this role without sftp_enabled: true
Warning message is:
[WARNING]: sftp transfer mechanism failed on [hostname]. Use ANSIBLE_DEBUG=1 to see detailed information
If I add 'scp_if_ssh = True' to ansible.cfg, the warning goes away. As the tasks (template and file copy) still run and replace files without scp_if_ssh = True and disabled ssh sftp module, I'm assuming the new ansible behavior is an automatic fallback to scp.
For my first test usage of this role, I only read through the notes at the end of the readme.md and not all listed vars, so I wasn't aware of the sftp behavior. Even if I had read through them, I'm sure I wouldn't have been aware of ansible and its usage of sftp (and I believe this is true for most people out there who aren't using ansible all day long). So what I ask for would be:
Please note: I know this is not really a bug or missing feature and people with a deep knowledge and/or experience with their used tools and os will be aware of this. Also a big thx for those roles, seems to be a great baseline to start with.
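A pre-flight check for the mismatch described in this issue, as an added example that is not part of the original post or of the role: it reads an sshd_config and an ansible.cfg and reports whether Ansible file transfers will work, warn, or fail. The function names and sample configs are constructed here; the `scp_if_ssh` semantics (default `smart`, `True` forces scp, `False` forces sftp) follow Ansible's ssh connection plugin documentation, and it assumes an scp client that speaks the legacy SCP protocol.

```python
import configparser

# Constructed sample inputs (not taken from the issue or the role).
SSHD_SFTP_OFF = "PermitRootLogin no\n# Subsystem sftp internal-sftp\n"
SSHD_SFTP_ON = "PermitRootLogin no\nSubsystem sftp internal-sftp\n"
CFG_DEFAULT = "[defaults]\ninventory = hosts\n"
CFG_FORCE_SCP = "[ssh_connection]\nscp_if_ssh = True\n"
CFG_FORCE_SFTP = "[ssh_connection]\nscp_if_ssh = False\n"


def sftp_subsystem_enabled(sshd_config: str) -> bool:
    """True if sshd_config has an active 'Subsystem sftp <command>' line."""
    for raw in sshd_config.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if len(words) >= 3 and words[0].lower() == "subsystem" and words[1] == "sftp":
            return True
    return False


def scp_if_ssh(ansible_cfg: str) -> str:
    """Return [ssh_connection] scp_if_ssh, or Ansible's default 'smart'."""
    cp = configparser.ConfigParser()
    cp.read_string(ansible_cfg)
    return cp.get("ssh_connection", "scp_if_ssh", fallback="smart").strip().lower()


def transfer_outcome(sshd_config: str, ansible_cfg: str) -> str:
    """'ok', 'warning' (sftp fails, fallback used) or 'failure' (sftp only)."""
    if sftp_subsystem_enabled(sshd_config):
        return "ok"
    setting = scp_if_ssh(ansible_cfg)
    if setting == "smart":
        return "warning"  # sftp is tried first, fails, then scp is tried
    if setting in ("true", "yes", "1", "on"):
        # Assumption: scp uses the legacy SCP protocol; OpenSSH 9.0+ scp
        # defaults to the SFTP protocol and would need the subsystem too.
        return "ok"
    return "failure"  # sftp forced while the server has it disabled


if __name__ == "__main__":
    for name, cfg in [("default", CFG_DEFAULT), ("scp", CFG_FORCE_SCP), ("sftp", CFG_FORCE_SFTP)]:
        print(name, transfer_outcome(SSHD_SFTP_OFF, cfg))
```
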