This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

role creates duplicate parameter/values after run #124

Closed
todd-dsm opened this issue Jul 16, 2017 · 4 comments

Comments

@todd-dsm

Hey guys, I've just run into this issue with a very basic configuration and found duplicates in /etc/ssh/sshd_config afterwards. The relevant details:

The OS:

$ lsb_release -id
Distributor ID:	Debian
Description:	Debian GNU/Linux 8.8 (jessie)

The configuration:

- name: Configure sshd and restart
  hosts: web
  user: bob
  become: yes
  roles:
    - role: dev-sec.ssh-hardening
      ssh_port: 22
      ssh_use_pam: true
      sftp_enabled: true
      network_ipv6_enable: false

Duplicates

sudo egrep -v '^(#|$)' /etc/ssh/sshd_config | sort | uniq -d
AllowAgentForwarding no
AllowTcpForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no

Workaround

As I intend to use sftp early in the process, I've commented the duplicate parameters outside of the if sftp_enabled block.

egrep '(AllowAgentForwarding|AllowTcpForwarding|PasswordAuthentication|PermitRootLogin|X11Forwarding)' templates/opensshd.conf.j2
#PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
#PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
#AllowTcpForwarding {{ 'yes' if ssh_allow_tcp_forwarding else 'no' }}
#AllowAgentForwarding {{ 'yes' if ssh_allow_agent_forwarding else 'no' }}
#X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no

This is gross but it does eliminate the duplicates:

The ansible run output with -v has been included: ansible-sshd.txt

As always, I reserve the right to be completely in the wrong :-)

Please let me know if I've duffed it.

@rndmh3ro
Member

Hey @todd-dsm,

that's expected if sftp is enabled. The duplicate parameters here only match the group sftponly. They can differ from the default values, so they should be separate (and thus duplicate).
If sftp is disabled, there should be no duplicate parameters.

Your workaround is potentially insecure, because you disabled the secure parameters for every ssh-login. They are only activated for sftp logins.

Hope it is clear what I'm trying to say :-).
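To make the maintainer's point concrete: `egrep | sort | uniq -d` compares raw lines and has no idea which ones sit under a `Match Group sftponly` block, so it reports the sftp-only copies as duplicates even though they live in a different scope. The script below is an added example and not code from the dev-sec.ssh-hardening role; the sshd_config text and the function names (`parse_scoped`, `naive_duplicates`, `true_duplicates`, `effective_settings`, `comment_out_global`) are constructed for illustration. It parses a config with the scope rules from sshd_config(5) (the first value read for a keyword wins within a scope; a satisfied Match block overrides the globals for that connection), then contrasts the naive check with a scope-aware one and shows what the "comment out the global copies" workaround does to an ordinary, non-sftp login.

```python
"""Scope-aware duplicate check for sshd_config (added example, not the role's code)."""
import re
from collections import Counter, defaultdict

# Constructed sample: hardened global defaults followed by an sftp-only Match
# block that restates five of them, as the issue describes.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for illustration
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
UsePAM yes

Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory /home/%u
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
"""

HARDENED_KEYWORDS = ("PermitRootLogin", "PasswordAuthentication",
                     "AllowTcpForwarding", "AllowAgentForwarding", "X11Forwarding")

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_scoped(text):
    """Group directives by scope: 'global' or the Match line that opens a block."""
    scoped = defaultdict(list)
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = line          # every following directive belongs to this block
            continue
        scoped[scope].append((keyword, value))
    return scoped


def naive_duplicates(text):
    """What `egrep -v '^(#|$)' sshd_config | sort | uniq -d` reports:
    textual duplicates with no regard for Match scope."""
    counts = Counter(l.strip() for l in text.splitlines()
                     if l.strip() and not l.strip().startswith("#"))
    return sorted(line for line, n in counts.items() if n > 1)


def true_duplicates(text):
    """Keywords repeated inside one scope. sshd uses the first value it reads
    for a keyword in a scope, so only these hide a silently ignored setting."""
    result = {}
    for scope, items in parse_scoped(text).items():
        counts = Counter(k for k, _ in items)
        dups = sorted(k for k, n in counts.items() if n > 1)
        if dups:
            result[scope] = dups
    return result


def effective_settings(text, match_scope=None):
    """Effective keyword -> value for one connection: globals first (first
    occurrence wins), then the satisfied Match block overrides them."""
    scoped = parse_scoped(text)
    effective = {}
    for kw, val in scoped.get("global", []):
        effective.setdefault(kw, val)
    if match_scope is not None:
        block = {}
        for kw, val in scoped.get(match_scope, []):
            block.setdefault(kw, val)
        effective.update(block)
    return effective


def comment_out_global(text, keywords):
    """Reproduce the issue's workaround: comment out the global (pre-Match)
    copies of the given keywords and leave the Match block untouched."""
    wanted = {k.lower() for k in keywords}
    out, in_match = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        kw = stripped.split(None, 1)[0].lower() if stripped else ""
        if kw == "match":
            in_match = True
        if not in_match and kw in wanted:
            raw = "#" + raw
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("naive duplicates :", naive_duplicates(SAMPLE_SSHD_CONFIG))
    print("true duplicates  :", true_duplicates(SAMPLE_SSHD_CONFIG))
    workaround = comment_out_global(SAMPLE_SSHD_CONFIG, HARDENED_KEYWORDS)
    shell_login = effective_settings(workaround)        # a non-sftponly user
    print("after workaround, a normal login gets:",
          {k.lower(): shell_login.get(k.lower(), "<sshd built-in default>")
           for k in HARDENED_KEYWORDS})
```

Running it shows the naive check flagging all five lines while the scope-aware check finds nothing repeated within a scope; after the workaround the duplicates disappear, but a non-sftponly login no longer has any of the five hardened values set and falls back to sshd's built-in defaults, which is exactly the weakening the maintainer warns about.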

@todd-dsm
Author

Thanks for the update. I'll dig into it.

@rndmh3ro
Member

rndmh3ro commented Aug 8, 2017

I'm closing this, since there's no error here. Feel free to reopen if you still have problems!

@rndmh3ro rndmh3ro closed this as completed Aug 8, 2017
@todd-dsm
Author

todd-dsm commented Aug 9, 2017

totally, sorry that took so long.
