disable ssh forwarding by default

sjpb · sjpb · commit 7212f2f66380 · 2025-03-04T09:08:17.000Z
diff --git a/ansible/roles/sshd/README.md b/ansible/roles/sshd/README.md
@@ -5,5 +5,6 @@ Configure sshd.
 ## Role variables
 
 - `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`.
+- `sshd_disable_forwarding`: Optional bool. Whether to disable all forwarding features (X11, ssh-agent, TCP and StreamLocal). Default `true`.
 - `sshd_conf_src`: Optional string. Path to sshd configuration template. Default is in-role template.
 - `sshd_conf_dest`: Optional string. Path to destination for sshd configuration file. Default is `/etc/ssh/sshd_config.d/10-ansible.conf` which overides `50-{cloud-init,redhat}` files, if present.
diff --git a/ansible/roles/sshd/defaults/main.yml b/ansible/roles/sshd/defaults/main.yml
@@ -1,3 +1,4 @@
 sshd_password_authentication: false
+sshd_disable_forwarding: true
 sshd_conf_src: sshd.conf.j2
 sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf
diff --git a/ansible/roles/sshd/templates/sshd.conf.j2 b/ansible/roles/sshd/templates/sshd.conf.j2
@@ -1,2 +1,3 @@
 # {{ ansible_managed }}
 PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}
+DisableForwarding {{ 'yes' if sshd_disable_forwarding | bool else 'no' }}

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`# {{ ansible_managed }}`
`2`	`2`	`PasswordAuthentication {{ 'yes' if sshd_password_authentication \| bool else 'no' }}`
	`3`	`+DisableForwarding {{ 'yes' if sshd_disable_forwarding \| bool else 'no' }}`