Allow VS Code Remote SSH while blocking NFS mounts (#799)

Author: priteau

ansible/roles/sshd/README.md

@@ -6,5 +6,6 @@ Configure sshd.
 
 - `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`.
 - `sshd_disable_forwarding`: Optional bool. Whether to disable all forwarding features (X11, ssh-agent, TCP and StreamLocal). Default `true`.
+- `sshd_allow_local_forwarding`: Optional bool. Whether to allow limited forwarding for the Visual Studio Code Remote - SSH extension. Use together with `sshd_disable_forwarding: false`. NOTE THIS MAY BE INSECURE! Default `false`.
 - `sshd_conf_src`: Optional string. Path to sshd configuration template. Default is in-role template.
 - `sshd_conf_dest`: Optional string. Path to destination for sshd configuration file. Default is `/etc/ssh/sshd_config.d/10-ansible.conf` which overrides `50-{cloud-init,redhat}` files, if present.

ansible/roles/sshd/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 sshd_password_authentication: false
 sshd_disable_forwarding: true
+sshd_allow_local_forwarding: false
 sshd_conf_src: sshd.conf.j2
 sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf

ansible/roles/sshd/templates/sshd.conf.j2

@@ -1,3 +1,7 @@
 # {{ ansible_managed }}
 PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}
 DisableForwarding {{ 'yes' if sshd_disable_forwarding | bool else 'no' }}
+{% if sshd_allow_local_forwarding %}
+AllowTcpForwarding local
+PermitOpen 127.0.0.1:*
+{% endif %}