This repository was archived by the owner on Dec 26, 2020. It is now read-only.

network_ipv6_enable: true not working #311

Closed
altf4arnold opened this issue Jul 20, 2020 · 9 comments

@altf4arnold
Contributor

altf4arnold commented Jul 20, 2020

Hello,

I had a perfectly working config file and made a git pull today on master.
I have this in my config file:

network_ipv6_enable: true

Even with that option, the ssh hardening module is still putting this in my sshd_config file:

ListenAddress 0.0.0.0

which is forcing OpenSSH to listen only on IPv4.

@rndmh3ro
Member

Hey @altf4arnold,

I just tested it, works fine for me:

- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
  hosts: localhost
  roles:
    - ansible-ssh-hardening
  vars:
    network_ipv6_enable: true
TASK [ansible-ssh-hardening : create sshd_config and set permissions to root/600] **************************************************************************************************************
--- before: /etc/ssh/sshd_config
+++ after: /root/.ansible/tmp/ansible-local-4094ZLPK4d/tmpH_8e_r/opensshd.conf.j2
@@ -16,7 +16,7 @@
 Port 22

 # Address family should always be limited to the active network configuration.
-AddressFamily inet
+AddressFamily any

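Review bot: this hunk only shows `AddressFamily inet` becoming `AddressFamily any`; it never touches the `ListenAddress` line, which is what the report is about. With `ListenAddress 0.0.0.0` left in place, sshd still binds IPv4 only regardless of `AddressFamily any`, so a test that covers the report should also show the ListenAddress section of the rendered config (for instance by rendering with the reporter's `ssh_listen_to` values and without them).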
Can you please fill out the bug-template (https://github.com/dev-sec/ansible-ssh-hardening/issues/new?template=bug_report.md) so I can investigate further?

@altf4arnold
Contributor Author

altf4arnold commented Jul 21, 2020

Sorry for not complying with the bug template. Here it is, completed:

The problem is that even when IPv6 is enabled in the playbook, it's still forcing it to listen to IPv4 only with the ListenAddress option in sshd_config.

What should happen is that if IPv6 is put to true and ListenAddress is set to default, listening to [::] should also be put in the config

That is what currently happens if IPv6 is set to true without the ListenAddress specified.

 % ansible-playbook -K ssh.yml

TASK [ssh-hardening : create sshd_config and set permissions to root/600] ****************************************************************************************************************************************************************************************************
changed: [dummy.server.name]

From there I get this in /etc/ssh/sshd_config:

# Address family should always be limited to the active network configuration.
AddressFamily any

# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
ListenAddress 0.0.0.0

My playbook is:

- hosts: all
  roles:
    - role: ssh-hardening
      become: yes
      become_user: root
      become_method: sudo

      network_ipv6_enable: true
      ssh_permit_tunnel: true
      ssh_print_motd: true
      sftp_enabled: true
      ssh_banner: true
      ssh_use_dns: true
      sftp_chroot: false

What I can do to make it work is:

- hosts: all
  roles:
    - role: ssh-hardening
      become: yes
      become_user: root
      become_method: sudo

      network_ipv6_enable: true
      ssh_permit_tunnel: true
      ssh_print_motd: true
      sftp_enabled: true
      ssh_banner: true
      ssh_use_dns: true
      sftp_chroot: false
      ssh_listen_to: ['0.0.0.0','::']

I'm running Ansible from macOS on Debian 10 servers with this version:

ansible 2.9.10
  config file = /Users/arnold/VM-Ansible/ansible.cfg
  configured module search path = ['/Users/arnold/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.9.10/libexec/lib/python3.8/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.8.4 (default, Jul 14 2020, 02:58:48) [Clang 11.0.3 (clang-1103.0.32.62)]

The ssh-hardening module is integrated in my playbook through a git submodule, and those tests were made on commit 2d876f6.

@altf4arnold
Contributor Author

I just tested with commit 7ea747a. Still getting the same result.

@rndmh3ro
Member

The indentation of your playbook is wrong, try this:

- hosts: all
  roles:
    - role: ansible-ssh-hardening
      become: yes
      become_user: root
      become_method: sudo

      network_ipv6_enable: true
      ssh_permit_tunnel: true
      ssh_print_motd: true
      sftp_enabled: true
      ssh_banner: true
      ssh_use_dns: true
      sftp_chroot: false

@altf4arnold
Contributor Author

I have the same indentation on my side (I thought while copy-pasting on GitHub that the indentation broke, so I rebuilt it here. I'm changing the indentation back to the original on the original post right now).

@altf4arnold
Contributor Author

Updated

@rndmh3ro
Member

Sorry! I misunderstood your original issue.

The problem, as you said, is that ListenAddress is set to 0.0.0.0 by default, even though IPv6 should be enabled.
The correct workaround you're using is to set ssh_listen_to: ['0.0.0.0','::'].

Right now the logic is rather simple for this:

# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
{% for address in ssh_listen_to %}
ListenAddress {{ address }}
{% endfor %}

We could probably change this somehow so it works out-of-the-box for you. However, I don't have an idea right now how to make it simple enough.
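An added example, not part of this thread or of the role's code: it mirrors the quoted template logic in plain Python and then evaluates which address families the rendered sshd_config actually binds, which is the check missing from the discussion above. It assumes AddressFamily follows network_ipv6_enable (as the diff earlier in the thread shows) and that ssh_listen_to defaults to ['0.0.0.0'] (as the template comment states).

```python
import ipaddress

# Constructed stand-in for the role's Jinja2 snippet (assumptions, see lead-in):
# AddressFamily follows network_ipv6_enable, ListenAddress loops over ssh_listen_to.
def render_sshd_fragment(network_ipv6_enable, ssh_listen_to=("0.0.0.0",)):
    lines = ["AddressFamily " + ("any" if network_ipv6_enable else "inet")]
    lines += ["ListenAddress %s" % addr for addr in ssh_listen_to]
    return "\n".join(lines) + "\n"

def _family_of_listen_address(value):
    # ListenAddress forms: addr, addr:port, [v6addr]:port, or a hostname.
    host = value
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:            # IPv4 or hostname with a port suffix
        host = host.split(":")[0]
    try:
        return "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
    except ValueError:
        return "hostname"                 # resolved by sshd at runtime; unknown here

def listening_families(config_text):
    """Return the set of IP families sshd would bind given this config text."""
    family, listen = "any", []            # sshd defaults: AddressFamily any, no ListenAddress
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "addressfamily":
            family = val.lower()
        elif key == "listenaddress":
            listen.append(val)
    allowed = {"inet": {"ipv4"}, "inet6": {"ipv6"}, "any": {"ipv4", "ipv6"}}[family]
    if not listen:                        # no ListenAddress: every address of the family
        return allowed
    # Explicit ListenAddress entries restrict sshd to the families they name,
    # so "AddressFamily any" plus only "ListenAddress 0.0.0.0" is still IPv4-only.
    return allowed & {_family_of_listen_address(a) for a in listen}

if __name__ == "__main__":
    print(listening_families(render_sshd_fragment(True)))                  # default: IPv4 only
    print(listening_families(render_sshd_fragment(True, ["0.0.0.0", "::"])))  # workaround
```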

@altf4arnold
Contributor Author

Small problem, small solution... Not changing the code by any means, because it's quite logical to use. Just adding it to the documentation to make it a little bit clearer :-)

@rndmh3ro
Member

Thanks for this good solution. Glad you found the issue.

@rndmh3ro rndmh3ro added the bug label Jul 21, 2020