ansible-collection-hardening
Cannot re-enable MOTD once disabled
Describe the bug
I use the Dynamic MOTD defined by Ubuntu as default.
Once the MOTD was disabled (by running the playbook with the default parameters) I could not re-enable it; it did not matter if I set "ssh_print_motd" or "ssh_print_pam_motd" or both. The MOTD stays gone.
Expected behavior
Once I enable the MOTD it should appear at the SSH login.
Actual behavior
Log in with a user via SSH after the ssh-hardening role was executed; no MOTD appears. Rerun the Ansible role and enable the MOTD; when you check the Ansible output it seems to skip the step of enabling the MOTD:
TASK [dev-sec.ssh-hardening : disable dynamic MOTD] ****************************
skipping: [XX.XX.XX.XX] => {"changed": false, "skip_reason": "Conditional result was False"}
Also, when you log in again via SSH the MOTD is still gone. There seems to be no way to re-enable the dynamic MOTD via the Ansible script once it was disabled.
Example Playbook
- hosts: XX.XX.XX.XX
  remote_user: username
  become: yes
  collections:
    - devsec.hardening
  roles:
    - role: dev-sec.ssh-hardening
  vars:
    sftp_enabled: true
    ssh_print_motd: true
    ssh_print_pam_motd: true
    ssh_print_last_log: true
OS / Environment
Ubuntu 20.10
Ansible Version
2.9.9
Role Version
latest
That's indeed a bug and should be changed.
We could do this with the ternary operator that sets state to present or absent depending on ssh_print_pam_motd.
Current workaround is to revert to an earlier backup of the sshd file in /etc/pam.d on the box the playbook has run on.
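One way the ternary suggested above could look, as an added example that is not the role's own task or its actual fix. It assumes Ubuntu's stock pam_motd lines in /etc/pam.d/sshd and swaps in the lineinfile module, whose state accepts present and absent; the task name is hypothetical.

```yaml
# Added example, not the role's own code. Assumes Ubuntu's stock
# pam_motd lines in /etc/pam.d/sshd; the task name is hypothetical.
- name: Enable or disable dynamic MOTD in the sshd PAM stack
  lineinfile:
    path: /etc/pam.d/sshd
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # The state is computed on every run instead of the task being skipped,
    # so a later run with ssh_print_pam_motd: true restores the lines that
    # an earlier run removed.
    state: "{{ ssh_print_pam_motd | bool | ternary('present', 'absent') }}"
    # Keep a timestamped copy of the PAM file before each change.
    backup: true
  loop:
    - regexp: '^\s*session\s+optional\s+pam_motd\.so\s+motd=/run/motd\.dynamic'
      line: 'session    optional     pam_motd.so  motd=/run/motd.dynamic'
    - regexp: '^\s*session\s+optional\s+pam_motd\.so\s+noupdate'
      line: 'session    optional     pam_motd.so noupdate'
```

When a line is missing, lineinfile appends it at the end of the file, so review the resulting order of session entries in /etc/pam.d/sshd after the first run that re-enables the MOTD.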