
[ssh_hardening] Debian 11 - Ansible cannot transfer files

Open sylvainmetayer opened this issue 2 years ago • 0 comments

Describe the bug

Hi, and thanks for your amazing collection !

I've been trying to use the ssh_hardening role. It works great; however, after running it once, I get an error on file/template transfer with Ansible, like the issue described in #521. Setting scp_if_ssh = True in ansible.cfg does not seem to do the trick; I have to add the following to my inventory to make it work with a warning:

ansible_connection: ssh
# scp fails, and sftp is disabled by the role.
ansible_ssh_transfer_method: smart

Expected behavior

Setting scp_if_ssh = True in ansible.cfg should be enough.

Actual behavior

If ansible_ssh_transfer_method is not defined and set to smart, the playbook errors with

TASK [geerlingguy.docker : Ensure old versions of Docker are not installed.] *****************************************************************************************************************************************************************
jeudi 04 août 2022  00:42:26 +0200 (0:00:00.041)       0:00:00.098 ************ 
fatal: [test]: UNREACHABLE! => {
    "changed": false,
    "unreachable": true
}

MSG:

Failed to connect to the host via scp: scp: Connection closed

If set, the warning is

[WARNING]: scp transfer mechanism failed on [xx.xx.xx.xx]. Use ANSIBLE_DEBUG=1 to see detailed information

Detailed output is

 65946 1659564275.78674: variable 'ansible_python_interpreter' from source: host vars for 'test'
 65946 1659564275.78694: transferring module to remote /home/test/.ansible/tmp/ansible-tmp-1659564275.5541608-65946-210933147169513/AnsiballZ_apt_key.py
 65946 1659564275.78823: Sending initial data
 65946 1659564275.78830: Sent initial data (167 bytes)
 65946 1659564275.87825: stderr chunk (state=3):
Connection closed.
Connection closed
<<<
 65946 1659564275.87841: stderr chunk (state=3):
>>><<<
 65946 1659564275.87848: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [xx.xx.xx.xx]. Use ANSIBLE_DEBUG=1 to see detailed information
 65946 1659564275.87889:
Connection closed.  892:
Connection closed
 65946 1659564275.96219: stderr chunk (state=2):
>>>scp: Connection closed
<<<
 65946 1659564275.96270: stderr chunk (state=3):
>>><<<
 65946 1659564275.96276: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [xx.xx.xx.xx]. Use ANSIBLE_DEBUG=1 to see detailed information

Example Playbook

Variables are the default ones except for network_ipv6_enable, which is false. The first run is successful, but the second run fails with the error above.

- hosts: test
  roles:
    - role: geerlingguy.docker
      become: true
    - role: devsec.hardening.ssh_hardening
      become: true

OS / Environment

Target configuration

[email protected]:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 11 (bullseye)
Release:	11
Codename:	bullseye

Ansible Version

ansible [core 2.13.2]
  config file = /project/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /project/.direnv/python-3.10.5/lib64/python3.10/site-packages/ansible
  ansible collection location = /project/ansible/collections
  executable location = /project/.direnv/python-3.10.5/bin/ansible
  python version = 3.10.5 (main, Jun  9 2022, 00:00:00) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
  jinja version = 3.1.2
  libyaml = True

Role Version

Role is from collection

URL from galaxy.yml : https://galaxy.ansible.com/download/devsec-hardening-7.15.1.tar.gz

Additional context

An scp command works (with the -O option, since sftp is the default), which indicates this is related to the Ansible configuration.

I've seen there is a MR about supporting Debian 11 (#538); is this related, or does this bug apply to other OSes?

sylvainmetayer avatar Aug 03 '22 23:08 sylvainmetayer

Thank you. This is a known problem, see https://github.com/dev-sec/ansible-ssh-hardening/issues/55

We are discussing changing the default, to avoid this problem.

schurzi avatar Aug 19 '22 08:08 schurzi

I did some more digging. I think that this issue is because scp is now basically also sftp. This might be better addressed as an Ansible bug when using scp.

Quoting from Documentation:

Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default.

I'm currently trying to build some test cases for our collection.

schurzi avatar Aug 19 '22 10:08 schurzi

So we decided to allow SFTP by default with the next release of our collection, so this problem should be gone.

If you still want to disable SFTP, I have found you need to configure two settings in your ansible.cfg now:

scp_if_ssh = True
scp_extra_args = "-O"

Or if you like environment variables:

ANSIBLE_SCP_IF_SSH=true
ANSIBLE_SCP_EXTRA_ARGS="-O"

PS: This problem should only exist if you use OpenSSH in a version 9.0 or above. I checked with my Debian container and they still ship 8.4 unless you are on sid, so this should not affect many people right now.

schurzi avatar Aug 19 '22 19:08 schurzi
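A small helper, added here and not part of the collection or of this thread, that applies the two rules from the comment above: inspect the target's sshd_config for an active sftp subsystem, parse the control node's `ssh -V` banner, and emit the `[ssh_connection]` settings Ansible needs (`scp_if_ssh`, plus `scp_extra_args = "-O"` once the client's scp speaks SFTP by default). The sshd_config snippets and banners are constructed sample inputs; the 9.0 threshold follows the comment's PS.

```python
import re

# Constructed sample inputs (not taken from the issue): a sshd_config with the
# sftp subsystem commented out, one with it enabled, and two `ssh -V` banners.
SSHD_CONFIG_SFTP_OFF = """\
Protocol 2
# Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no
"""
SSHD_CONFIG_SFTP_ON = "Subsystem sftp internal-sftp\nPasswordAuthentication no\n"
SSH_V_NEW = "OpenSSH_9.0p1 Debian-1+b1, OpenSSL 3.0.4 5 Jul 2022"
SSH_V_OLD = "OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022"


def sftp_enabled(sshd_config: str) -> bool:
    """True if an uncommented 'Subsystem sftp ...' line is present."""
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"(?i)subsystem\s+sftp\b", stripped):
            return True
    return False


def openssh_version(ssh_v_banner: str) -> tuple:
    """Return (major, minor) parsed from the client's `ssh -V` banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_v_banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {ssh_v_banner!r}")
    return int(m.group(1)), int(m.group(2))


def ssh_connection_settings(sshd_config: str, ssh_v_banner: str) -> dict:
    """[ssh_connection] keys Ansible needs for this server/client pairing."""
    if sftp_enabled(sshd_config):
        return {}  # the default 'smart' transfer works: sftp is available
    settings = {"scp_if_ssh": "True"}
    # Assumption: from OpenSSH 9.0 the scp client uses SFTP by default, which
    # cannot work against a server without the subsystem, so force legacy scp.
    if openssh_version(ssh_v_banner) >= (9, 0):
        settings["scp_extra_args"] = '"-O"'
    return settings


def render_ansible_cfg(settings: dict) -> str:
    """Render the settings as an ansible.cfg section (empty if none needed)."""
    if not settings:
        return ""
    body = "\n".join(f"{k} = {v}" for k, v in settings.items())
    return "[ssh_connection]\n" + body + "\n"
```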

Opened a bug for Ansible: https://github.com/ansible/ansible/issues/78600

schurzi avatar Aug 19 '22 20:08 schurzi

Thanks for the detailed explanation! I'll use the scp_extra_args configuration while waiting for the release to switch to the default SFTP behaviour.

sylvainmetayer avatar Aug 21 '22 21:08 sylvainmetayer