authorChristian Pointner <equinox@spreadspace.org>2024-08-22 16:13:18 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-08-22 16:13:18 +0200
commit08bbb7ad699f95c31fdd8fd81361a2db79dd19f9 (patch)
treec3e122e9f517f00823203551b6f2fa795da42864 /roles
parentadd hacky workaround for thunnderbird snap with external gpg... (diff)
allow ssh jump users to also do reverse forwards
Diffstat (limited to 'roles')
-rw-r--r--roles/core/sshd/jump/defaults/main.yml7
-rw-r--r--roles/core/sshd/jump/tasks/main.yml4
2 files changed, 9 insertions, 2 deletions
diff --git a/roles/core/sshd/jump/defaults/main.yml b/roles/core/sshd/jump/defaults/main.yml
index ada0554a..63546eaa 100644
--- a/roles/core/sshd/jump/defaults/main.yml
+++ b/roles/core/sshd/jump/defaults/main.yml
@@ -6,3 +6,10 @@
# - ssh-rsa ...
# permit_open:
# - host:port
+# foo:
+# authorized_keys:
+# - ssh-ed25519 ....
+# - ssh-rsa ...
+# tcp_forwarding: remote
+# permit_listen:
+# - 22001
diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml
index 2120cbd6..59cb4f66 100644
--- a/roles/core/sshd/jump/tasks/main.yml
+++ b/roles/core/sshd/jump/tasks/main.yml
@@ -49,9 +49,9 @@
AllowAgentForwarding no
AllowStreamLocalForwarding no
ForceCommand /sbin/nologin
- AllowTcpForwarding local
+ AllowTcpForwarding {{ config.tcp_forwarding | default('local') }}
PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }}
- PermitListen none
+ PermitListen {{ config.permit_listen | default(['none']) | list | join(' ') }}
{% if not loop.last %}
{% endif %}
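Review bot: The new `AllowTcpForwarding {{ config.tcp_forwarding | default('local') }}` line passes the per-user value straight into sshd_config without checking it, so a typo in a user's `tcp_forwarding` (sshd only accepts `yes`, `all`, `no`, `local` or `remote`) produces a config that sshd rejects, which on a jump host means a lockout if the rendering task does not already run `validate: /usr/sbin/sshd -t -f %s`. I would add an `ansible.builtin.assert` before the template with `that: "(config.tcp_forwarding | default('local')) in ['yes', 'all', 'no', 'local', 'remote']"`. The two new lines are also coupled in a way worth a comment: `permit_listen` only has an effect when `tcp_forwarding` is `remote` or `all`, and the `default(['none'])` on the `PermitListen` line is what keeps reverse forwards closed for those users unless ports are explicitly listed, e.g. `# PermitListen only applies when tcp_forwarding is remote/all; default 'none' keeps reverse forwards closed`. The `| list | join(' ')` on both lines will split a scalar string into characters if a user sets `permit_listen: "22001"` instead of a list, same as the pre-existing `PermitOpen` line. The enclosing Jinja loop (`loop.last`) starts outside the hunk.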