From 08bbb7ad699f95c31fdd8fd81361a2db79dd19f9 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 22 Aug 2024 16:13:18 +0200 Subject: allow ssh jump users to also do reverse forwards --- roles/core/sshd/jump/defaults/main.yml | 7 +++++++ roles/core/sshd/jump/tasks/main.yml | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'roles/core/sshd/jump') diff --git a/roles/core/sshd/jump/defaults/main.yml b/roles/core/sshd/jump/defaults/main.yml index ada0554a..63546eaa 100644 --- a/roles/core/sshd/jump/defaults/main.yml +++ b/roles/core/sshd/jump/defaults/main.yml @@ -6,3 +6,10 @@ # - ssh-rsa ... # permit_open: # - host:port +# foo: +# authorized_keys: +# - ssh-ed25519 .... +# - ssh-rsa ... +# tcp_forwarding: remote +# permit_listen: +# - 22001 diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml index 2120cbd6..59cb4f66 100644 --- a/roles/core/sshd/jump/tasks/main.yml +++ b/roles/core/sshd/jump/tasks/main.yml @@ -49,9 +49,9 @@ AllowAgentForwarding no AllowStreamLocalForwarding no ForceCommand /sbin/nologin - AllowTcpForwarding local + AllowTcpForwarding {{ config.tcp_forwarding | default('local') }} PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }} - PermitListen none + PermitListen {{ config.permit_listen | default(['none']) | list | join(' ') }} {% if not loop.last %} {% endif %} -- cgit v1.2.3
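Review bot: The new `PermitListen {{ config.permit_listen | default(['none']) | list | join(' ') }}` line renders `PermitListen` with no argument when a user sets `permit_listen: []`, because Jinja's `default` only replaces an undefined value, not an empty list, and sshd refuses a PermitListen directive without a specification; use `default(['none'], true)` so the empty-list case also falls back to `none` (the unchanged `PermitOpen` line above has the same weakness and should be made consistent). `config.tcp_forwarding` is interpolated unvalidated into `AllowTcpForwarding`, and any value other than yes/no/all/local/remote breaks the whole sshd_config for every user, so either restrict it with an assert task in the role or at least list the accepted values next to the example in defaults. Nothing in the hunk sets `GatewayPorts`, and a bare-port entry such as `PermitListen 22001` does not constrain the bind address, so whether these jump users can expose reverse forwards on non-loopback interfaces depends on the global setting (stock sshd defaults it to `no`, but that may be overridden elsewhere in the config); an explicit `GatewayPorts no` in this Match block would pin the intended behaviour. The Match block and the loop that emits it begin before this hunk, so the `config` variable's origin is not visible here.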