roots · swalkinshaw · Sep 9, 2015 · Sep 9, 2015
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Convert sshd role variables to booleans ([#344](https://github.com/roots/trellis/pull/344))
 * Add check to validate `subtree_path` during deploy ([#334](https://github.com/roots/trellis/pull/334))
 * Rename WP site variable `subtree` to `subtree_path` ([#329](https://github.com/roots/trellis/pull/329))
 * Add extra HTTP security headers ([#322](https://github.com/roots/trellis/pull/322))

diff --git a/README.md b/README.md
@@ -69,8 +69,8 @@ For remote servers, you'll need to have a base Ubuntu 14.04 server already creat
 1. Configure your [WordPress sites](#wordpress-sites) in `group_vars/<environment>/wordpress_sites.yml`. Also see the [Passwords docs](https://roots.io/trellis/docs/passwords/).
 2. Add your server IP/hostnames to `hosts/<environment>`.
 3. Specify public SSH keys for `users` in `group_vars/all/users.yml`. See the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/).
-4. Consider setting `sshd_permit_root_login: "no"` in `group_vars/all/security.yml`. See the [Security docs](https://roots.io/trellis/docs/security/).
-5. Run `ansible-playbook -i hosts/<environment> server.yml`
+4. Consider setting `sshd_permit_root_login: false` in `group_vars/all/security.yml`. See the [Security docs](https://roots.io/trellis/docs/security/).
+5. Run `ansible-playbook -i hosts/<environment> server.yml`.
 
 ## Deploying to remote servers
 

diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml
@@ -8,5 +8,5 @@ ferm_input_list:
     hits: 20
 
 # Documentation: https://roots.io/trellis/docs/security/
-sshd_permit_root_login: "yes" # If "no", admin_user must be in 'users' (`users.yml`) with sudo group and in `sudoer_passwords`
-sshd_password_authentication: "no"
+sshd_permit_root_login: true # If `false`, `admin_user` must be in 'users' (`users.yml`) with sudo group and in `sudoer_passwords`
+sshd_password_authentication: false
diff --git a/roles/sshd/README.md b/roles/sshd/README.md
@@ -20,36 +20,36 @@ sshd_protocol: 2
 sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key
 sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key
 sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key
-sshd_use_privilege_separation: "yes"
+sshd_use_privilege_separation: true
 sshd_key_regeneration_interval: 3600
 sshd_server_key_bits: 768
 sshd_syslog_facility: AUTH
 sshd_log_level: INFO
 sshd_login_grace_time: 120
-sshd_permit_root_login: "yes"
-sshd_strict_modes: "yes"
-sshd_rsa_authentication: "yes"
-sshd_pubkey_authentication: "yes"
+sshd_permit_root_login: true
+sshd_strict_modes: true
+sshd_rsa_authentication: true
+sshd_pubkey_authentication: true
 sshd_authorized_keys_file: "%h/.ssh/authorized_keys"
-sshd_ignore_rhosts: "yes"
-sshd_rhosts_rsa_authentication: "no"
-sshd_host_based_authentication: "no"
-sshd_ignore_user_known_hosts: "no"
-sshd_permit_empty_passwords: "no"
-sshd_challenge_response_authentication: "no"
-sshd_password_authentication: "no"
-sshd_gss_api_authentication: "no"
-sshd_gss_api_cleanup_credentials: "yes"
-sshd_x11_forwarding: "yes"
+sshd_ignore_rhosts: true
+sshd_rhosts_rsa_authentication: false
+sshd_host_based_authentication: false
+sshd_ignore_user_known_hosts: false
+sshd_permit_empty_passwords: false
+sshd_challenge_response_authentication: false
+sshd_password_authentication: false
+sshd_gss_api_authentication: false
+sshd_gss_api_cleanup_credentials: true
+sshd_x11_forwarding: true
 sshd_x11_display_offset: 10
-sshd_print_motd: "no"
-sshd_print_last_log: "yes"
-sshd_tcp_keep_alive: "yes"
+sshd_print_motd: false
+sshd_print_last_log: true
+sshd_tcp_keep_alive: true
 sshd_max_startups: 10:30:100
 sshd_banner: none
 sshd_accept_env: LANG LC_*
 sshd_subsystem: sftp /usr/lib/openssh/sftp-server
-sshd_use_pam: "yes"
+sshd_use_pam: true
 ```
 
 ## Attribution

diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
@@ -5,33 +5,33 @@ sshd_protocol: 2
 sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key
 sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key
 sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key
-sshd_use_privilege_separation: "yes"
+sshd_use_privilege_separation: true
 sshd_key_regeneration_interval: 3600
 sshd_server_key_bits: 768
 sshd_syslog_facility: AUTH
 sshd_log_level: INFO
 sshd_login_grace_time: 120
-sshd_permit_root_login: "yes"
-sshd_strict_modes: "yes"
-sshd_rsa_authentication: "yes"
-sshd_pubkey_authentication: "yes"
+sshd_permit_root_login: true
+sshd_strict_modes: true
+sshd_rsa_authentication: true
+sshd_pubkey_authentication: true
 sshd_authorized_keys_file: "%h/.ssh/authorized_keys"
-sshd_ignore_rhosts: "yes"
-sshd_rhosts_rsa_authentication: "no"
-sshd_host_based_authentication: "no"
-sshd_ignore_user_known_hosts: "no"
-sshd_permit_empty_passwords: "no"
-sshd_challenge_response_authentication: "no"
-sshd_password_authentication: "no"
-sshd_gss_api_authentication: "no"
-sshd_gss_api_cleanup_credentials: "yes"
-sshd_x11_forwarding: "yes"
+sshd_ignore_rhosts: true
+sshd_rhosts_rsa_authentication: false
+sshd_host_based_authentication: false
+sshd_ignore_user_known_hosts: false
+sshd_permit_empty_passwords: false
+sshd_challenge_response_authentication: false
+sshd_password_authentication: false
+sshd_gss_api_authentication: false
+sshd_gss_api_cleanup_credentials: true
+sshd_x11_forwarding: true
 sshd_x11_display_offset: 10
-sshd_print_motd: "no"
-sshd_print_last_log: "yes"
-sshd_tcp_keep_alive: "yes"
+sshd_print_motd: false
+sshd_print_last_log: true
+sshd_tcp_keep_alive: true
 sshd_max_startups: 10:30:100
 sshd_banner: none
 sshd_accept_env: LANG LC_*
 sshd_subsystem: sftp /usr/lib/openssh/sftp-server
-sshd_use_pam: "yes"
+sshd_use_pam: true
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
@@ -1,39 +1,38 @@
 # {{ ansible_managed }}
-# manual customization of this file is not recommended
 
 Port {{ sshd_port }}
 ListenAddress {{ sshd_listen_address }}
 Protocol {{ sshd_protocol }}
 HostKey {{ sshd_host_rsa_key }}
 HostKey {{ sshd_host_dsa_key }}
 HostKey {{ sshd_host_ecdsa_key }}
-UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
+UsePrivilegeSeparation {{ sshd_use_privilege_separation | ternary('yes', 'no') }}
 KeyRegenerationInterval {{ sshd_key_regeneration_interval }}
 ServerKeyBits {{ sshd_server_key_bits }}
 SyslogFacility {{ sshd_syslog_facility }}
 LogLevel {{ sshd_log_level }}
 LoginGraceTime {{ sshd_login_grace_time }}
-PermitRootLogin {{ sshd_permit_root_login }}
-StrictModes {{ sshd_strict_modes }}
-RSAAuthentication {{ sshd_rsa_authentication }}
-PubkeyAuthentication {{ sshd_pubkey_authentication }}
+PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }}
+StrictModes {{ sshd_strict_modes | ternary('yes', 'no') }}
+RSAAuthentication {{ sshd_rsa_authentication | ternary('yes', 'no') }}
+PubkeyAuthentication {{ sshd_pubkey_authentication | ternary('yes', 'no') }}
 AuthorizedKeysFile {{ sshd_authorized_keys_file }}
-IgnoreRhosts {{ sshd_ignore_rhosts }}
-RhostsRSAAuthentication {{ sshd_rhosts_rsa_authentication }}
-HostbasedAuthentication {{ sshd_host_based_authentication }}
-IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts }}
-PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
-ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }}
-PasswordAuthentication {{ sshd_password_authentication }}
-GSSAPIAuthentication {{ sshd_gss_api_authentication }}
-GSSAPICleanupCredentials {{ sshd_gss_api_cleanup_credentials }}
-X11Forwarding {{ sshd_x11_forwarding }}
+IgnoreRhosts {{ sshd_ignore_rhosts | ternary('yes', 'no') }}
+RhostsRSAAuthentication {{ sshd_rhosts_rsa_authentication  | ternary('yes', 'no') }}
+HostbasedAuthentication {{ sshd_host_based_authentication | ternary('yes', 'no') }}
+IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts | ternary('yes', 'no') }}
+PermitEmptyPasswords {{ sshd_permit_empty_passwords | ternary('yes', 'no') }}
+ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }}
+PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }}
+GSSAPIAuthentication {{ sshd_gss_api_authentication | ternary('yes', 'no') }}
+GSSAPICleanupCredentials {{ sshd_gss_api_cleanup_credentials | ternary('yes', 'no') }}
+X11Forwarding {{ sshd_x11_forwarding | ternary('yes', 'no') }}
 X11DisplayOffset {{ sshd_x11_display_offset }}
-PrintMotd {{ sshd_print_motd }}
-PrintLastLog {{ sshd_print_last_log }}
-TCPKeepAlive {{ sshd_tcp_keep_alive }}
+PrintMotd {{ sshd_print_motd | ternary('yes', 'no') }}
+PrintLastLog {{ sshd_print_last_log | ternary('yes', 'no') }}
+TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }}
 MaxStartups {{ sshd_max_startups }}
 Banner {{ sshd_banner }}
 AcceptEnv {{ sshd_accept_env }}
 Subsystem {{ sshd_subsystem }}
-UsePAM {{ sshd_use_pam }}
+UsePAM {{ sshd_use_pam | ternary('yes', 'no') }}