sshd_config syntax guard is missing on PermitTunnel

[rvodden]

if a value for ssh_permit_tunnel is passed to the devsec.hardening.ssh_hardening role, then at present that value is passed on without validation.

This is because the value of ssh_permit_tunnel is not guarded in opensshd.conf.j2:

PermitTunnel {{ ssh_permit_tunnel }}

this stands in contrast to other boolean values which have appropriate guards to ensure valid syntax:
e,g,

AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}

This PR resolves this issue and ensures that PermitTunnel will render correctly

[schurzi]

Hey @rvodden, thank you for this contribution. I am a bit puzzled since there should be no problem as we are using Role argument validation there should never be any invalid values present.

We have defined all valid inputs for ssh_permit_tunnel:

ansible-collection-hardening/roles/ssh_hardening/meta/argument_specs.yml

Lines 64 to 73 in e746a25

	ssh_permit_tunnel:
	default: 'no'
	description: Specifies whether tun(4) device forwarding is allowed. The argument
	must be "yes", point-to-point (layer 3), ethernet (layer 2), or "no". Specifying
	yes permits both point-to-point and ethernet. - The quotes are required!
	choices:
	- 'no'
	- 'yes'
	- point-to-point
	- ethernet

Did you encounter any actual problems?

[rvodden]

That's interesting. I set ssh_permit_tunnel to true - which as you pointed out, isn't on the list of valid options; but I didn't get any warnings or errors from ansible. I'll see if I can construct a minimal example to illustrate. The value I ultimate got in sshd_config was True which isn't valid.