f5networks.f5_bigip.bigip_security_ssh_profile (1.13.0) — module

Manage SSH proxy security profiles on a BIG-IP

Added in version 1.13.0 of f5networks.f5_bigip

Authors: Wojciech Wypior (@wojtek0806)

Install collection

Install with ansible-galaxy collection install f5networks.f5_bigip:==1.13.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_bigip
      version: 1.13.0

Description

Manage SSH proxy security profiles on a BIG-IP.

Usage examples

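# Example play: create, modify and remove an SSH proxy security profile on a
# BIG-IP over the httpapi connection.
- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_host: "lb.mydomain.com"
    ansible_user: "admin"
    # Placeholder credential; in practice source it from Ansible Vault or a
    # lookup rather than a plaintext literal kept with the playbook.
    ansible_httpapi_password: "secret"
    ansible_network_os: f5networks.f5_bigip.bigip
    # Canonical YAML boolean (true/false) rather than yes/no, which is parsed
    # differently by YAML 1.1 and 1.2 loaders.
    ansible_httpapi_use_ssl: true

  tasks:
    - name: Create an SSH proxy profile
      bigip_security_ssh_profile:
        name: test_profile
        # default_action is mandatory when the profile is being created.
        default_action:
          name: default_rule
          # log: true enables logging for the matched channel action; keeping it
          # on for disallow/terminate actions makes denied attempts observable.
          shell:
            control: disallow
            log: true
          sub_system:
            control: disallow
            log: true
          agent:
            control: terminate
            log: true
          other:
            control: terminate
            log: true
        # Only connections whose LANG is en_US.UTF-8 pass the `other` restriction.
        lang_env_tolerance: common
        description: "this is a new profile"
        # Proxy timeout in seconds.
        timeout: 180
        state: present

    - name: Modify an SSH proxy profile
      bigip_security_ssh_profile:
        name: test_profile
        default_action:
          name: default_rule
          # Relaxes the shell channel to allow and turns its logging off.
          shell:
            control: allow
            log: false
        timeout: 200
        state: present

    - name: Remove ssh proxy profile
      bigip_security_ssh_profile:
        name: test_profile
        state: absent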

Inputs

    
name:
    description:
    - Specifies the name of the SSH proxy security profile to manage.
    required: true
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description:
    - When C(present), ensures the SSH proxy security profile is created.
    - When C(absent), ensures the SSH proxy security profile is removed.
    type: str

timeout:
    description:
    - Specifies a timeout for the SSH proxy, in seconds.
    type: int

partition:
    default: Common
    description:
    - Device partition to manage resources on.
    type: str

description:
    description:
    - Specifies descriptive text that identifies the SSH proxy profile.
    type: str

default_action:
    description:
    - Specifies the default action rule for the SSH proxy security profile.
    - When creating a new profile, this parameter must be specified; otherwise the module fails.
    suboptions:
      agent:
        description:
        - Defines the use of an ssh-agent over the SSH tunnel.
        - Agent forwarding lets a chain of SSH connections forward key challenges
          back to the original agent, removing the need for passwords or private keys
          on intermediate machines.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      forward_local:
        description:
        - Defines the use of the C(-L) option to do local port forwarding over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      forward_remote:
        description:
        - Defines the use of the C(-R) option to do remote port forwarding over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      forward_x11:
        description:
        - Defines the use of X11 forwarding over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      name:
        description:
        - Name of the C(default_action) rule to be created or modified.
        required: true
        type: str
      other:
        description:
        - Defines the use of other SSH commands on the SSH connection.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      rexec:
        description:
        - Defines the use of C(rexec) remote execution commands over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      scp_down:
        description:
        - Defines the use of Secure Copy to copy files from a remote directory to a local
          directory over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      scp_up:
        description:
        - Defines the use of Secure Copy to copy files from a local directory to a remote
          directory over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      sftp_down:
        description:
        - Defines the use of Secure File Transfer Protocol to download files over the
          SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      sftp_up:
        description:
        - Defines the use of Secure File Transfer Protocol to upload files over the SSH
          tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      shell:
        description:
        - Defines the use of the C(shell) command to open an SSH shell channel type.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      sub_system:
        description:
        - Defines the use of the C(subsystem) command to invoke remote commands defined
          on the server over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
    type: dict

lang_env_tolerance:
    choices:
    - any
    - none
    - common
    description:
    - Determines which connections that have the LANG environment variable set are allowed
      to pass through when the SSH proxy profile has an action set for the C(other) channel type.
    - When set to C(any), allows connections with any LANG environment value set.
    - When set to C(none), disallows all connections with the LANG environment variable
      set.
    - When set to C(common), allows only connections with the LANG environment value set
      to C(en_US.UTF-8) to pass through the C(other) restrictions.
    - This setting is in effect only if the C(other) action is set to C(disallow) or C(terminate).
    type: str

Outputs

default_action:
  description: The default action rule for SSH proxy security profile.
  returned: changed
  sample: hash/dictionary of values
  type: dict
description:
  description: Descriptive text that identifies the SSH proxy profile.
  returned: changed
  sample: this is a profile
  type: str
lang_env_tolerance:
  description: Determines which connections with LANG environment variables set are
    allowed to pass through.
  returned: changed
  sample: any
  type: str
timeout:
  description: The timeout for the SSH proxy, in seconds.
  returned: changed
  sample: 200
  type: int