Last updated on: 2024-05-14 02:50:40.

bigip_security_ssh_profile_rules – Manage SSH proxy security profile rules on a BIG-IP

New in version 1.13.0.

Synopsis

  • Manage SSH proxy security profile rules on a BIG-IP.

Parameters

Parameter Choices/Defaults Configuration Comments
action
dictionary
Specifies the action of the rule which is to be applied to the SSH security profile.
agent
dictionary
Defines the use of an ssh-agent over the SSH tunnel.
Agent forwarding chains SSH connections and forwards key challenges back to the original agent, removing the need for passwords or private keys on intermediate machines.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
forward_local
dictionary
Defines the use of the -L option to do local port forwarding over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
forward_remote
dictionary
Defines the use of the -R option to do remote port forwarding over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
forward_x11
dictionary
Defines the use of X11 forwarding over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
name
string / required
Name of the action to be created or modified.
other
dictionary
Defines the use of other SSH commands on the SSH connection.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
rexec
dictionary
Defines the use of rexec remote execution commands over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
scp_down
dictionary
Defines the use of Secure Copy to copy files from a remote directory to a local directory over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
scp_up
dictionary
Defines the use of Secure Copy to copy files from a local directory to a remote directory over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
sftp_down
dictionary
Defines the use of Secure File Transfer Protocol to download files over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
sftp_up
dictionary
Defines the use of Secure File Transfer Protocol to upload files over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
shell
dictionary
Defines the use of the shell command to open an SSH shell channel type.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
sub_system
dictionary
Defines the use of the subsystem command to invoke remote commands that are defined on the server over the SSH tunnel.
control
string
    Choices:
  • allow
  • disallow
  • terminate
  • unspecified
When set to allow, allows setup of the session for the selected SSH channel action.
When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
When set to unspecified, no action is taken.
log
boolean
    Choices:
  • no
  • yes
Specifies if logging should be enabled for the selected SSH action.
name
string / required
Specifies the name of the rule that will be applied to the SSH security profile.
partition
string
Default:
"Common"
Device partition to manage resources on.
profile_name
string / required
Specifies the name of the SSH security profile to which this rule applies.
state
string
    Choices:
  • absent
  • present (default)
When present, ensures the SSH proxy security profile rule is created.
When absent, ensures the SSH proxy security profile rule is removed.
users
list / elements=string
Specifies the list of users to be added to the SSH proxy permissions list.

Examples

- name: Create ssh profile rule
  bigip_security_ssh_profile_rules:
    name: test_rule_1
    users:
      - test_user_1
      - test_user_2
    profile_name: test_ssh
    action:
      name: test_action
      shell:
        control: allow
        log: true
      forward_x11:
        control: terminate
        log: true

- name: Modify ssh profile rule, add action
  bigip_security_ssh_profile_rules:
    name: test_rule_1
    users:
      - test_user_1
      - test_user_2
    profile_name: test_ssh
    action:
      name: test_action
      shell:
        control: allow
        log: true
      forward_x11:
        control: terminate
        log: true
      other:
        control: terminate
        log: true

- name: Delete ssh profile rule
  bigip_security_ssh_profile_rules:
    name: test_rule_1
    profile_name: test_ssh
    state: absent
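The tasks above set only three of the twelve channel actions and leave the rest unspecified, which the module documents as "no action is taken". As an added example (not part of the F5 collection or this module), the following Python audits a rule definition in the module's own parameter shape before it is applied, and fills in an explicit control for every channel left unspecified; the rule dictionary is constructed to mirror the second task above.

```python
"""Audit and harden a bigip_security_ssh_profile_rules task definition (added example)."""
from typing import Dict, List

# The channel actions the module accepts, taken from the Parameters table.
CHANNEL_ACTIONS = ("agent", "forward_local", "forward_remote", "forward_x11",
                   "other", "rexec", "scp_down", "scp_up", "sftp_down", "sftp_up",
                   "shell", "sub_system")
VALID_CONTROLS = {"allow", "disallow", "terminate", "unspecified"}

# Constructed sample rule, mirroring the page's "Modify ssh profile rule" task.
SAMPLE_RULE = {
    "name": "test_rule_1",
    "profile_name": "test_ssh",
    "users": ["test_user_1", "test_user_2"],
    "action": {
        "name": "test_action",
        "shell": {"control": "allow", "log": True},
        "forward_x11": {"control": "terminate", "log": True},
        "other": {"control": "terminate", "log": True},
    },
}


def audit_rule(rule: Dict) -> List[str]:
    """Return one finding per channel action that is unspecified, allowed without
    logging, or given a control value the module does not accept."""
    findings = []
    action = rule.get("action", {})
    for channel in CHANNEL_ACTIONS:
        spec = action.get(channel)
        if spec is None or spec.get("control", "unspecified") == "unspecified":
            findings.append(f"{channel}: unspecified, no action is taken for this channel")
            continue
        control = spec["control"]
        if control not in VALID_CONTROLS:
            findings.append(f"{channel}: invalid control {control!r}")
        elif control == "allow" and not spec.get("log", False):
            findings.append(f"{channel}: allowed without logging")
    return findings


def harden_rule(rule: Dict, default_control: str = "disallow") -> Dict:
    """Return a copy of the rule in which every channel action without an explicit
    control gets default_control, and every channel action has logging enabled."""
    hardened = {**rule, "action": dict(rule.get("action", {}))}
    for channel in CHANNEL_ACTIONS:
        spec = dict(hardened["action"].get(channel) or {})
        if spec.get("control", "unspecified") == "unspecified":
            spec["control"] = default_control
        spec.setdefault("log", True)
        hardened["action"][channel] = spec
    return hardened
```

The hardened dictionary can be dumped to YAML and used directly as the `action` parameter of the module's task.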

Return Values

The following are the fields unique to this module:

Key Returned Description
action
dictionary
changed
The action rule that is applied to the SSH security profile.

Sample:
hash/dictionary of values
users
list
changed
The list of users to be added to the SSH proxy permissions list.

Sample:
['...', '...']


Status

Authors

  • Rohit Upadhyay (@urohit011)