Last updated on: 2024-04-01 03:24:20.

bigip_security_ssh_profile – Manage SSH proxy security profiles on a BIG-IP

New in version 1.13.0.

Synopsis

  • Manage SSH proxy security profiles on a BIG-IP.

Parameters

Each entry lists the parameter, its type, its choices or default where applicable, and the comments from the module documentation.

default_action (dictionary)
    Specifies the default action rule for the SSH proxy security profile.
    When creating a new policy, this parameter must be specified, otherwise failure occurs.

    Sub-options of default_action:

    name (string, required)
        Name of the default_action rule to be created or modified.

    Every channel-action sub-option listed after this block (agent, forward_local, forward_remote, forward_x11, other, rexec, scp_down, scp_up, sftp_down, sftp_up, shell, sub_system) is a dictionary with the same two keys:

    control (string). Choices: allow, disallow, terminate
        When set to allow, allows setup of the session for the selected SSH channel action.
        When set to disallow, the SSH channel action is denied and a command not accepted message is sent.
        When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received.
    log (boolean). Choices: no, yes
        Specifies if logging should be enabled for the selected SSH action.

    agent (dictionary)
        Defines the use of an ssh-agent over the SSH tunnel.
        Agent forwarding lets a chain of SSH connections forward key challenges back to the original agent, removing the need for passwords or private keys on intermediate machines.
    forward_local (dictionary)
        Defines the use of the -L option to do local port forwarding over the SSH tunnel.
    forward_remote (dictionary)
        Defines the use of the -R option to do remote port forwarding over the SSH tunnel.
    forward_x11 (dictionary)
        Defines the use of X11 forwarding over the SSH tunnel.
    other (dictionary)
        Defines the use of other SSH commands on the SSH connection.
    rexec (dictionary)
        Defines the use of rexec remote execution commands over the SSH tunnel.
    scp_down (dictionary)
        Defines the use of Secure Copy to copy files from a remote directory to a local directory over the SSH tunnel.
    scp_up (dictionary)
        Defines the use of Secure Copy to copy files from a local directory to a remote directory over the SSH tunnel.
    sftp_down (dictionary)
        Defines the use of Secure File Transfer Protocol to download files over the SSH tunnel.
    sftp_up (dictionary)
        Defines the use of Secure File Transfer Protocol to upload files over the SSH tunnel.
    shell (dictionary)
        Defines the use of the shell command to open an SSH shell channel type.
    sub_system (dictionary)
        Defines the use of the subsystem command, to invoke remote commands that are defined on the server over the SSH tunnel.

description (string)
    Specifies descriptive text that identifies the SSH proxy profile.

lang_env_tolerance (string). Choices: any, none, common
    Determines which connections with LANG environment variables set are allowed to pass through if the SSH proxy profile has the other channel type action set.
    When set to any, allows connections with any LANG environment value set.
    When set to none, disallows all connections with the LANG environment variable set.
    When set to common, allows only connections with the LANG environment value set to en_US.UTF-8 to pass through the other restrictions.
    This setting is in effect only if the other action is set to disallow or terminate.

name (string, required)
    Specifies the name of the SSH proxy security profile to manage.

partition (string). Default: "Common"
    Device partition to manage resources on.

state (string). Choices: absent, present (default)
    When present, ensures the SSH proxy security profile is created.
    When absent, ensures the SSH proxy security profile is removed.

timeout (integer)
    Specifies a timeout for the SSH proxy, in seconds.

Examples

- name: Create an SSH proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    default_action:
      name: default_rule
      shell:
        control: disallow
        log: true
      sub_system:
        control: disallow
        log: true
      agent:
        control: terminate
        log: true
      other:
        control: terminate
        log: true
    lang_env_tolerance: common
    description: "this is a new profile"
    timeout: 180
    state: present

- name: Modify an SSH proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    default_action:
      name: default_rule
      shell:
        control: allow
        log: false
    timeout: 200
    state: present

- name: Remove ssh proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    state: absent
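Before handing a default_action rule to the module, it is worth checking it against the semantics documented above: every channel action should have an explicit control, logging should be on, forwarding-type actions should not be left at allow, and lang_env_tolerance is dead configuration unless other is disallow or terminate. The linter below is an added example, not code from the module or the f5networks collection; it consumes the same dictionary structure the playbooks above pass in, and the choice of which channel actions count as risky when allowed is this example's own assumption.

```python
"""Lint a bigip_security_ssh_profile default_action rule before applying it.

Added example, not part of the module or its collection. Channel-action names,
control choices and the lang_env_tolerance caveat come from the module docs;
which actions count as risky when allowed is this example's own assumption.
"""

CHANNEL_ACTIONS = (
    "agent", "forward_local", "forward_remote", "forward_x11", "other", "rexec",
    "scp_down", "scp_up", "sftp_down", "sftp_up", "shell", "sub_system",
)
CONTROLS = ("allow", "disallow", "terminate")
# Assumption: channel actions that open a path onward from the proxied host.
RISKY_IF_ALLOWED = ("agent", "forward_local", "forward_remote", "forward_x11", "rexec")


def lint_default_action(rule, lang_env_tolerance=None):
    """Return (severity, message) findings for one default_action dict."""
    findings = []
    for action in CHANNEL_ACTIONS:
        spec = rule.get(action)
        if spec is None:
            findings.append(("info", f"{action}: no explicit control set"))
            continue
        control = spec.get("control")
        if control not in CONTROLS:
            findings.append(("error", f"{action}: control must be one of "
                             f"{CONTROLS}, got {control!r}"))
        elif control == "allow" and action in RISKY_IF_ALLOWED:
            findings.append(("warn", f"{action}: allowed; prefer disallow or terminate"))
        if not spec.get("log", False):
            findings.append(("warn", f"{action}: logging disabled"))
    # Per the docs, lang_env_tolerance only takes effect when other.control
    # is disallow or terminate; flag it as dead configuration otherwise.
    other_control = rule.get("other", {}).get("control")
    if lang_env_tolerance is not None and other_control not in ("disallow", "terminate"):
        findings.append(("warn", f"lang_env_tolerance={lang_env_tolerance} has no "
                         f"effect while other.control is {other_control!r}"))
    return findings


# Constructed input: the default_action from the first playbook example above.
EXAMPLE_RULE = {
    "shell": {"control": "disallow", "log": True},
    "sub_system": {"control": "disallow", "log": True},
    "agent": {"control": "terminate", "log": True},
    "other": {"control": "terminate", "log": True},
}
```

Running `lint_default_action(EXAMPLE_RULE, "common")` on the first playbook's rule reports the eight channel actions it leaves unset, while the "Modify" playbook's `shell` block (allow, log false) is flagged for disabled logging.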

Return Values

The following are the fields unique to this module:

Each entry lists the key, its type, when it is returned, and a description with a sample value.

default_action (dictionary), returned: changed
    The default action rule for the SSH proxy security profile.
    Sample: hash/dictionary of values

description (string), returned: changed
    Descriptive text that identifies the SSH proxy profile.
    Sample: this is a profile

lang_env_tolerance (string), returned: changed
    Determines which connections with LANG environment variables set are allowed to pass through.
    Sample: any

timeout (integer), returned: changed
    The timeout for the SSH proxy.
    Sample: 200

Authors

  • Wojciech Wypior (@wojtek0806)