bigip_security_ssh_profile – Manage SSH proxy security profiles on a BIG-IP
New in version 1.13.0.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
default_action (dictionary) | | Specifies the default action rule for the SSH proxy security profile. When creating a new policy, this parameter must be specified, otherwise failure occurs. |
default_action.agent (dictionary) | | Defines the use of an ssh-agent over the SSH tunnel. Agent forwarding specifies the chain of SSH connections and forwards key challenges back to the original agent, removing the need for passwords or private keys on intermediate machines. |
default_action.agent.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.agent.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.forward_local (dictionary) | | Defines the use of the -L option to do local port forwarding over the SSH tunnel. |
default_action.forward_local.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.forward_local.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.forward_remote (dictionary) | | Defines the use of the -R option to do remote port forwarding over the SSH tunnel. |
default_action.forward_remote.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.forward_remote.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.forward_x11 (dictionary) | | Defines the use of X11 forwarding over the SSH tunnel. |
default_action.forward_x11.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.forward_x11.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.name (string / required) | | Name of the default_action rule to be created or modified. |
default_action.other (dictionary) | | Defines the use of other SSH commands on the SSH connection. |
default_action.other.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.other.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.rexec (dictionary) | | Defines the use of rexec remote execution commands over the SSH tunnel. |
default_action.rexec.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.rexec.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.scp_down (dictionary) | | Defines the use of Secure Copy to copy files from a remote directory to a local directory over the SSH tunnel. |
default_action.scp_down.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.scp_down.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.scp_up (dictionary) | | Defines the use of Secure Copy to copy files from a local directory to a remote directory over the SSH tunnel. |
default_action.scp_up.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.scp_up.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.sftp_down (dictionary) | | Defines the use of Secure File Transfer Protocol to download files over the SSH tunnel. |
default_action.sftp_down.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.sftp_down.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.sftp_up (dictionary) | | Defines the use of Secure File Transfer Protocol to upload files over the SSH tunnel. |
default_action.sftp_up.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.sftp_up.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.shell (dictionary) | | Defines use of the shell command to open an SSH shell channel type. |
default_action.shell.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.shell.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
default_action.sub_system (dictionary) | | Defines the use of the subsystem command to invoke remote commands that are defined on the server over the SSH tunnel. |
default_action.sub_system.control (string) | | When set to allow, allows setup of the session for the selected SSH channel action. When set to disallow, the SSH channel action is denied and a command not accepted message is sent. When set to terminate, the SSH connection is terminated with a reset message when the selected channel action is received. |
default_action.sub_system.log (boolean) | | Specifies if logging should be enabled for the selected SSH action. |
description (string) | | Specifies descriptive text that identifies the SSH proxy profile. |
lang_env_tolerance (string) | | Determines which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the other channel type action set. When set to any, allows connections with any LANG environment value set. When set to none, disallows all connections with the LANG environment variable set. When set to common, allows only connections with the LANG environment value set to en_US.UTF-8 to pass through the other restrictions. This setting is in effect only if the other action is set to disallow or terminate. |
name (string / required) | | Specifies the name of the SSH proxy security profile to manage. |
partition (string) | Default: "Common" | Device partition to manage resources on. |
state (string) | | When present, ensures the SSH proxy security profile is created. When absent, ensures the SSH proxy security profile is removed. |
timeout (integer) | | Specifies a timeout for the SSH proxy, in seconds. |
Examples
- name: Create an SSH proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    default_action:
      name: default_rule
      shell:
        control: disallow
        log: true
      sub_system:
        control: disallow
        log: true
      agent:
        control: terminate
        log: true
      other:
        control: terminate
        log: true
    lang_env_tolerance: common
    description: "this is a new profile"
    timeout: 180
    state: present

- name: Modify an SSH proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    default_action:
      name: default_rule
      shell:
        control: allow
        log: false
    timeout: 200
    state: present

- name: Remove ssh proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    state: absent
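
An added example, not part of the module or its documentation: a small Python check that lints the arguments of one bigip_security_ssh_profile task before it is applied, using the channel actions and the lang_env_tolerance rule from the parameter table. The policy (forwarding channels never allowed, every action set explicitly and logged) is an assumed local policy, and audit_profile, SAMPLE and the finding strings are hypothetical names.

```python
# Added example: lint the arguments of one bigip_security_ssh_profile task.
# Assumed local policy (not enforced by the module): forwarding channels are
# never allowed, and every channel action is set explicitly with logging on.
CHANNELS = ("agent", "forward_local", "forward_remote", "forward_x11", "other",
            "rexec", "scp_down", "scp_up", "sftp_down", "sftp_up", "shell",
            "sub_system")
FORWARDING = {"agent", "forward_local", "forward_remote", "forward_x11"}
CONTROLS = {"allow", "disallow", "terminate"}


def audit_profile(args):
    """Return a sorted list of findings for one task's module arguments."""
    findings = []
    action = args.get("default_action") or {}
    for ch in CHANNELS:
        rule = action.get(ch)
        if rule is None:
            # The page does not say what an omitted action defaults to.
            findings.append(f"{ch}: not set explicitly")
            continue
        control = rule.get("control")
        if control not in CONTROLS:
            findings.append(f"{ch}: invalid control {control!r}")
        elif control == "allow" and ch in FORWARDING:
            findings.append(f"{ch}: forwarding channel allowed")
        if rule.get("log") is not True:
            findings.append(f"{ch}: logging not enabled")
    # lang_env_tolerance is in effect only if the other action is set to
    # disallow or terminate (see the parameter table).
    other = (action.get("other") or {}).get("control")
    if "lang_env_tolerance" in args and other not in ("disallow", "terminate"):
        findings.append("lang_env_tolerance: not in effect for this other action")
    return sorted(findings)


# Constructed input: the page's "Modify" task arguments, with an allowed
# remote forward and lang_env_tolerance added to exercise the checks.
SAMPLE = {
    "name": "test_profile",
    "default_action": {
        "name": "default_rule",
        "shell": {"control": "allow", "log": False},
        "forward_remote": {"control": "allow", "log": True},
    },
    "lang_env_tolerance": "common",
    "state": "present",
}

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```

Feed it the parsed module arguments of each task (booleans already converted from YAML); an empty list means the task meets the assumed policy.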
Return Values
The following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
default_action (dictionary) | changed | The default action rule for SSH proxy security profile. Sample: hash/dictionary of values |
description (string) | changed | Descriptive text that identifies the SSH proxy profile. Sample: this is a profile |
lang_env_tolerance (string) | changed | Determines which connections with LANG environment variables set are allowed to pass through. Sample: any |
timeout (integer) | changed | The timeout for the SSH proxy. Sample: 200 |