From 69f9e2d11c8f823c6760a6ce64fecc50821f24f8 Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Fri, 3 May 2019 15:46:12 +0200
Subject: [PATCH] ssh-server: add option to disable forwarding

---
 ssh-server/defaults/main.yml                | 1 +
 ssh-server/templates/sshd_config_stretch.j2 | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/ssh-server/defaults/main.yml b/ssh-server/defaults/main.yml
index 288625a..90fc1a5 100644
--- a/ssh-server/defaults/main.yml
+++ b/ssh-server/defaults/main.yml
@@ -8,3 +8,4 @@ ssh_password_auth: true
 ssh_gssapi: true
 ssh_sftp_options: ""
 ssh_allow_groups: []
+ssh_allow_forwarding: true
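Review bot: `ssh_allow_forwarding` is added without a comment, and its name does not say that one switch covers X11, agent and TCP forwarding together. A line above it such as `# false sets X11Forwarding, AllowAgentForwarding and AllowTcpForwarding to no in sshd_config` would make the scope clear. The default of `true` keeps forwarding on for every host that does not override it, so hosts that should be restricted have to opt out explicitly, which is worth stating in the role's documentation.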
diff --git a/ssh-server/templates/sshd_config_stretch.j2 b/ssh-server/templates/sshd_config_stretch.j2
index 67802e9..2a7a9bc 100644
--- a/ssh-server/templates/sshd_config_stretch.j2
+++ b/ssh-server/templates/sshd_config_stretch.j2
@@ -56,8 +56,16 @@ PasswordAuthentication {{ 'yes' if ssh_password_auth else 'no' }}
 GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
 #GSSAPICleanupCredentials yes
 
+{% if ssh_allow_forwarding %}
 X11Forwarding yes
 X11DisplayOffset 10
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+{% else %}
+X11Forwarding no
+AllowAgentForwarding no
+AllowTcpForwarding no
+{% endif %}
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
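Review bot: The `{% else %}` branch does not set `AllowStreamLocalForwarding`, which defaults to `yes`, so Unix-domain socket forwarding stays available when `ssh_allow_forwarding` is false. Add `AllowStreamLocalForwarding no` after `AllowTcpForwarding no`, or, if every target sshd is OpenSSH 7.4 or newer, replace the three lines with `DisableForwarding yes`. The condition `{% if ssh_allow_forwarding %}` also treats a non-empty string such as `"false"` passed with `-e` as true, which silently leaves forwarding on; `{% if ssh_allow_forwarding | bool %}` avoids that. The rest of the template is outside the hunk, so check that no later `Match` block turns forwarding back on.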
-- 
GitLab