From 278d9427f82c19e4548fbd29805ebc943a70d62a Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 30 Jan 2026 11:16:01 -0800
Subject: [PATCH] bastion: allow ssh tcp forwarding on bastion hosts

We need this in order to be able to use them as jumphosts with ssh. Without it, there's no easy way to get to any internal machines. Just enable it here and leave the default off.

Signed-off-by: Kevin Fenzi
---
 roles/basessh/templates/sshd_config.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/basessh/templates/sshd_config.j2 b/roles/basessh/templates/sshd_config.j2
index bec3249904..76556a6f1f 100644
--- a/roles/basessh/templates/sshd_config.j2
+++ b/roles/basessh/templates/sshd_config.j2
@@ -40,7 +40,12 @@ UsePAM yes
 AllowAgentForwarding no
 X11Forwarding no
 PermitTunnel no
+{% if not ansible_hostname.startswith(('bastion')) %}
+# This is a bastion host, we need tcp forwarding here.
+AllowTcpForwarding yes
+{% else %}
 AllowTcpForwarding no
+{% endif %}
 # Accept locale-related environment
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
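Review bot: The condition on the added `{% if %}` line is inverted: `not ansible_hostname.startswith(...)` renders `AllowTcpForwarding yes` on every host whose name does not start with "bastion" and leaves the bastions themselves at `no`, which is the opposite of what the commit message and the in-template comment describe, and it silently widens the fleet-wide default the message says should stay off. The fix is to drop the negation: `{% if ansible_hostname.startswith('bastion') %}`. Note also that `(('bastion'))` is a parenthesised string, not a tuple, so it matches only that one prefix; if several prefixes were intended, write `('bastion', ...)` with a trailing comma. Since the stated need is only outbound jump-host use, sshd's `AllowTcpForwarding local` would grant that without also permitting remote (reverse) forwards back into the bastion.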