diff options
Diffstat (limited to 'releasenotes')
| -rw-r--r-- | releasenotes/notes/cold_migration_security-1543136408c76459.yaml | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/releasenotes/notes/cold_migration_security-1543136408c76459.yaml b/releasenotes/notes/cold_migration_security-1543136408c76459.yaml new file mode 100644 index 0000000..aaea57e --- /dev/null +++ b/releasenotes/notes/cold_migration_security-1543136408c76459.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Restrict nova migration ssh tunnel + * The ssh authorized_keys file is only writeable by root. + * Creates a new user for migration instead of using root/nova. + * Disables SSH forwarding for this user. + * Restricts the networks that this user can connect from. + * Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. + Adds new parameter "tripleo::profile::base::nova::migration_ssh_localaddrs" to specify which incoming IPs are allow for SSH tunnel connections. |