From cbf997e73771735d9c8536376b7de075bc8256e1 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Sun, 12 Mar 2017 03:24:35 +0000 Subject: SSHD Service extensions This change implements a MOTD message and provides a hash of sshd config options which are sourced to the puppet-ssh module as a hash. The SSHD puppet service is enabled by default, as it is required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293. Also added the service to the CI roles. Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e Depends-On: I1d09530d69e42c0c36311789166554a889e46556 Closes-Bug: #1668543 Co-Authored-By: Oliver Walsh (cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43) --- ci/environments/multinode-3nodes.yaml | 2 ++ ci/environments/multinode.yaml | 1 + ci/environments/multinode_major_upgrade.yaml | 1 + ci/environments/scenario002-multinode.yaml | 1 + ci/environments/scenario003-multinode.yaml | 1 + ci/environments/scenario004-multinode.yaml | 1 + environments/sshd-banner.yaml | 6 ++--- overcloud-resource-registry-puppet.j2.yaml | 2 +- puppet/services/sshd.yaml | 31 +++++++++++++++++++++- .../sshd-service-extensions-0c4d0879942a2052.yaml | 5 ++++ 10 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml index 03065c6a..ec9af4a3 100644 --- a/ci/environments/multinode-3nodes.yaml +++ b/ci/environments/multinode-3nodes.yaml @@ -55,6 +55,7 @@ - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::Sshd - name: Controller CountDefault: 1 @@ -76,3 +77,4 @@ - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml index c946ec8a..daa2d6f0 100644 --- a/ci/environments/multinode.yaml +++ b/ci/environments/multinode.yaml @@ -51,6 +51,7 @@ parameter_defaults: - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml index 2251cc0c..a0f9b093 100644 --- a/ci/environments/multinode_major_upgrade.yaml +++ b/ci/environments/multinode_major_upgrade.yaml @@ -55,6 +55,7 @@ parameter_defaults: - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Pacemaker - OS::TripleO::Services::Horizon + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml index cbcfa9b3..f53ec1f6 100644 --- a/ci/environments/scenario002-multinode.yaml +++ b/ci/environments/scenario002-multinode.yaml @@ -60,6 +60,7 @@ parameter_defaults: - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml index 6e926f74..035f7492 100644 --- a/ci/environments/scenario003-multinode.yaml +++ b/ci/environments/scenario003-multinode.yaml @@ -54,6 +54,7 @@ parameter_defaults: - OS::TripleO::Services::MistralExecutor - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index 67515284..a914c97c 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -65,6 +65,7 @@ parameter_defaults: - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml index 041c0990..894bf1c9 100644 --- a/environments/sshd-banner.yaml +++ b/environments/sshd-banner.yaml @@ -1,6 +1,3 @@ -resource_registry: - OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml - parameter_defaults: BannerText: | ****************************************************************** @@ -11,3 +8,6 @@ parameter_defaults: * evidence of criminal activity, system personnel may provide * * the evidence from such monitoring to law enforcement officials.* ****************************************************************** + MessageOfTheDay: | + ALERT! You are entering into a secured area! + This service is restricted to authorized users only. diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 65a727ed..f05dd411 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -173,7 +173,7 @@ resource_registry: OS::TripleO::Services::Memcached: puppet/services/memcached.yaml OS::TripleO::Services::SaharaApi: OS::Heat::None OS::TripleO::Services::SaharaEngine: OS::Heat::None - OS::TripleO::Services::Sshd: OS::Heat::None + OS::TripleO::Services::Sshd: puppet/services/sshd.yaml OS::TripleO::Services::Redis: puppet/services/database/redis.yaml OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml index 41e144a0..e09a8894 100644 --- a/puppet/services/sshd.yaml +++ b/puppet/services/sshd.yaml @@ -22,6 +22,33 @@ parameters: default: '' description: Configures Banner text in sshd_config type: string + MessageOfTheDay: + default: '' + description: Configures /etc/motd text + type: string + SshServerOptions: + default: + HostKey: + - '/etc/ssh/ssh_host_rsa_key' + - '/etc/ssh/ssh_host_ecdsa_key' + - '/etc/ssh/ssh_host_ed25519_key' + SyslogFacility: 'AUTHPRIV' + AuthorizedKeysFile: '.ssh/authorized_keys' + PasswordAuthentication: 'no' + ChallengeResponseAuthentication: 'no' + GSSAPIAuthentication: 'yes' + GSSAPICleanupCredentials: 'no' + UsePAM: 'yes' + X11Forwarding: 'yes' + UsePrivilegeSeparation: 'sandbox' + AcceptEnv: + - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL LANGUAGE' + - 'XMODIFIERS' + Subsystem: 'sftp /usr/libexec/openssh/sftp-server' + description: Mapping of sshd_config values + type: json outputs: role_data: @@ -29,6 +56,8 @@ outputs: value: service_name: sshd config_settings: - BannerText: {get_param: BannerText} + tripleo::profile::base::sshd::bannertext: {get_param: BannerText} + tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} + tripleo::profile::base::sshd::options: {get_param: SshServerOptions} step_config: | include ::tripleo::profile::base::sshd diff --git a/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml new file mode 100644 index 00000000..4cc01df8 --- /dev/null +++ b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Added ability to manage MOTD Banner + Enabled SSHD composible service by default. Puppet-ssh manages the sshd config. -- cgit 1.2.3-korg