Merge "nova-migration-target: Restrict access to the core sshd"

2022-07-02 19:32:38 +00:00 · 2022-07-02 19:32:38 +00:00 · 30142f0a6b
parent 585e3ba9d1 e89088784a
commit 30142f0a6b
1 changed files with 3 additions and 3 deletions
--- a/deployment/nova/nova-migration-target-container-puppet.yaml
+++ b/deployment/nova/nova-migration-target-container-puppet.yaml
@ -125,25 +125,25 @@ outputs:
          - 22
        tripleo::profile::base::sshd::password_authentication: 'no'
        tripleo::profile::base::sshd::options:
-          # NOTE(tkajinam): Thse values inherits the default sshd options
          HostKey:
            - '/etc/ssh/ssh_host_rsa_key'
            - '/etc/ssh/ssh_host_ecdsa_key'
            - '/etc/ssh/ssh_host_ed25519_key'
          SyslogFacility: 'AUTHPRIV'
+          AllowUsers: 'nova_migration'
          AuthorizedKeysFile: '.ssh/authorized_keys'
          ChallengeResponseAuthentication: 'no'
          GSSAPIAuthentication: 'no'
          GSSAPICleanupCredentials: 'no'
          UsePAM: 'yes'
          UseDNS: 'no'
-          X11Forwarding: 'yes'
+          AllowTcpForwarding: 'no'
+          X11Forwarding: 'no'
          AcceptEnv:
            - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
            - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
            - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
            - 'XMODIFIERS'
-          Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
      puppet_config:
        config_volume: nova_libvirt
        step_config: