bfd97da0bf
When an operator needs to change any option described in sshd_config, he/she should use the parameter named SshServerOptions to define the updated configuration. The problem is that he/she then has to define the whole content rather than only the lines to be overridden; otherwise some of the lines defined in the default can be missing from the configuration. This makes it difficult to update the parameter properly during an update or upgrade, since operators always need to check whether the default of SshServerOptions has changed. This change introduces a new parameter, SshServerOptionsOverride, which can be used to override specific lines in SshServerOptions. Note that SshServerOptions should still be used if any of the lines in SshServerOptions needs to be removed. Change-Id: I8a018c8c7435a753c8ed5b5fa211d91d053f8d67
heat_template_version: rocky
description: >
Configure sshd_config
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BannerText:
default: ''
description: Configures Banner text in sshd_config
type: string
MessageOfTheDay:
default: ''
description: Configures /etc/motd text
type: string
SshServerOptions:
default:
HostKey:
- '/etc/ssh/ssh_host_rsa_key'
- '/etc/ssh/ssh_host_ecdsa_key'
- '/etc/ssh/ssh_host_ed25519_key'
SyslogFacility: 'AUTHPRIV'
AuthorizedKeysFile: '.ssh/authorized_keys'
ChallengeResponseAuthentication: 'no'
GSSAPIAuthentication: 'yes'
GSSAPICleanupCredentials: 'no'
UsePAM: 'yes'
UseDNS: 'no'
X11Forwarding: 'yes'
AcceptEnv:
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
- 'XMODIFIERS'
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
description: Mapping of sshd_config values
type: json
SshServerOptionsOverrides:
default: {}
description: Mapping of sshd_config values to override definitions in
SshServerOptions
type: json
PasswordAuthentication:
default: 'no'
description: Whether or not disable password authentication
type: string
SshFirewallAllowAll:
default: false
description: Set this to true to open up ssh access from all sources.
type: boolean
conditions:
ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
outputs:
role_data:
description: Role data for the ssh
value:
service_name: sshd
firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
extras:
ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
config_settings:
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
tripleo::profile::base::sshd::options:
map_merge:
- {get_param: SshServerOptions}
- {get_param: SshServerOptionsOverrides}
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
step_config: |
include tripleo::profile::base::sshd
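Review bot: The description of the new `SshServerOptionsOverrides` parameter does not say how an override interacts with the defaults, which is the detail an operator hardening sshd needs: the `map_merge` feeding `tripleo::profile::base::sshd::options` is, by default, a shallow merge, so a list-valued option such as `HostKey` or `AcceptEnv` given here replaces the whole default list rather than extending it, and a key present in `SshServerOptions` cannot be removed through this parameter. Suggest rewording the description to `Mapping of sshd_config options that override the same keys in SshServerOptions (shallow merge: list values such as HostKey replace the default list; keys cannot be removed here, use SshServerOptions for that).` It is also worth stating that `PasswordAuthentication` is carried by its own parameter into `tripleo::profile::base::sshd::password_authentication`, so setting it in the overrides may conflict with that value; which one wins is decided in the puppet profile, outside this template. Note that the commit message calls the parameter SshServerOptionsOverride (singular), which does not match the name defined here; the file's indentation is not recoverable from this rendering, so the nesting above is inferred.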