13ec67a3aa
Change Ie548f7216610e15af24c96f65a58cc8de603235c introduced a new parameter, SshFirewallAllowAll, set to True by default. This parameter allows to add a generic firewall rule allowing, as its name states, world access to the SSH service. Until now, if someone changes his mind and decides to deactivate this opening, the rule will not be removed, although the operator sets the variable to False. This patch intends to reflect the operator will regarding ssh access. Change-Id: I1b4e23b602cf9c41ce6f9a1b602359d7aa7224c0
99 lines
3.0 KiB
YAML
99 lines
3.0 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
Configure sshd_config
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
BannerText:
|
|
default: ''
|
|
description: Configures Banner text in sshd_config
|
|
type: string
|
|
MessageOfTheDay:
|
|
default: ''
|
|
description: Configures /etc/motd text
|
|
type: string
|
|
SshServerOptions:
|
|
default:
|
|
HostKey:
|
|
- '/etc/ssh/ssh_host_rsa_key'
|
|
- '/etc/ssh/ssh_host_ecdsa_key'
|
|
- '/etc/ssh/ssh_host_ed25519_key'
|
|
SyslogFacility: 'AUTHPRIV'
|
|
AuthorizedKeysFile: '.ssh/authorized_keys'
|
|
ChallengeResponseAuthentication: 'no'
|
|
GSSAPIAuthentication: 'yes'
|
|
GSSAPICleanupCredentials: 'no'
|
|
UsePAM: 'yes'
|
|
UseDNS: 'no'
|
|
X11Forwarding: 'yes'
|
|
UsePrivilegeSeparation: 'sandbox'
|
|
AcceptEnv:
|
|
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
|
|
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
|
|
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
|
|
- 'XMODIFIERS'
|
|
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
|
|
description: Mapping of sshd_config values
|
|
type: json
|
|
PasswordAuthentication:
|
|
default: 'no'
|
|
description: Whether or not disable password authentication
|
|
type: string
|
|
SshFirewallAllowAll:
|
|
default: false
|
|
description: Set this to true to open up ssh access from all sources.
|
|
type: boolean
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the ssh
|
|
value:
|
|
service_name: sshd
|
|
config_settings:
|
|
map_merge:
|
|
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
|
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
|
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
|
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
|
- if:
|
|
- {get_param: SshFirewallAllowAll}
|
|
- tripleo::sshd::firewall_rules:
|
|
'003 accept ssh from all':
|
|
proto: 'tcp'
|
|
dport: 22
|
|
- tripleo::sshd::firewall_rules:
|
|
'003 accept ssh from all':
|
|
proto: 'tcp'
|
|
dport: 22
|
|
extras:
|
|
ensure: 'absent'
|
|
|
|
step_config: |
|
|
include ::tripleo::profile::base::sshd
|