d6b2cfce61
From https://www.openssh.com/releasenotes.html: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. Since master only targets CentOS 8 and onwards which has openssh-8.0p1-4.el8 or later, we can safely remove this and get rid of the following warning: May 18 10:50:02 underCloud.localDomain sshd[131346]: rexec line 21: Deprecated option UsePrivilegeSeparation Change-Id: Idff6074d8f01d6a5a784c42521f0cf9d7c6dfbf1
93 lines
2.8 KiB
YAML
93 lines
2.8 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
Configure sshd_config
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
BannerText:
|
|
default: ''
|
|
description: Configures Banner text in sshd_config
|
|
type: string
|
|
MessageOfTheDay:
|
|
default: ''
|
|
description: Configures /etc/motd text
|
|
type: string
|
|
SshServerOptions:
|
|
default:
|
|
HostKey:
|
|
- '/etc/ssh/ssh_host_rsa_key'
|
|
- '/etc/ssh/ssh_host_ecdsa_key'
|
|
- '/etc/ssh/ssh_host_ed25519_key'
|
|
SyslogFacility: 'AUTHPRIV'
|
|
AuthorizedKeysFile: '.ssh/authorized_keys'
|
|
ChallengeResponseAuthentication: 'no'
|
|
GSSAPIAuthentication: 'yes'
|
|
GSSAPICleanupCredentials: 'no'
|
|
UsePAM: 'yes'
|
|
UseDNS: 'no'
|
|
X11Forwarding: 'yes'
|
|
AcceptEnv:
|
|
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
|
|
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
|
|
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
|
|
- 'XMODIFIERS'
|
|
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
|
|
description: Mapping of sshd_config values
|
|
type: json
|
|
PasswordAuthentication:
|
|
default: 'no'
|
|
description: Whether or not disable password authentication
|
|
type: string
|
|
SshFirewallAllowAll:
|
|
default: false
|
|
description: Set this to true to open up ssh access from all sources.
|
|
type: boolean
|
|
|
|
conditions:
|
|
ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the ssh
|
|
value:
|
|
service_name: sshd
|
|
firewall_rules:
|
|
'003 accept ssh from all':
|
|
proto: 'tcp'
|
|
dport: 22
|
|
extras:
|
|
ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
|
|
config_settings:
|
|
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
|
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
|
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
|
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
|
step_config: |
|
|
include tripleo::profile::base::sshd
|