tripleo-heat-templates/puppet/services/sshd.yaml
Emilien Macchi 70901ab69a ssh: enable PasswordAuthentication for containerized undercloud
We don't expect our operators to have SSH keys set up on the undercloud
node, so we don't want to block PasswordAuthentication in
sshd_config.

Depends-On: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9
Change-Id: I10b112e8bffff30879606ddd970dfd3ec67fd9c7
Closes-Bug: #1772519
2018-06-03 01:49:26 +00:00


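heat_template_version: rocky

description: >
  Configure sshd_config

# Heat service template for sshd. It only collects parameters and hands them
# to the tripleo::profile::base::sshd Puppet profile through config_settings;
# the profile included in step_config is what consumes them.
parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  BannerText:
    default: ''
    description: Configures Banner text in sshd_config
    type: string
  MessageOfTheDay:
    default: ''
    description: Configures /etc/motd text
    type: string
  SshServerOptions:
    # Baseline sshd_config. The yes/no values are quoted on purpose: unquoted,
    # a YAML 1.1 loader turns them into booleans instead of the literal
    # strings sshd expects.
    default:
      HostKey:
        - '/etc/ssh/ssh_host_rsa_key'
        - '/etc/ssh/ssh_host_ecdsa_key'
        - '/etc/ssh/ssh_host_ed25519_key'
      SyslogFacility: 'AUTHPRIV'
      AuthorizedKeysFile: '.ssh/authorized_keys'
      # Keyboard-interactive stays off, so turning PasswordAuthentication on
      # enables only the plain "password" method.
      ChallengeResponseAuthentication: 'no'
      GSSAPIAuthentication: 'yes'
      GSSAPICleanupCredentials: 'no'
      UsePAM: 'yes'
      UseDNS: 'no'
      # NOTE(review): X11 forwarding is on by default for every role that
      # uses this template; override SshServerOptions where it is not needed.
      X11Forwarding: 'yes'
      # NOTE(review): UsePrivilegeSeparation is deprecated as of OpenSSH 7.5;
      # confirm the target sshd version still accepts this keyword.
      UsePrivilegeSeparation: 'sandbox'
      AcceptEnv:
        - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
        - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
        - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
        - 'XMODIFIERS'
      Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
    description: Mapping of sshd_config values
    type: json
  PasswordAuthentication:
    # Secure default: password logins stay disabled unless a deployment
    # overrides this parameter. Nothing in this template changes the default,
    # so any override has to come from an environment file outside this view.
    # NOTE(review): how the profile resolves a PasswordAuthentication key that
    # is also set in SshServerOptions is not visible here; confirm it.
    default: 'no'
    description: Value of the sshd_config PasswordAuthentication option,
                 'yes' or 'no'. The default 'no' disables password logins.
    type: string

outputs:
  role_data:
    description: Role data for the ssh
    value:
      service_name: sshd
      config_settings:
        tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
        tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
        tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
      step_config: |
        include ::tripleo::profile::base::sshd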