70901ab69a
We don't expect our operators to have SSH keys setup on the undercloud node, so we don't want to block the PasswordAuthentication in sshd_config. Depends-On: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9 Change-Id: I10b112e8bffff30879606ddd970dfd3ec67fd9c7 Closes-Bug: #1772519
81 lines
2.5 KiB
YAML
81 lines
2.5 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
Configure sshd_config
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
BannerText:
|
|
default: ''
|
|
description: Configures Banner text in sshd_config
|
|
type: string
|
|
MessageOfTheDay:
|
|
default: ''
|
|
description: Configures /etc/motd text
|
|
type: string
|
|
SshServerOptions:
|
|
default:
|
|
HostKey:
|
|
- '/etc/ssh/ssh_host_rsa_key'
|
|
- '/etc/ssh/ssh_host_ecdsa_key'
|
|
- '/etc/ssh/ssh_host_ed25519_key'
|
|
SyslogFacility: 'AUTHPRIV'
|
|
AuthorizedKeysFile: '.ssh/authorized_keys'
|
|
ChallengeResponseAuthentication: 'no'
|
|
GSSAPIAuthentication: 'yes'
|
|
GSSAPICleanupCredentials: 'no'
|
|
UsePAM: 'yes'
|
|
UseDNS: 'no'
|
|
X11Forwarding: 'yes'
|
|
UsePrivilegeSeparation: 'sandbox'
|
|
AcceptEnv:
|
|
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
|
|
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
|
|
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
|
|
- 'XMODIFIERS'
|
|
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
|
|
description: Mapping of sshd_config values
|
|
type: json
|
|
PasswordAuthentication:
|
|
default: 'no'
|
|
description: Whether or not disable password authentication
|
|
type: string
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the ssh
|
|
value:
|
|
service_name: sshd
|
|
config_settings:
|
|
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
|
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
|
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
|
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
|
step_config: |
|
|
include ::tripleo::profile::base::sshd
|