3c9f7577c4
I89cff59947dda3f51482486c41a3d67c4aa36a3e broke SSH access on the Undercloud, we shouldn't be that restrictive by default for the undercloud and standalone (as deployed via tripleo deploy). This change adds a new parameter called SshFirewallAllowAll that can be used to include an allow all for ssh. By default it is disabled when deploying the overcloud but is used by the undercloud and standalone to allow access after installation. Change-Id: Ie548f7216610e15af24c96f65a58cc8de603235c Co-Authored-By: Alex Schultz <aschultz@redhat.com> Related-Bug: #1826829 (cherry picked from commit2b7cb19876) (cherry picked from commitcba7c22857)
90 lines
2.7 KiB
YAML
90 lines
2.7 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
Configure sshd_config
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
BannerText:
|
|
default: ''
|
|
description: Configures Banner text in sshd_config
|
|
type: string
|
|
MessageOfTheDay:
|
|
default: ''
|
|
description: Configures /etc/motd text
|
|
type: string
|
|
SshServerOptions:
|
|
default:
|
|
HostKey:
|
|
- '/etc/ssh/ssh_host_rsa_key'
|
|
- '/etc/ssh/ssh_host_ecdsa_key'
|
|
- '/etc/ssh/ssh_host_ed25519_key'
|
|
SyslogFacility: 'AUTHPRIV'
|
|
AuthorizedKeysFile: '.ssh/authorized_keys'
|
|
PasswordAuthentication: 'no'
|
|
ChallengeResponseAuthentication: 'no'
|
|
GSSAPIAuthentication: 'yes'
|
|
GSSAPICleanupCredentials: 'no'
|
|
UsePAM: 'yes'
|
|
UseDNS: 'no'
|
|
X11Forwarding: 'yes'
|
|
UsePrivilegeSeparation: 'sandbox'
|
|
AcceptEnv:
|
|
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
|
|
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
|
|
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
|
|
- 'XMODIFIERS'
|
|
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
|
|
description: Mapping of sshd_config values
|
|
type: json
|
|
SshFirewallAllowAll:
|
|
default: false
|
|
description: Set this to true to open up ssh access from all sources.
|
|
type: boolean
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the ssh
|
|
value:
|
|
service_name: sshd
|
|
config_settings:
|
|
map_merge:
|
|
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
|
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
|
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
|
- if:
|
|
- {get_param: SshFirewallAllowAll}
|
|
- tripleo::sshd::firewall_rules:
|
|
'003 accept ssh from all':
|
|
proto: 'tcp'
|
|
dport: 22
|
|
- null
|
|
|
|
step_config: |
|
|
include ::tripleo::profile::base::sshd
|