Commit Graph

9 Commits

Author SHA1 Message Date
Colleen Murphy 277e41829d Let sshd use ecdsa and ed25519 host keys
It seems that our nodepool is configured with the ecdsa and ed25519 host
keys from the nodepool nodes, but not the rsa or dsa keys. This is a
problem when we try to test our puppet SSH configuration in CI, because
the puppet module removes the ability for the Zuul executor to reach the
node and perform cleanup tasks after the tests have completed.

This patch adds back the HostKey settings that the nodepool images
started out with. This should not affect the puppetmaster's or a
rooter's ability to log into production servers that are already using
an rsa host key.

Change-Id: I150b76a632398d0a6f00d5b98ad7277c62377601
2018-07-10 12:18:08 +02:00
Paul Belanger fa71d35cab Add @trusted_ssh_type for user to override
We need to expose the ability to override the type of match we want to
do. For example, we want to do match address 1.2.3.4 in sshd_config.

Change-Id: I28c5d71e62a62bd27f289a8bd70b235eac213e5c
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-08-01 12:47:58 -04:00
Derek Higgins 5d55606789 Make sshd PermitRootLogin configurable
Make this configurable so that it can be enabled for images used
by nodepool.

Change-Id: I704453c6d3091a24e68509650c61efb638aea601
2016-07-08 23:46:57 +01:00
Monty Taylor b9370c3cea Allow root logins from localhost
In order to have ansible be able to ssh in to itself, we need to enable
localhost ssh logins.

Change-Id: Iff9d7d72c4ca7848aa49a55d75ee5a2fdd313761
2016-05-03 08:46:58 -05:00
Fabien Boucher 50004931ee Add the trusted source as class parameter
Remove the hardcoded puppetmaster.openstack.org value
from the template but keep it as default parameter
value for ssh class.

Change-Id: I4b07f78ed455841cc2301227e42222ca96b24821
2015-03-25 15:05:54 +00:00
Jeremy Stanley 3d76cd02b4 Cease using ci-puppetmaster.openstack.org
Now that the migration to puppetmaster.openstack.org is complete,
remove duplicate references to ci-puppetmaster.openstack.org and
also take out the temporary Puppet v2 vs v3 compatibility code used
to choose between them.

Change-Id: I32d48e844ab1872391f9f2a4e233804b7a29feb5
2014-09-15 20:48:31 +00:00
Monty Taylor 34c7abd85d Fix the sshd config for inbound ansible
The ssh keys were changed to not tie to a forced-command, but the
sshd config was missed.

Change-Id: I889f7983d0e7d0e1b48d825c7d63cf678782d169
2014-07-04 10:48:12 -07:00
Monty Taylor 1214c15a21 Add keys and script for puppet over ssh
In anticipation of driving puppet over ssh, we need keys on the hosts
and the scripts on the master. Don't turn them on yet, because we want
to be able to do some by-hand testing of the mechanism.

Change-Id: I2c353777e2f8fb5a2e733ce405ba40427ce901e5
2014-04-15 20:24:16 -07:00
Monty Taylor beb78ff787 Fix sftp access on CentOS machines
The sshd_config file that we put everywhere has an invalid value for
where the sftp command is. On RedHat, it's in /usr/libexec - which means
that it is not possible to use SFTP to interact with our CentOS
machines.

Replace the static file with a template so that we can substitute the
correct value based on which distro it is.

Change-Id: Ia9ba88199f4ff024a904431821926dbb26f35ad6
2014-04-07 22:19:40 -07:00