This change introduces support for the ListenAddress option in
sshd_config so that we can restrict the network addresses used by sshd.
This is useful for the nova migration target service which should be
available in only migration networks.
Change-Id: I897bbf114436a87d223602a393ad6cb524ec9c84
Now the sshd manifest is used to configure the nova migration target
service only, which does not require the customization of MOTD and
Banner.
Depends-on: https://review.opendev.org/838978
Change-Id: I02ed0afa327b8f954cd02f62bd947a9ab0b3f7d2
The hiera function is deprecated and does not work with the latest
hieradata version 5. It should be replaced by the new lookup
function[1].
[1] https://puppet.com/docs/puppet/7/hiera_automatic.html
With the lookup function, we can define value type and merge behavior,
but these are kept default at this moment to limit scope of this change
to just simple replacement. Adding value type might be useful to make
sure the value is in expected type (especially when a boolean value is
expected), but we will revisit that later.
example:
lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>])
Change-Id: I1c8402cc7a5edad14d8f8fc159f0b2aa1a350a77
... to avoid the duplicate declaration of the ssh::server class we've
seen since https://github.com/saz/puppet-ssh/pull/318 was merged.
There is an open PR[1] in puppet-ssh repo, which makes the server
class private. This change also works as pre-emptive fix for that
breaking change.
[1] https://github.com/saz/puppet-ssh/pull/325
Closes-bug: #1966625
Change-Id: I9c5b174e0c8377d50b9b306456d2b2147c5f38b8
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Allow to override the default PasswordAuthentication parameter (default
is 'no').
Change-Id: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9
Related-Bug: #1772519
Since DSA is deprecated, sshd doesn't generate it anymore, though it
still wants to load it at startup. Adding the HostKey options should
prevent that, and allow to get cleaner logs in the CI (and on deployed
openstack as well ;).
Change-Id: I5580fa86f8adef7d598b76836a0419b341a8bc9c
Closes-Bug: 1730351
In Ocata all live-migration over ssh is performed on the default ssh port (22).
In Pike the containerized live-migration over ssh is on port 2022 as the
docker host's sshd is using port 22.
To allow live migration during upgrade we need to temporarily pin the Pike
computes to port 22 and in the final converge we can switch over to port 2022.
This patch make the necessary puppet-tripleo change to allow this:
- Adds support in sshd profile for listening on multiple ports.
- Adds a profile to allow proxying to the containerized sshd from the
baremetal sshd
Change-Id: I0b80b81711f683be539939e7d084365ff63546d3
Related-bug: 1714171
In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.
Related-Bug: 1668543
Change-Id: I1d09530d69e42c0c36311789166554a889e46556
Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.
Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.
Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug: 1668543
This change adds an `include` statement to bring in the extra
functionality available from the existing puppet-ssh module in
already available in RDO.
By using puppet-ssh it provides a framework to allow the passing in of
server options using just hiera values under ssh::server_options.
For example, sshd_config banner can now be passed a server option, as
well as all the new parameters outlined in the launchpad issue that
the patch references for Closing. For this reason, the former augeas
setting for `Banner /etc/issue` is now managed by the main puppet-ssh
module instead.
The change also allows population of MOTD text to `/etc/motd` as
well as `issue.net`.
$bannertext is refactored in accordance with patch [1]
[1] https://review.openstack.org/#/c/442406/
Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
Closes-Bug: 1668543
A puppet manifest to allow the toggle of 'Banner' in sshd_config
and enable population of an SSH login banner needed for security
compliance such as DISA STIG
If `Bannertext` is set as a parameter, the `Banner` key within
sshd_config is toggled to `/etc/issue` and the content is copied
into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306