Bug 1694471
Summary: | Restrict SSH access to specific remote subnets | |
---|---|---|---
Product: | Red Hat OpenStack | Reporter: | Punit Kundal <pkundal>
Component: | openstack-tripleo-heat-templates | Assignee: | Cédric Jeanneret <cjeanner>
Status: | CLOSED ERRATA | QA Contact: | Sasha Smolyak <ssmolyak>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 13.0 (Queens) | CC: | cjeanner, hrybacki, mburns, moguimar, nkinder, rmascena
Target Milestone: | zstream | Keywords: | TestOnly, Triaged, ZStream
Target Release: | 13.0 (Queens) | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | openstack-tripleo-heat-templates-8.3.1-48.el7ost | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-09-03 16:55:32 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1704589 | |
Description
Punit Kundal
2019-03-31 16:58:58 UTC
Hello, sooo.. we did some changes in Master/OSP-15 about that open SSH a while back: https://review.openstack.org/#/c/631784/

It adds a new parameter allowing to open SSH to the world or not. Please note it might cut legitimate accesses, and would probably need some custom rules. This can be done by injecting rules in hiera:

```yaml
tripleo::sshd::firewall_rules:
  'Accept sshd from XXX subnet':
    proto: tcp
    dport: 22
    source: 'XXX'
```

Just a small remark: iirc, there isn't any password for the users created by tripleo, meaning a brute force is nearly impossible (ppl have to generate the right SSH private key instead of a password).

Would the change I pointed to be sufficient for your case? If so, we will investigate the backporting of that new patch, since it was made against master.

Cheers,
C.

Hello Cedric,

Thanks for getting back. Our request is that we should have the ability to limit the SSH access to specific required subnets only. If adding the above parameter addresses that requirement, then the right set of supporting documentation to provide the correct advice on the subject matter should be enough.

Regards,
Punit

Hello,

I'm starting the LP creation as well as upstream backports. External trackers will be updated accordingly.

Cheers,
C.

According to our records, this should be resolved by openstack-tripleo-heat-templates-8.3.1-54.el7ost. This build is available now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2624

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
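The first comment in this thread makes the operational point: once the world-open SSH rule is switched off, every legitimate management subnet needs its own `tripleo::sshd::firewall_rules` entry, or access is cut. The natural post-deployment check is to read the rendered rules on a node and confirm that every ACCEPT rule reaching port 22 carries a source restriction inside the intended allowlist. The following is an added example written for this page; it is not code from this bug, from tripleo-heat-templates or from puppet-tripleo. It parses the text of `iptables -S INPUT` and reports SSH ACCEPT rules that are open to any source or whose source lies outside an allowlist. The sample rule lines and the subnets are constructed for the example; the numbered rule comments imitate puppet-firewall's naming convention but were not captured from a real overcloud node.

```python
"""Audit iptables INPUT rules for SSH ACCEPT rules that are not restricted
to an allowlist of management subnets.

Input is the text of `iptables -S INPUT` (or the INPUT lines of
`iptables-save`). Everything below the docstring is example code, not part
of TripleO.
"""
import ipaddress
import shlex

# Constructed sample output. The "NNN description" comment strings imitate
# puppet-firewall's naming but were not captured from a real node.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -m state --state NEW -j ACCEPT
-A INPUT -s 10.20.30.0/24 -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh from mgmt" -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh from ctlplane" -m state --state NEW -j ACCEPT
-A INPUT -s 172.16.0.0/16 -p tcp --dport 22 -m comment --comment "003 accept ssh from lab" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "100 haproxy" -m state --state NEW -j ACCEPT
"""

# Assumed allowlist: the only subnets that should be able to reach sshd.
ALLOWED_SUBNETS = ["10.20.30.0/24", "192.168.24.0/24"]


def port_spec_covers(spec, port):
    """True if an iptables port spec ("22", "22,2222", "20:25") includes port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into a dict; return None for other lines.

    Only the options this audit needs are extracted; other options and their
    values are skipped. A negated source ('! -s X') matches everything except
    X, so it is recorded as unrestricted, which errs towards reporting.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "proto": None, "source": None, "ports": [], "target": None}
    negated = False
    i = 2
    while i < len(toks):
        opt = toks[i]
        if opt == "!":
            negated = True
            i += 1
            continue
        val = toks[i + 1] if i + 1 < len(toks) else None
        if opt in ("-p", "--protocol"):
            rule["proto"] = val
        elif opt in ("-s", "--source", "--src"):
            rule["source"] = None if negated else val
        elif opt in ("--dport", "--dports", "--destination-port", "--destination-ports"):
            if val is not None:
                rule["ports"].append(val)
        elif opt in ("-j", "--jump"):
            rule["target"] = val
        else:
            negated = False
            i += 1
            continue
        negated = False
        i += 2
    return rule


def audit_ssh_rules(rules_text, allowed_subnets, ssh_port=22):
    """Return [(status, source, rule_line)] for every INPUT ACCEPT rule that
    reaches ssh_port over TCP. status is 'open_to_world',
    'outside_allowlist' or 'ok'."""
    allowed = [ipaddress.ip_network(n) for n in allowed_subnets]
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "INPUT" or rule["target"] != "ACCEPT":
            continue
        if rule["proto"] != "tcp":
            continue
        if not any(port_spec_covers(p, ssh_port) for p in rule["ports"]):
            continue
        src = rule["source"]
        if src is None:
            status = "open_to_world"
        else:
            net = ipaddress.ip_network(src, strict=False)
            if net.prefixlen == 0:
                status = "open_to_world"
            elif any(net.subnet_of(a) for a in allowed if a.version == net.version):
                status = "ok"
            else:
                status = "outside_allowlist"
        findings.append((status, src or "any", line))
    return findings


def has_unrestricted_ssh(rules_text, allowed_subnets):
    """True if any SSH ACCEPT rule is world-open or outside the allowlist."""
    return any(s != "ok" for s, _, _ in audit_ssh_rules(rules_text, allowed_subnets))


if __name__ == "__main__":
    for status, src, line in audit_ssh_rules(SAMPLE_RULES, ALLOWED_SUBNETS):
        print(f"{status:18s} source={src:16s} {line}")
```

Run against real output with `iptables -S INPUT > rules.txt` on each overcloud node and pass the file contents to `audit_ssh_rules` with the subnets you actually injected through hiera. The audit only looks at rules that explicitly match port 22; a catch-all such as `-A INPUT -j ACCEPT` would also expose sshd and is worth grepping for separately. The top-level switch introduced by the referenced review is, to the best of my recollection, named `SshFirewallAllowAll` in later tripleo-heat-templates; that name is not stated on this page and should be confirmed against the template version you deploy.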