Bug 1568918 - RFE: Possibility to edit sshd config on the director node
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Alex Schultz
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-18 12:21 UTC by ojanas
Modified: 2022-08-16 09:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-18 19:43:07 UTC
Target Upstream Version:
Embargoed:


Attachments
example hieradata (728 bytes, text/x-vhdl)
2018-04-18 19:42 UTC, Alex Schultz


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-5039 0 None None None 2022-08-16 09:51:18 UTC

Description ojanas 2018-04-18 12:21:53 UTC
Description of problem:

Customer is looking for a way to edit/modify the sshd config on the director node with the condition that those changes would survive next # openstack undercloud upgrade. 

This is achievable for the overcloud nodes via the heat templates -> so customer is looking for a way how to achieve the same for the director node (obviously not via heat templates)

For example these directives (just an example):

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AuthorizedKeysFile .ssh/authorized_keys    
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
LogLevel VERBOSE

Thank you.

Comment 1 Alex Schultz 2018-04-18 19:42:08 UTC
Created attachment 1423715
example hieradata

So this should already be possible using the hieradata_override option in the undercloud.conf. For example we have it documented[0] for tuning ssl ciphers.

For the specific ssh options, you would need to configure tripleo::profile::base::sshd::options

This will require a similar structure to what is configured in the overcloud using the SshServerOptions[1] parameter.

See attached file as an example file that could be used with "hieradata_override = /home/stack/rhbz1568918.yaml"


[0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/director_installation_and_usage/appe-security_enhancements
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/sshd.yaml#L42-L62
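
Added example (constructed here; it is not the attachment from this bug and not Red Hat's own file): a hieradata override of the shape Comment 1 describes, carrying the directives listed in the description under the tripleo::profile::base::sshd::options key. The file path is the one named in the comment.

```yaml
# /home/stack/rhbz1568918.yaml  (constructed example)
#
# Referenced from the [DEFAULT] section of undercloud.conf as:
#   hieradata_override = /home/stack/rhbz1568918.yaml
#
# Each key below is an sshd_config directive; each value is what should
# follow it on the rendered line.
tripleo::profile::base::sshd::options:
  AcceptEnv: 'LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
  AuthorizedKeysFile: '.ssh/authorized_keys'
  # yes/no are quoted: unquoted, a YAML 1.1 parser reads them as booleans
  # instead of passing the literal strings through.
  ChallengeResponseAuthentication: 'yes'
  GSSAPIAuthentication: 'no'
  GSSAPICleanupCredentials: 'yes'
  LogLevel: VERBOSE
```

After the next undercloud install or upgrade run, `sudo sshd -T` on the director node prints the effective sshd settings, which can be compared against the values in this file.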

