Fuel doesn't accept ssh connection

Bug #1557190 reported by Andrey Grebennikov on 2016-03-14
This bug affects 1 person
Affects              Status   Importance   Assigned to       Milestone
Fuel for OpenStack            High         Maksim Malchuk
8.0.x                         High         Maksim Malchuk

Bug Description

Fuel 8.0 GA

When setting up networks during installation, I have eth0 responsible for bootstrap, and eth1 is my external interface.
When installation and deployment are finished, I can connect to the UI using the external IP, but I cannot ssh in; sshd is only listening on the IP address of eth0:

tcp 0 0 10.20.0.2:22 0.0.0.0:* LISTEN 20439/sshd
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.122.154 netmask 255.255.255.0 broadcast 0.0.0.0
        inet6 fe80::5054:ff:fe69:4a36 prefixlen 64 scopeid 0x20<link>
        ether 52:54:00:69:4a:36 txqueuelen 1000 (Ethernet)
        RX packets 31280 bytes 255950510 (244.0 MiB)
        RX errors 0 dropped 2897 overruns 0 frame 0
        TX packets 17415 bytes 2403178 (2.2 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.20.0.2 netmask 255.255.255.0 broadcast 10.20.0.255
        inet6 fe80::5054:ff:fea6:8c45 prefixlen 64 scopeid 0x20<link>
        ether 52:54:00:a6:8c:45 txqueuelen 1000 (Ethernet)
        RX packets 69820 bytes 6837621 (6.5 MiB)
        RX errors 0 dropped 2891 overruns 0 frame 0
        TX packets 17399 bytes 844854577 (805.7 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

We need to have ListenAddress=0.0.0.0 in /etc/ssh/sshd_config

Alexander Saprykin (cutwater) wrote :

Hi, thank you for your report, but please provide a diagnostic snapshot from the failed environment if possible.

Changed in fuel:
status: New → Incomplete
importance: Undecided → High
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 8.0-updates
tags: added: area-library

This is expected. OpenSSH on the master should listen only on the interface that will be used for the admin network.

Changed in fuel:
status: Incomplete → Invalid

@bpiotrowski what does "it is expected" mean? How is the user supposed to log into the Fuel node if it only allows SSH into the node through the PXE interface, which most likely will be non-routable from outside?

Changed in fuel:
status: Invalid → Opinion
Andrew Woodward (xarses) wrote :

The operator must be given the option to allow this; SSH working only from the Admin network is not reasonable.

Changed in fuel:
status: Opinion → Confirmed
Matthew Mosesohn (raytrac3r) wrote :

Adding Adam Heczko to this bug. He originally requested this limitation in https://bugs.launchpad.net/fuel/+bug/1523445 (private security)

Maksim Malchuk (mmalchuk) wrote :

Adam didn't propose to restrict the admin interface only.

Solution proposal:
Allow SSHD incoming TCP connections only from local network segments defined during master node installation in the Fuel menu stage.
The Fuel menu allows configuring 2 network interfaces.
We should allow incoming SSH connections only from these defined networks.

Also his comment:
Thus an iptables (L3) based restriction is being expected, which is not the case with the proposed fix.

So we need to enable SSHD on all interfaces and limit connections correctly via iptables.

Adam Heczko (aheczko-mirantis) wrote :

I actually never requested limiting listening on particular interface.
I proposed to
"Allow SSHD incoming TCP connections only from local network segments defined during master node installation in Fuel menu stage."
Which means that SSH should listen on both interfaces but should be restricted by iptables to local network segments. Or even better only restrict root for local network segments:
AllowUsers root@1.1.1.*

I'd suggest refactoring the current sshd restriction and using one of the proposals mentioned here.

This may not be completely valid either: you never know what the subnet will be where all potential users are coming from. We are focused on working with enterprises, which have very wide networks, including different geographical regions.

Maksim Malchuk (mmalchuk) wrote :

The proposed fix consists of two parts:
1. fuelmenu - security settings (which can be extended for other services later).
2. fuel-library - bind ssh service on all interfaces, restrict only on provided network.

tags: added: team-bugfix
tags: added: feature
information type: Public → Public Security

Reviewed: https://review.openstack.org/293283
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=4ec6abd8b9d54202408fa1ade89f6f27a6df9128
Submitter: Jenkins
Branch: master

commit 4ec6abd8b9d54202408fa1ade89f6f27a6df9128
Author: Maksim Malchuk <email address hidden>
Date: Wed Mar 16 10:15:56 2016 +0300

    Add security module

    Initial commit which adds the security module to the fuelmenu.

    DocImpact
    Change-Id: I2d1149a7596d596f581b7628de7089ac375772f6
    Partial-Bug: #1557190

Reviewed: https://review.openstack.org/293284
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=583bf0bf6ef7ba5a6613d2a25f52ed48b4f23eb1
Submitter: Jenkins
Branch: master

commit 583bf0bf6ef7ba5a6613d2a25f52ed48b4f23eb1
Author: Maksim Malchuk <email address hidden>
Date: Wed Mar 16 01:50:43 2016 +0300

    Restrict SSH according to the security settings

    * Bind SSH service on all interfaces by default
    * Restrict SSH access only to ssh_network from the fuelmenu

    Change-Id: I3c5f7e931669d9d28f59d9f64b4d407b2f37215e
    Depends-on: I2d1149a7596d596f581b7628de7089ac375772f6
    Depends-on: I6518923c089a0f602566394bc4502a57c4306eb7
    Depends-on: I9609003d892875b0bbe00d24fe8365edb1f3c57e
    Closes-Bug: #1557190

Changed in fuel:
status: In Progress → Fix Committed
Maksim Malchuk (mmalchuk) wrote :

Won't Fix in 8.0 due to feature status.

Reviewed: https://review.openstack.org/303523
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=537c10fbbe58b4a922541633cf6646e7afbe2554
Submitter: Jenkins
Branch: master

commit 537c10fbbe58b4a922541633cf6646e7afbe2554
Author: Maksim Malchuk <email address hidden>
Date: Fri Apr 8 18:59:09 2016 +0300

    Pass 'ssh_network' to 'astute.yaml' during save-only

    The correct 'astute.yaml' should be saved for automated deployments.

    Change-Id: I06161e8d819e40bc5827b3fda7f614c0ea5d4fd3
    Partial-Bug: #1557190
    Partial-Bug: #1540073
    Signed-off-by: Maksim Malchuk <email address hidden>

Reviewed: https://review.openstack.org/304007
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=acb168f2dfc66ccfce80f5ff2a8823423930e11f
Submitter: Jenkins
Branch: stable/mitaka

commit acb168f2dfc66ccfce80f5ff2a8823423930e11f
Author: Maksim Malchuk <email address hidden>
Date: Fri Apr 8 18:59:09 2016 +0300

    Pass 'ssh_network' to 'astute.yaml' during save-only

    The correct 'astute.yaml' should be saved for automated deployments.

    Change-Id: I06161e8d819e40bc5827b3fda7f614c0ea5d4fd3
    Partial-Bug: #1557190
    Partial-Bug: #1540073
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit 537c10fbbe58b4a922541633cf6646e7afbe2554)

tags: added: in-stable-mitaka
DongDan (dongdan39) wrote :

So this feature will only be available in Fuel 9.0(OpenStack Mitaka)?

Cheers,
Dan

Maksim Malchuk (mmalchuk) wrote :

In Fuel 9.0, 10.0 (Mitaka) and later versions.

Maksim Malchuk (mmalchuk) wrote :

Steps to verify:

1. Install Fuel (via fuel-virtualbox in this example)
2. Check astute.yaml (it should contain the ssh_network key/value)
[root@fuel ~]# grep ssh /etc/fuel/astute.yaml
  "ssh_network": "10.20.0.0/24"
[root@fuel ~]#
3. Check the firewall rules (they should contain the correct rule)
[root@fuel ~]# iptables -nv -L INPUT | grep ssh
   91 5800 ACCEPT tcp -- * * 10.20.0.0/24 0.0.0.0/0 multiport dports 22 /* 010 ssh */ state NEW
[root@fuel ~]#

This example shows the correct rule, which contains stars for the in/out interfaces and the ssh_network from astute.yaml as the source.
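The verification steps above, together with the two-part fix described earlier in the thread (sshd bound on all interfaces, access limited by an iptables source rule), as an added offline check script. This is example code, not code from the bug thread, from fuel-library or from fuel-menu: the astute.yaml line, the netstat lines and the iptables listing are constructed samples modelled on the output quoted in the thread; the trailing "999 drop all" rule is an assumption about how the INPUT chain ends; and the command printed by ssh_rule_command is my reconstruction of the listed rule, not the command fuel-library actually applies.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Fuel itself.
# Offline check for the fix discussed above: sshd must listen on every
# address, and an iptables rule must ACCEPT TCP/22 only from ssh_network.
# All inputs below are constructed samples modelled on the thread's output.

# Constructed: the single line that matters from /etc/fuel/astute.yaml
SAMPLE_ASTUTE='  "ssh_network": "10.20.0.0/24"'

# Constructed: listening socket before the fix (admin IP only) and after it
SAMPLE_NETSTAT_BEFORE='tcp 0 0 10.20.0.2:22 0.0.0.0:* LISTEN 20439/sshd'
SAMPLE_NETSTAT_AFTER='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20439/sshd'

# Constructed: "iptables -nv -L INPUT" with the ssh rule and an assumed
# trailing drop rule (assumption: the chain ends by dropping everything else)
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  5800 ACCEPT     tcp  --  *      *       10.20.0.0/24         0.0.0.0/0            multiport dports 22 /* 010 ssh */ state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* 999 drop all */'

# ssh_network_from_yaml YAML_TEXT -> prints the CIDR stored under ssh_network
# (handles both the quoted JSON-style line shown in the thread and plain YAML)
ssh_network_from_yaml() {
    printf '%s\n' "$1" | grep 'ssh_network' | tr -d '",' | awk '{ print $2 }' | head -n 1
}

# sshd_listens_all SOCKET_LISTING -> 0 if sshd is bound to the wildcard address on :22
sshd_listens_all() {
    printf '%s\n' "$1" | grep -Eq '(0\.0\.0\.0|\*|\[::\]):22[[:space:]]'
}

# ssh_rule_ok LISTING CIDR -> 0 if an ACCEPT rule for TCP dport 22 exists whose
# source is exactly CIDR and whose in/out interfaces are "*" (not tied to eth0)
ssh_rule_ok() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $3 == "ACCEPT" && $4 == "tcp" && $6 == "*" && $7 == "*" && $8 == net && /dports 22/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# chain_closed LISTING -> 0 if traffic not matched by an ACCEPT rule is dropped:
# either the chain policy is DROP or a catch-all DROP/REJECT rule is present.
# Without this, the ACCEPT rule above restricts nothing.
chain_closed() {
    printf '%s\n' "$1" | awk '
        /^Chain INPUT \(policy DROP/ { found = 1 }
        ($3 == "DROP" || $3 == "REJECT") && $4 == "all" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ssh_rule_command CIDR -> prints an iptables command equivalent to the listed
# rule (my reconstruction from the listing, not the command fuel-library runs)
ssh_rule_command() {
    printf 'iptables -I INPUT -s %s -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "010 ssh" -j ACCEPT\n' "$1"
}

# verify_master YAML SOCKETS LISTING -> 0 when every condition holds
verify_master() {
    net=$(ssh_network_from_yaml "$1")
    [ -n "$net" ] || { echo "ssh_network missing from astute.yaml"; return 1; }
    sshd_listens_all "$2" || { echo "sshd not bound to all addresses"; return 1; }
    ssh_rule_ok "$3" "$net" || { echo "no ACCEPT rule for tcp/22 from $net"; return 1; }
    chain_closed "$3" || { echo "INPUT chain does not drop other traffic"; return 1; }
    echo "ok: ssh reachable on every interface, accepted only from $net"
}

# Pre-fix state (sshd on the admin IP only) fails; post-fix state passes.
if verify_master "$SAMPLE_ASTUTE" "$SAMPLE_NETSTAT_BEFORE" "$SAMPLE_IPTABLES"; then :; fi
if verify_master "$SAMPLE_ASTUTE" "$SAMPLE_NETSTAT_AFTER" "$SAMPLE_IPTABLES"; then :; fi
```

On a real master node the three inputs would come from `cat /etc/fuel/astute.yaml`, `netstat -tlnp` (or `ss -ltnp`) and `iptables -nv -L INPUT`; the chain_closed check is the part a practitioner should not skip, since an ACCEPT rule for ssh_network only restricts access when the rest of the INPUT chain drops what it did not accept.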

Maksym Strukov (unbelll) wrote :

Verified as fixed in 9.0-mos-490

Maksym Strukov (unbelll) on 2016-06-21
Changed in fuel:
status: Fix Committed → Fix Released

Related fix proposed to branch: master
Change author: Olena Logvinova <email address hidden>
Review: https://review.fuel-infra.org/23221

tags: added: release-notes

Related fix proposed to branch: stable/9.0
Change author: Olena Logvinova <email address hidden>
Review: https://review.fuel-infra.org/23238

no longer affects: fuel/mitaka

Reviewed: https://review.fuel-infra.org/23221
Submitter: Mariia Zlatkova <email address hidden>
Branch: master

Commit: 9df422f5d8aac038a702c1f3daccb6a88d7bce97
Author: Olena Logvinova <email address hidden>
Date: Thu Jul 14 12:25:22 2016

[RN] Add note about SSH restriction access feature

This patch adds one more Fuel new feature to the
list of New features section in RN 9.0.

Change-Id: I799b280d49825c9582db6a514ab3ab59a86d181c
Closes-Bug: #1602354
Related-Bug: #1557190

Reviewed: https://review.fuel-infra.org/23238
Submitter: Mariia Zlatkova <email address hidden>
Branch: stable/9.0

Commit: b0077866f9fa87208a5dc3611b836b1385ac200a
Author: Olena Logvinova <email address hidden>
Date: Thu Jul 14 12:28:55 2016

[RN] Add note about SSH restriction access feature

This patch adds one more Fuel new feature to the
list of New features section in RN 9.0.

Change-Id: I799b280d49825c9582db6a514ab3ab59a86d181c
Closes-Bug: #1602354
Related-Bug: #1557190

This report contains Public Security information.