Extend SSHD Management

Bug #1668543 reported by Luke Hinds
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Oliver Walsh

Bug Description

Extend SSHD Composable service to allow the following values to be toggled / set:

SSH Protocol 2
GSSAPI Authentication
Kerberos Authentication
StrictModes
Privilege Separation
Compression Or Set Compression to delayed
SSH Idle Timeout Interval
SSH Client Alive Count
SSH Support for .rhosts Files
Host-Based Authentication
Encrypted X11 Forwarding
SSH Root Login
Disable / Enable SSH Access via Empty Passwords
Disable / Enable Use Only Approved Ciphers
Disable / Enable FIPS Approved MACs
LogLevel
MaxAuthTries
IgnoreRhosts
Idle Timeout Interval
PermitUserEnvironment
LoginGraceTime
Ensure SSH access
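
A post-deployment check for several of the settings listed above, as an added example that is not part of the bug report or of the TripleO code. It reads the global section of an sshd_config the way sshd does; the accepted values, the MaxAuthTries bound and the sample config are assumptions made for illustration.

```python
import re

# Assumed baseline (the page lists the settings, not values); illustrative only.
BASELINE = {
    "protocol": {"2"},
    "strictmodes": {"yes"},
    "ignorerhosts": {"yes"},
    "hostbasedauthentication": {"no"},
    "permitrootlogin": {"no"},
    "permitemptypasswords": {"no"},
    "permituserenvironment": {"no"},
}
MAX_AUTH_TRIES = 4  # assumed upper bound for MaxAuthTries

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Protocol 2
PermitRootLogin no
permitrootlogin yes
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication yes
PermitEmptyPasswords=no
MaxAuthTries 6
Match User deploy
    PermitUserEnvironment no
"""


def parse_global(text):
    """First value wins; keywords ignore case; Match ends the global part."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip('"') if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def audit(text):
    """Return {keyword: found value, or None if unset} for each failure."""
    settings = parse_global(text)
    findings = {k: settings.get(k) for k, ok in BASELINE.items()
                if settings.get(k, "").lower() not in ok}
    tries = settings.get("maxauthtries", "")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings["maxauthtries"] = tries or None
    return findings
```

A keyword that is unset globally is reported rather than assumed safe, because sshd defaults differ between OpenSSH versions and a value set only inside a Match block does not apply to every login.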

Luke Hinds (lhinds)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/443113

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/443289

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Luke Hinds (<email address hidden>) on branch: master
Review: https://review.openstack.org/443289

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/444622

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/443113
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=b35bc80ac2acf18463e4c18c8360862749aa0964
Submitter: Jenkins
Branch: master

commit b35bc80ac2acf18463e4c18c8360862749aa0964
Author: lhinds <email address hidden>
Date: Wed Mar 8 12:32:57 2017 +0000

    SSHD Service extensions

    This change adds an `include` statement to bring in the extra
    functionality available from the existing puppet-ssh module
    already available in RDO.

    By using puppet-ssh it provides a framework to allow the passing in of
    server options using just hiera values under ssh::server_options.
    For example, sshd_config banner can now be passed as a server option, as
    well as all the new parameters outlined in the launchpad issue that
    the patch references for Closing. For this reason, the former augeas
    setting for `Banner /etc/issue` is now managed by the main puppet-ssh
    module instead.

    The change also allows population of MOTD text to `/etc/motd` as
    well as `issue.net`.

    $bannertext is refactored in accordance with patch [1]

    [1] https://review.openstack.org/#/c/442406/

    Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
    Closes-Bug: 1668543

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.0.0

This issue was fixed in the openstack/puppet-tripleo 7.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/455830

Oliver Walsh (owalsh)
Changed in tripleo:
status: Fix Released → In Progress
milestone: pike-1 → pike-2
Changed in tripleo:
assignee: Luke Hinds (lhinds) → Oliver Walsh (owalsh)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/455830
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2a329d545d0e619c88c323148d5fe2098e70b4b1
Submitter: Jenkins
Branch: master

commit 2a329d545d0e619c88c323148d5fe2098e70b4b1
Author: Oliver Walsh <email address hidden>
Date: Tue Apr 11 21:42:44 2017 +0100

    Stop SSHD profile clobbering SSH client config

    Including the ::ssh manifest will manage both client and server config.
    Managing the client config was not intended and will clobber the OS
    default config with the puppet ssh module defaults.

    Follow up for https://review.openstack.org/443113 where I found the issue after
    the changes merged.

    Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
    Related-Bug: 1668543

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/457585

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/457585
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3c49f51c8f42472d0d1cb2986b46a6c96821293a
Submitter: Jenkins
Branch: master

commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a
Author: Oliver Walsh <email address hidden>
Date: Tue Apr 18 12:51:36 2017 +0100

    Refactor SSHD config to allow both SSHD options and banner/motd to be set

    In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
    are mutually exclusive. This patch, and the next patchset of that review,
    resolves the conflict.

    Related-Bug: 1668543

    Change-Id: I1d09530d69e42c0c36311789166554a889e46556

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/444622
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5e14f95a4a46fcf88293f1b0fa93327566614d43
Submitter: Jenkins
Branch: master

commit 5e14f95a4a46fcf88293f1b0fa93327566614d43
Author: Luke Hinds <email address hidden>
Date: Sun Mar 12 03:24:35 2017 +0000

    SSHD Service extensions

    This change implements a MOTD message and provides a hash of
    sshd config options which are sourced to the puppet-ssh module
    as a hash.

    The SSHD puppet service is enabled by default, as it is
    required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
    Also added the service to the CI roles.

    Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
    Depends-On: I1d09530d69e42c0c36311789166554a889e46556
    Closes-Bug: #1668543
    Co-Authored-By: Oliver Walsh <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/458827

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/458828

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/458830

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/458836

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/458827
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=0e991f99b4b239838b5f775468f25025b3ad170b
Submitter: Jenkins
Branch: stable/ocata

commit 0e991f99b4b239838b5f775468f25025b3ad170b
Author: lhinds <email address hidden>
Date: Wed Mar 8 12:32:57 2017 +0000

    SSHD Service extensions

    This change adds an `include` statement to bring in the extra
    functionality available from the existing puppet-ssh module
    already available in RDO.

    By using puppet-ssh it provides a framework to allow the passing in of
    server options using just hiera values under ssh::server_options.
    For example, sshd_config banner can now be passed as a server option, as
    well as all the new parameters outlined in the launchpad issue that
    the patch references for Closing. For this reason, the former augeas
    setting for `Banner /etc/issue` is now managed by the main puppet-ssh
    module instead.

    The change also allows population of MOTD text to `/etc/motd` as
    well as `issue.net`.

    $bannertext is refactored in accordance with patch [1]

    [1] https://review.openstack.org/#/c/442406/

    Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
    Related-Bug: 1668543
    (cherry picked from commit b35bc80ac2acf18463e4c18c8360862749aa0964)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/458828
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f01cef046df57d5257560d3f83bef2e91c3c722e
Submitter: Jenkins
Branch: stable/ocata

commit f01cef046df57d5257560d3f83bef2e91c3c722e
Author: Oliver Walsh <email address hidden>
Date: Tue Apr 11 21:42:44 2017 +0100

    Stop SSHD profile clobbering SSH client config

    Including the ::ssh manifest will manage both client and server config.
    Managing the client config was not intended and will clobber the OS
    default config with the puppet ssh module defaults.

    Follow up for https://review.openstack.org/443113 where I found the issue after
    the changes merged.

    Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
    Related-Bug: 1668543
    (cherry picked from commit 2a329d545d0e619c88c323148d5fe2098e70b4b1)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/458830
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7d13719ab09a148aec7fac2930a0209c04611d8d
Submitter: Jenkins
Branch: stable/ocata

commit 7d13719ab09a148aec7fac2930a0209c04611d8d
Author: Oliver Walsh <email address hidden>
Date: Tue Apr 18 12:51:36 2017 +0100

    Refactor SSHD config to allow both SSHD options and banner/motd to be set

    In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
    are mutually exclusive. This patch, and the next patchset of that review,
    resolves the conflict.

    Related-Bug: 1668543

    Change-Id: I1d09530d69e42c0c36311789166554a889e46556
    (cherry picked from commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a)

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/ocata)

Reviewed: https://review.openstack.org/458836
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=cbf997e73771735d9c8536376b7de075bc8256e1
Submitter: Jenkins
Branch: stable/ocata

commit cbf997e73771735d9c8536376b7de075bc8256e1
Author: Luke Hinds <email address hidden>
Date: Sun Mar 12 03:24:35 2017 +0000

    SSHD Service extensions

    This change implements a MOTD message and provides a hash of
    sshd config options which are sourced to the puppet-ssh module
    as a hash.

    The SSHD puppet service is enabled by default, as it is
    required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
    Also added the service to the CI roles.

    Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
    Depends-On: I1d09530d69e42c0c36311789166554a889e46556
    Closes-Bug: #1668543
    Co-Authored-By: Oliver Walsh <email address hidden>
    (cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.1.0

This issue was fixed in the openstack/tripleo-heat-templates 6.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/469410

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/469411

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/469412

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/469410
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=fc640d8c0ebe8ca415fee4ec0a973d6bc55b06b8
Submitter: Jenkins
Branch: stable/newton

commit fc640d8c0ebe8ca415fee4ec0a973d6bc55b06b8
Author: lhinds <email address hidden>
Date: Wed Mar 8 12:32:57 2017 +0000

    SSHD Service extensions

    This change adds an `include` statement to bring in the extra
    functionality available from the existing puppet-ssh module
    already available in RDO.

    By using puppet-ssh it provides a framework to allow the passing in of
    server options using just hiera values under ssh::server_options.
    For example, sshd_config banner can now be passed as a server option, as
    well as all the new parameters outlined in the launchpad issue that
    the patch references for Closing. For this reason, the former augeas
    setting for `Banner /etc/issue` is now managed by the main puppet-ssh
    module instead.

    The change also allows population of MOTD text to `/etc/motd` as
    well as `issue.net`.

    $bannertext is refactored in accordance with patch [1]

    [1] https://review.openstack.org/#/c/442406/

    Depends-On: Idefe9f0de47c5b0f29b7326642d697ed179e2eb8
    Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
    Related-Bug: 1668543
    (cherry picked from commit b35bc80ac2acf18463e4c18c8360862749aa0964)
    (cherry picked from commit 0e991f99b4b239838b5f775468f25025b3ad170b)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/469411
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3026e27aba2cfd8777b211fac19d8df677f1d026
Submitter: Jenkins
Branch: stable/newton

commit 3026e27aba2cfd8777b211fac19d8df677f1d026
Author: Oliver Walsh <email address hidden>
Date: Tue Apr 11 21:42:44 2017 +0100

    Stop SSHD profile clobbering SSH client config

    Including the ::ssh manifest will manage both client and server config.
    Managing the client config was not intended and will clobber the OS
    default config with the puppet ssh module defaults.

    Follow up for https://review.openstack.org/443113 where I found the issue after
    the changes merged.

    Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
    Related-Bug: 1668543
    (cherry picked from commit 2a329d545d0e619c88c323148d5fe2098e70b4b1)
    (cherry picked from commit f01cef046df57d5257560d3f83bef2e91c3c722e)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/469412
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=0c8703811340f2acd00a515c8bf214c71bb4c4a3
Submitter: Jenkins
Branch: stable/newton

commit 0c8703811340f2acd00a515c8bf214c71bb4c4a3
Author: Oliver Walsh <email address hidden>
Date: Tue Apr 18 12:51:36 2017 +0100

    Refactor SSHD config to allow both SSHD options and banner/motd to be set

    In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
    are mutually exclusive. This patch, and the next patchset of that review,
    resolves the conflict.

    Related-Bug: 1668543

    Change-Id: I1d09530d69e42c0c36311789166554a889e46556
    (cherry picked from commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a)
    (cherry picked from commit 7d13719ab09a148aec7fac2930a0209c04611d8d)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.0.0b2

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/494263

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/494263
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1542f516cc7bbc3a61731df42c98f55b853b0114
Submitter: Jenkins
Branch: stable/newton

commit 1542f516cc7bbc3a61731df42c98f55b853b0114
Author: Luke Hinds <email address hidden>
Date: Sun Mar 12 03:24:35 2017 +0000

    SSHD Service extensions

    This change implements a MOTD message and provides a hash of
    sshd config options which are sourced to the puppet-ssh module
    as a hash.

    The SSHD puppet service is enabled by default, as it is
    required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
    Also added the service to the CI roles.

    Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
    Depends-On: I1d09530d69e42c0c36311789166554a889e46556
    Closes-Bug: #1668543
    Co-Authored-By: Oliver Walsh <email address hidden>
    (cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43)
    (cherry picked from commit cbf997e73771735d9c8536376b7de075bc8256e1)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.3.2

This issue was fixed in the openstack/tripleo-heat-templates 5.3.2 release.
