SSHD Service extensions

This change implements a MOTD message and provides a hash of
sshd config options which are sourced to the puppet-ssh module
as a hash.

The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.

Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
(cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43)

diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml
index 03065c6..ec9af4a 100644 (file)
--- a/ci/environments/multinode-3nodes.yaml
+++ b/ci/environments/multinode-3nodes.yaml
@@ -55,6 +55,7 @@
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::NovaCompute
     - OS::TripleO::Services::NovaLibvirt
+    - OS::TripleO::Services::Sshd
 
 - name: Controller
   CountDefault: 1
@@ -76,3 +77,4 @@
     - OS::TripleO::Services::Timezone
     - OS::TripleO::Services::TripleoPackages
     - OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::Sshd

diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml
index c946ec8..daa2d6f 100644 (file)
--- a/ci/environments/multinode.yaml
+++ b/ci/environments/multinode.yaml
@@ -51,6 +51,7 @@ parameter_defaults:
     - OS::TripleO::Services::Timezone
     - OS::TripleO::Services::NovaCompute
     - OS::TripleO::Services::NovaLibvirt
+    - OS::TripleO::Services::Sshd
   ControllerExtraConfig:
     nova::compute::libvirt::services::libvirt_virt_type: qemu
     nova::compute::libvirt::libvirt_virt_type: qemu

diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml
index 2251cc0..a0f9b09 100644 (file)
--- a/ci/environments/multinode_major_upgrade.yaml
+++ b/ci/environments/multinode_major_upgrade.yaml
@@ -55,6 +55,7 @@ parameter_defaults:
     - OS::TripleO::Services::NovaLibvirt
     - OS::TripleO::Services::Pacemaker
     - OS::TripleO::Services::Horizon
+    - OS::TripleO::Services::Sshd
   ControllerExtraConfig:
     nova::compute::libvirt::services::libvirt_virt_type: qemu
     nova::compute::libvirt::libvirt_virt_type: qemu

diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml
index cbcfa9b..f53ec1f 100644 (file)
--- a/ci/environments/scenario002-multinode.yaml
+++ b/ci/environments/scenario002-multinode.yaml
@@ -60,6 +60,7 @@ parameter_defaults:
     - OS::TripleO::Services::Ec2Api
     - OS::TripleO::Services::TripleoPackages
     - OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::Sshd
   ControllerExtraConfig:
     nova::compute::libvirt::services::libvirt_virt_type: qemu
     nova::compute::libvirt::libvirt_virt_type: qemu

diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml
index 6e926f7..035f749 100644 (file)
--- a/ci/environments/scenario003-multinode.yaml
+++ b/ci/environments/scenario003-multinode.yaml
@@ -54,6 +54,7 @@ parameter_defaults:
     - OS::TripleO::Services::MistralExecutor
     - OS::TripleO::Services::TripleoPackages
     - OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::Sshd
   ControllerExtraConfig:
     nova::compute::libvirt::services::libvirt_virt_type: qemu
     nova::compute::libvirt::libvirt_virt_type: qemu

diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml
index 6751528..a914c97 100644 (file)
--- a/ci/environments/scenario004-multinode.yaml
+++ b/ci/environments/scenario004-multinode.yaml
@@ -65,6 +65,7 @@ parameter_defaults:
     - OS::TripleO::Services::NovaLibvirt
     - OS::TripleO::Services::TripleoPackages
     - OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::Sshd
   ControllerExtraConfig:
     nova::compute::libvirt::services::libvirt_virt_type: qemu
     nova::compute::libvirt::libvirt_virt_type: qemu

diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml
index 041c099..894bf1c 100644 (file)
--- a/environments/sshd-banner.yaml
+++ b/environments/sshd-banner.yaml
@@ -1,6 +1,3 @@
-resource_registry:
-  OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml
-
 parameter_defaults:
   BannerText: |
     ******************************************************************
@@ -11,3 +8,6 @@ parameter_defaults:
     * evidence of criminal activity, system personnel may provide    *
     * the evidence from such monitoring to law enforcement officials.*
     ******************************************************************
+  MessageOfTheDay: |
+    ALERT! You are entering into a secured area!
+    This service is restricted to authorized users only.

diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 65a727e..f05dd41 100644 (file)
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -173,7 +173,7 @@ resource_registry:
   OS::TripleO::Services::Memcached: puppet/services/memcached.yaml
   OS::TripleO::Services::SaharaApi: OS::Heat::None
   OS::TripleO::Services::SaharaEngine: OS::Heat::None
-  OS::TripleO::Services::Sshd: OS::Heat::None
+  OS::TripleO::Services::Sshd: puppet/services/sshd.yaml
   OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
   OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
   OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml

diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml
index 41e144a..e09a889 100644 (file)
--- a/puppet/services/sshd.yaml
+++ b/puppet/services/sshd.yaml
@@ -22,6 +22,33 @@ parameters:
     default: ''
     description: Configures Banner text in sshd_config
     type: string
+  MessageOfTheDay:
+    default: ''
+    description: Configures /etc/motd text
+    type: string
+  SshServerOptions:
+    default:
+      HostKey:
+        - '/etc/ssh/ssh_host_rsa_key'
+        - '/etc/ssh/ssh_host_ecdsa_key'
+        - '/etc/ssh/ssh_host_ed25519_key'
+      SyslogFacility: 'AUTHPRIV'
+      AuthorizedKeysFile: '.ssh/authorized_keys'
+      PasswordAuthentication: 'no'
+      ChallengeResponseAuthentication: 'no'
+      GSSAPIAuthentication: 'yes'
+      GSSAPICleanupCredentials: 'no'
+      UsePAM: 'yes'
+      X11Forwarding: 'yes'
+      UsePrivilegeSeparation: 'sandbox'
+      AcceptEnv:
+        - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+        - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+        - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+        - 'XMODIFIERS'
+      Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
+    description: Mapping of sshd_config values
+    type: json
 
 outputs:
   role_data:
@@ -29,6 +56,8 @@ outputs:
     value:
       service_name: sshd
       config_settings:
-        BannerText: {get_param: BannerText}
+        tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+        tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
       step_config: |
         include ::tripleo::profile::base::sshd

diff --git a/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml
new file mode 100644 (file)
index 0000000..4cc01df
--- /dev/null
+++ b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added ability to manage MOTD Banner
+    Enabled SSHD composible service by default. Puppet-ssh manages the sshd config.