Merge pull request #367 from lsst-it/IT-1657/no_authorized_keys
disable .ssh/authorized_keys by default; whitelist root & foreman users
jhoblitt committed Aug 3, 2021
2 parents b330ca0 + 63282d1 commit d93f400
Showing 3 changed files with 25 additions and 0 deletions.
13 changes: 13 additions & 0 deletions hieradata/org/lsst.yaml
Expand Up @@ -36,6 +36,9 @@ lookup_options:
sssd::domains:
merge:
strategy: "deep"
ssh::server::match_block:
merge:
strategy: "deep"
profile::core::systemd::tmpfile:
merge:
strategy: "deep"
Expand Down Expand Up @@ -88,6 +91,16 @@ ssh::server_options:
KerberosAuthentication: "no"
AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys"
AuthorizedKeysCommandUser: "nobody"
AuthorizedKeysFile: "none"
ssh::server::match_block:
root: &authorized_keys
type: "user"
options:
AuthorizedKeysFile: ".ssh/authorized_keys"
hreinking_b:
<<: *authorized_keys
jhoblitt_b:
<<: *authorized_keys

# easy_ipa server options
# defines the uid/gid of the admin user
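Review bot: The `root: &authorized_keys` match block in the second hunk re-enables file-based keys for the most privileged account while the new global `AuthorizedKeysFile: "none"` turns them off for everyone else, and nothing in the hunk records why. A one-line comment above the block would help, e.g. `# root keeps a local authorized_keys so hosts stay reachable if sssd/sss_ssh_authorizedkeys is unavailable — confirm intent`. Whether this match block is ever reachable depends on `PermitRootLogin`, which is outside the hunk and worth checking alongside this change. The two personal accounts listed here (`hreinking_b`, `jhoblitt_b`) turn offboarding into a hieradata edit, so a pointer to where that list is maintained would help the next maintainer. The `ssh::server_options:` mapping starts before this hunk.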
5 changes: 5 additions & 0 deletions hieradata/org/lsst/role/hypervisor.yaml
Expand Up @@ -40,3 +40,8 @@ files:
owner: "root"
group: "root"
mode: "0644"
ssh::server::match_block:
foreman:
type: "user"
options:
AuthorizedKeysFile: ".ssh/authorized_keys"
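Review bot: The `foreman:` block repeats the `type`/`options` structure verbatim instead of aliasing the `&authorized_keys` anchor defined in hieradata/org/lsst.yaml, and a reader may try to "deduplicate" it; YAML anchors do not resolve across files, so a comment such as `# duplicated from org/lsst.yaml on purpose: YAML anchors do not cross files` would prevent that. It would also help to state which key this exemption serves (presumably Foreman's remote-execution SSH key, which I cannot confirm from the hunk), since a per-user carve-out from `AuthorizedKeysFile none` is exactly what an auditor will ask about. The `files:` entry whose `owner`/`group`/`mode` appear as context starts outside the hunk.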
7 changes: 7 additions & 0 deletions site/profile/manifests/ccs/common.pp
Expand Up @@ -22,4 +22,11 @@

Class['java_artisanal']
-> Class['ccs_software']

ssh::server::match_block { 'ccs':
type => 'User',
options => {
'AuthorizedKeysFile' => '.ssh/authorized_keys',
}
}
}
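Review bot: The `type => 'User'` here differs in case from the `type: "user"` used in the two hieradata match blocks of this same commit; sshd_config keywords, including Match criteria, are case-insensitive, so both work, but one spelling across the repo keeps grep and review simple. Declaring the `ccs` exemption as a resource in a profile manifest also hides it from the hieradata layer where the other exemptions live; either moving it to role data or adding a comment such as `# ccs user is exempt from the global AuthorizedKeysFile none; keep in sync with hieradata/org/lsst.yaml` would make the full exemption list visible in one place. I am reading the resource title `'ccs'` as the Match User value, which the hunk does not show; confirm against the module. The enclosing class opens before this hunk and the final `}` closes it.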
