
Need to be able to configure ssh/sshd #181

Closed
2 of 22 tasks
wgwoods opened this issue Dec 12, 2019 · 4 comments

Comments

@wgwoods
Contributor

wgwoods commented Dec 12, 2019

Many users who build images need to be able to tweak ssh/sshd configuration. Some platforms (e.g. Microsoft Azure, Google Compute Engine) expect certain ssh/sshd settings, and in our own testing we've occasionally had to change things like which port sshd listens on.

osbuild should allow users to change (or replace) the image's ssh_config or sshd_config, so the image never has to come online with an "unsafe" or "unsupported" configuration.

Kickstart doesn't offer a command to configure sshd, so kickstart users handle this in %post scriptlets, like lorax-composer's google.ks. Ansible uses generic file-management modules for this (see examples using template, replace, blockinfile, assemble).

What needs to be configured?

Google's documentation on configuring custom images has the following recommendations:

  • Disable root ssh login.
  • Disable password authentication.
  • Disable host-based authentication.
  • Enable strict, host-key checking.
  • Use ServerAliveInterval to keep connections open.

Microsoft's documentation on how to prepare a Red Hat-based virtual machine for Azure directs the user to

Modify /etc/ssh/sshd_config to include the following line:

ClientAliveInterval 180

So, to be compatible with lorax-composer and information provided by Amazon, Google and Microsoft, osbuild should be able to specify at least the following sshd_config(5) settings:

  • PasswordAuthentication
  • PermitRootLogin
  • PermitEmptyPasswords
  • ClientAliveInterval
  • PermitTunnel
  • AllowTcpForwarding
  • X11Forwarding
  • LoginGraceTime
  • SyslogFacility
  • Ciphers
  • MACs
  • Port
  • ListenAddress

Google also has recommended settings for these ssh_config(5) items:

  • Host
  • Protocol
  • ForwardAgent
  • ForwardX11
  • HostbasedAuthentication
  • StrictHostKeyChecking
  • Ciphers
  • Tunnel
  • ServerAliveInterval
@msehnout
Contributor

What solution do you have in mind? General Ansible-like stage for file processing or specific sshd stage?

@wgwoods
Contributor Author

wgwoods commented Dec 16, 2019

Short answer: we chatted a bit about that last week and @bcl and I prefer a generic ansible-like file manipulation stage, but @larskarlitski and @teg are... not thrilled with the idea of having generic stages.

I'm going to file a separate issue to discuss what the general approach should be for these things, but my feeling is that we'll end up with a specific "openssh" stage that uses an osbuild-provided tool/module for manipulating simple config files to actually make the changes. So I think it'd be okay to write an openssh-specific stage for now, and later we either port it to use osbuild's configtweak tool or we replace it with the generic configtweak stage.
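
As an added illustration (not osbuild's code and not the stage the thread later mentions), this is the kind of idempotent sshd_config rewrite a "configtweak"-style tool would need: keywords are case-insensitive, sshd honours the first active line, a commented default should be replaced in place, and anything new must land before the first `Match` block because later lines apply only to that block. The sample config, the function name and the option set are constructed for this example.

```python
import re

# sshd_config lines: optional "#", keyword, then "Key value" or "Key=value".
_LINE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)$")

# Constructed sshd_config fragment (not from the issue): a commented default,
# an active setting to change, and a Match block that must stay untouched.
SAMPLE_SSHD_CONFIG = """\
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes

Match User deploy
    PasswordAuthentication no
"""

def set_sshd_options(config_text: str, options: dict[str, str]) -> str:
    """Return config_text with every keyword in `options` set to its value."""
    wanted = {k.lower(): f"{k} {v}" for k, v in options.items()}
    lines = config_text.splitlines()
    # Pass 1: first Match block and wanted keywords already active before it.
    first_match, active = len(lines), set()
    for i, line in enumerate(lines):
        m = _LINE_RE.match(line)
        if not m:
            continue
        commented, key = bool(m.group(1)), m.group(2).lower()
        if key == "match" and not commented:
            first_match = i
            break
        if not commented and key in wanted:
            active.add(key)
    # Pass 2: rewrite the global section (all active lines, since sshd uses the
    # first one; a commented default only if nothing active exists), then
    # insert whatever is still missing right before the Match block.
    out, done = [], set()
    for line in lines[:first_match]:
        m = _LINE_RE.match(line)
        if m and m.group(2).lower() in wanted:
            commented, key = bool(m.group(1)), m.group(2).lower()
            if not commented or (key not in active and key not in done):
                out.append(wanted[key])
                done.add(key)
                continue
        out.append(line)
    out.extend(text for key, text in wanted.items() if key not in done)
    out.extend(lines[first_match:])
    return "\n".join(out) + "\n"
```

Running the result through `sshd -t -f <file>` before the image ships is still the real check; this only keeps the edit from being shadowed by an earlier active line or swallowed by a `Match` block.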

@gicmo
Contributor

gicmo commented Nov 15, 2021

ClientAliveInterval and PasswordAuthentication have been done via #862 in a new org.osbuild.sshd.config stage.

@lavocatt
Contributor

lavocatt commented Feb 7, 2023

Closing because this is outdated.

@lavocatt lavocatt closed this as completed Feb 7, 2023