SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.
https://github.com/orgs/SovereignCloudStack/projects/6

Automation of hostname settings, SSH configuration, and root access on SONiC #725

Open matofeder opened 2 hours ago

matofeder commented 2 hours ago

In addition to the general configuration and FRR configuration, certain aspects of the system require automated configuration, including:

Investigate the best approach for managing these configurations. Should they be managed through NetBox, automated using Ansible, or handled by another solution?

matofeder commented 2 hours ago

After reviewing public discussions (SONiC matrix channel) and SONiC documentation, I found that different approaches are used for automating these configurations:

  1. Ansible & ZTP: Users automate tasks like managing SSH and user configurations using Ansible. Some also leverage Zero Touch Provisioning (ZTP) for initial configurations of SSHD, followed by Ansible for ongoing user management.

  2. NetBox: This tool is generally not used for such tasks, as its primary use cases differ from direct configuration management.

  3. RADIUS or TACACS+: A more robust approach involves integrating with RADIUS or TACACS+ for Authentication, Authorization, and Accounting (AAA). SONiC supports both protocols, making it possible to manage SSH access through a centralized RADIUS or TACACS+ server. This setup could include SSH access using username/password, or even public-private key pairs when combined with LDAP or Active Directory (AD) integration.

Proposal: While the RADIUS/TACACS+ approach offers a more centralized solution, it introduces additional dependencies like setting up RADIUS or TACACS+ servers (and possibly LDAP/AD). A more straightforward initial approach might be to use Ansible, potentially alongside ZTP, for automating the configuration process.

scoopex commented 47 minutes ago

I also think that an initial configuration would still be within the scope of NetBox, but the management of the user life cycle would better not be realized in NetBox, as this can be done better by Ansible, for example.

I suggest the following as initial provisioning within ZTP:

In my opinion, this is actually a missing feature in SONiC that cannot be mapped into the system via JSON configuration. But I think that this is not in the scope of our project (maybe this would be worth a feature request).
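To make the two proposals above concrete (matofeder's approaches 1 and 3, and scoopex's suggestion of doing the initial provisioning within ZTP), here is an added example of a ZTP-style first-boot script that covers the three items in the issue title: hostname, sshd settings, and root/operator access, with an optional TACACS+ hook. It is written for this discussion and is not code from SovereignCloudStack or SONiC. The `config hostname`, `config save`, `config tacacs` and `config aaa` commands are the sonic-utilities CLI as documented upstream; the drop-in path `/etc/ssh/sshd_config.d/`, the assumption that SONiC's `sshd_config` is Debian-style (so an `Include` line can be prepended), the service name `ssh`, and the `ops` account and key are assumptions to verify against the target image. `DRY_RUN=1` logs privileged commands instead of running them and `ROOT` prefixes all file paths, so the script can be rehearsed on a workstation.

```shell
#!/bin/sh
# ZTP-style first-boot script for SONiC: hostname, sshd hardening, operator and
# root access, optional TACACS+. Illustration for the SCS issue discussion, not
# SovereignCloudStack or SONiC code. Paths/service name are assumptions (see
# comments); CLI commands are the sonic-utilities `config` commands.
set -eu

# DRY_RUN=1 appends every privileged command to a log instead of executing it;
# ROOT prefixes every file path so the run can be rehearsed off-box.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*" >> "${CMDLOG:-${ROOT:-}/ztp-commands.log}"
  else
    "$@"
  fi
}

# Hostname lives in CONFIG_DB on SONiC; `config hostname` updates it and the
# final `config save -y` persists CONFIG_DB to config_db.json.
ztp_hostname() {
  run config hostname "$1"
}

# Operator account with a public key and sudo membership, so root itself never
# needs to be reachable over SSH. useradd/chown only run on the real box.
ztp_operator() {
  name="$1"; pubkey="$2"
  home="${ROOT:-}/home/$name"
  id "$name" >/dev/null 2>&1 || run useradd -m -s /bin/bash -G sudo "$name"
  mkdir -p "$home/.ssh"
  printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
  run chown -R "$name:$name" "$home"
}

# sshd hardening as a drop-in. sshd keeps the FIRST value it sees for each
# keyword, so the Include must come before any conflicting directive in the
# base file: if it is missing (assumption: Debian-style sshd_config) it is
# prepended, not appended. Service name `ssh` is the Debian unit (assumption).
ztp_sshd() {
  base="${ROOT:-}/etc/ssh/sshd_config"
  dir="${ROOT:-}/etc/ssh/sshd_config.d"
  mkdir -p "$dir"
  cat > "$dir/50-ztp.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
  if [ -f "$base" ] && ! grep -q '^Include .*sshd_config\.d' "$base"; then
    { printf 'Include /etc/ssh/sshd_config.d/*.conf\n'; cat "$base"; } > "$base.ztp"
    mv "$base.ztp" "$base"
  fi
  run systemctl reload ssh
}

# Lock root's password: console and sudo keep working, password logins do not.
ztp_root() {
  run passwd -l root
}

# Optional centralised AAA (approach 3 in the discussion). With the method list
# `tacacs+ local` and failthrough left disabled, local accounts are consulted
# only when the TACACS+ servers are unreachable, so an outage cannot lock the
# operator out but a TACACS+ reject is final.
ztp_tacacs() {
  run config tacacs add "$1"
  run config tacacs passkey "$2"
  run config aaa authentication login tacacs+ local
}

# Order matters: the operator key must be in place before password logins are
# switched off and before root is locked, or the box is unreachable after ZTP.
ztp_main() {
  ztp_hostname "$1"
  ztp_operator "$2" "$3"
  ztp_sshd
  ztp_root
  if [ $# -ge 5 ]; then
    ztp_tacacs "$4" "$5"
  fi
  run config save -y
}

if [ $# -ge 3 ]; then
  ztp_main "$@"
else
  echo "usage: $0 HOSTNAME OPERATOR 'PUBKEY' [TACACS_SERVER SECRET]  (DRY_RUN=1 ROOT=/tmp/x rehearses)" >&2
fi
```

Rehearse with `DRY_RUN=1 ROOT=$(mktemp -d) sh ztp.sh leaf01 ops "$(cat ops.pub)"` and inspect `$ROOT/ztp-commands.log` and the generated `sshd_config`; on the switch, run it without those variables from the ZTP provisioning hook. Ongoing user lifecycle (adding and removing operators after first boot) is the part the discussion assigns to Ansible; this script only establishes the initial state.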