Closed cowen23 closed 1 year ago
Our fix for this will be to update the "meza deploy" command script to collect this preference from the user if the value is non-existent in /opt/con-meza/public/public.yml, similar to the hostname and database password at the very start of the deploy.
I'll post here when that behavior is implemented. Thanks!
For now we have updated the default behavior of the GRC-ATF branch to respect the existing SSH config. You should not encounter this problem again on the GRC-ATF branch.
ref: https://github.com/nasa/meza/commit/270409e84017e6da6a4082ae64472e0b32037c7a
Environment
VMware Red Hat Enterprise Linux release 8.8 (Ootpa) d103da8
Issue details
By default, executing 'meza deploy monolith' overwrites the /etc/ssh/sshd_config file. This could potentially prevent remote SSH logins for systems that have been configured to use PIV-SSH, with password and public key authorizations disabled. It also clobbers other settings that have been made to meet the NASA OpenSSH Security Configuration Specification (attached and located online at https://cset.nasa.gov/ascs/application/open-source-openssh/).
Before running 'meza deploy monolith' the first time, I save the /etc/ssh/sshd_config file. Then after deployment, I copy it back.
To prevent future overwrites, I must modify /opt/meza/config/defaults.yml and set: use_default_ssh_config: False
My first suggestion is to never completely overwrite /etc/ssh/sshd_config. If meza would like to modify a setting in /etc/ssh/sshd_config, then there should be a prompt to ask whether such a change can be made.
NASA OpenSSH Security Configuration Specification v1.4.pdf
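The workaround described in the report (save `/etc/ssh/sshd_config`, deploy, copy it back) still leaves the question of whether anything security-relevant actually changed. The script below is an added example, not code from the meza project or from the reporter: it compares the effective value of a handful of authentication directives between a pre-deploy backup and the live file and reports any drift, so a clobbered hardening (password logins re-enabled, an `AuthorizedKeysCommand` used for smart-card key lookup silently dropped) is caught before the next remote login is attempted. The directive list, the two sample configs and the `/usr/local/bin/example-keys-lookup` path are constructed for the demonstration; only the global section before the first `Match` block is examined.

```shell
#!/bin/sh
# Added example (not meza's or the reporter's code): detect drift in
# security-relevant sshd_config directives after a deploy.
# sshd takes the FIRST occurrence of a directive as effective and treats
# directive names case-insensitively; both rules are mirrored here.

# Print "directive value" for each effective directive in the global section.
# Assumption: settings inside Match blocks are out of scope, so parsing stops
# at the first Match line.
effective_directives() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }   # global section only
        {
            key = tolower($1)
            if (!(key in seen)) {
                seen[key] = 1
                sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # strip directive name
                print key " " $0
            }
        }
    ' "$1"
}

# Look up one directive (lower-case name) in a config; prints "" if unset.
lookup() {
    effective_directives "$1" | awk -v k="$2" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# Compare backup ($1) against live ($2) for the directives that control who
# can authenticate. Prints one DRIFT line per changed directive and returns 1
# if anything changed, 0 otherwise.
check_drift() {
    backup="$1"; live="$2"; drift=0
    for d in passwordauthentication pubkeyauthentication \
             challengeresponseauthentication permitrootlogin \
             authorizedkeyscommand authorizedkeyscommanduser; do
        before=$(lookup "$backup" "$d")
        after=$(lookup "$live" "$d")
        if [ "$before" != "$after" ]; then
            printf 'DRIFT %s: before="%s" after="%s"\n' "$d" "$before" "$after"
            drift=1
        fi
    done
    return "$drift"
}

# Constructed sample inputs: a hardened config (password logins off, keys
# served by a lookup command) and the kind of generic file an overwrite leaves.
HARDENED=$(mktemp); LIVE=$(mktemp)
trap 'rm -f "$HARDENED" "$LIVE"' EXIT
cat > "$HARDENED" <<'EOF'
# hardened per site policy (constructed sample)
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
AuthorizedKeysCommand /usr/local/bin/example-keys-lookup
AuthorizedKeysCommandUser nobody
Match User backup
    PasswordAuthentication yes
EOF
cat > "$LIVE" <<'EOF'
# generic defaults written over the hardened file (constructed sample)
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
EOF

# Stand-alone run: report drift between the two sample files.
check_drift "$HARDENED" "$LIVE" || echo "sshd_config drifted; restore the backup before relying on remote access"
```

In practice the first argument is the copy saved before `meza deploy monolith` and the second is `/etc/ssh/sshd_config` afterwards; a non-zero exit is the signal to restore the backup and run `sshd -t` before reloading the daemon. Extending the directive list to whatever the site's OpenSSH specification mandates is a one-line change to `check_drift`.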