Make handling of ssh host keys configurable for Cinder

Registered by Jay Bryant on 2014-06-17

To address concerns of weak SSH security in Cinder, the way that
ssh host keys are handled by Cinder should be configurable, allowing
system administrators to choose how secure they wish their SSH connections
to be.

This blueprint proposes making the way that SSH
host keys are handled configurable, allowing system administrators
to make a conscious decision about the level of security they need
on their system.

The solution would require two new configuration items as well as
a change to the current default behavior. First, there would need
to be a 'strict_ssh_host_key_policy' configuration option with possible
settings of 'false' (default) or 'true'. When this option is set to
'false' it will automatically accept the host key on the first connection
and then will throw an exception if the host key changes in the future.
This is where the default behavior changes from the current functionality.

In the case that 'strict_ssh_host_key_policy' is set to 'true' then a
second option 'ssh_host_keys_file' must be configured. When the strict
configuration is used it is assumed that the administrator is going to
have pre-configured ssh host keys and any deviation from those expected
keys will be handled with an exception.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Low
Drafter:
Jay Bryant
Direction:
Needs approval
Assignee:
Jay Bryant
Definition:
Approved
Series goal:
Accepted for juno
Implementation:
Implemented
Milestone target:
2014.2
Started by
Jay Bryant on 2014-08-14
Completed by
Jay Bryant on 2014-09-04

Whiteboard

jsbryant - 6/24/2014
Need to also make note here that this Blueprint will address changes not just for the volume drivers but also for the zonemanager drivers. I will need to investigate how to implement this but hopefully we can just update those drivers to use cinder/utils.py to get the right ssh behavior. Also hope that they can then get the needed configuration options from cinder.conf for consistency. I am not as familiar with that code, so I will need to investigate that further.

Gerrit topic: https://review.openstack.org/#q,topic:bp/for,n,z

Addressed by: https://review.openstack.org/100697
    Add blueprint for configurable ssh host key policy

tkelsey - 06/27/2014
Please also take a look at the related OSSN for this issue: https://review.openstack.org/#/c/100945/. Even in the case that 'strict_ssh_host_key_policy' is not being used, some form of known hosts list should be maintained; this could initially be empty though.

Gerrit topic: https://review.openstack.org/#q,topic:bp/configurable-ssh-host-key-policy,n,z

Addressed by: https://review.openstack.org/114336
    Make ssh-host-key-policy configurable

jsbryant - 8/14/2014
I have made good progress on the code and, as you can see above, do have a patch up for review. There are some slight changes from the originally discussed design. With the way that the code used to run, it would just blindly accept all connections by default and would not save any host information. Obviously not secure at all.

This one compromises by allowing the user to either require that the host key be pre-configured ('strict_ssh_host_key_policy = True') or, if that is set to False, it will allow the first connection of a host (if we don't see it in the host keys file) to connect and we save the key. Future connections must use the same key.

The trick here is that we need to set a known_hosts file to use, which is a new requirement. I default to using ~cinder/.ssh/known_hosts but the user can specify a different location for known hosts if they prefer.
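The two modes described in the blueprint text (strict: keys must be pre-configured, any deviation is an error; non-strict default: accept and save the key on first contact, reject any later change) and the known_hosts file requirement from the comment above can be modelled in a few dozen lines. The following is an added example written for this page, not Cinder's code: cinder/utils.py does this through paramiko, whereas this model parses plain OpenSSH known_hosts lines itself so it runs offline. All host names and key blobs are constructed stand-ins; the class and function names are hypothetical.

```python
# Added example: a stand-alone model of the proposed two-mode SSH host-key
# policy. Not Cinder's implementation; names and sample data are constructed.
import base64
import hashlib
import os
import tempfile


class UnknownHostKey(Exception):
    """Strict policy: the host has no pre-configured key in the known_hosts file."""


class HostKeyMismatch(Exception):
    """Either policy: the host presented a key that differs from the stored one."""


def fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Parse plain 'hosts keytype key' known_hosts lines into {(host, keytype): key}.

    Hashed hosts (|1|...) and @cert-authority/@revoked markers are skipped here.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = key
    return entries


class HostKeyPolicy:
    """strict=True  mirrors 'strict_ssh_host_key_policy = True' (keys pre-configured,
    unknown host or changed key is an error); strict=False mirrors the proposed
    default (remember the key on first contact, then reject any change)."""

    def __init__(self, known_hosts_path, strict=False):
        self.path = known_hosts_path
        self.strict = strict
        if os.path.exists(known_hosts_path):
            with open(known_hosts_path) as fh:
                self.known = parse_known_hosts(fh.read())
        elif strict:
            raise ValueError("strict policy needs an existing known_hosts file: %s" % known_hosts_path)
        else:
            self.known = {}

    def check(self, host, keytype, b64_key):
        """Return 'verified' or 'added'; raise on an unknown (strict) or changed key."""
        stored = self.known.get((host, keytype))
        if stored is None:
            if self.strict:
                raise UnknownHostKey("%s %s %s not in %s" % (host, keytype, fingerprint(b64_key), self.path))
            # Non-strict first contact: trust on first use and persist the key.
            self.known[(host, keytype)] = b64_key
            with open(self.path, "a") as fh:
                fh.write("%s %s %s\n" % (host, keytype, b64_key))
            return "added"
        if stored != b64_key:
            raise HostKeyMismatch("%s key changed: expected %s, got %s"
                                  % (host, fingerprint(stored), fingerprint(b64_key)))
        return "verified"


# Constructed key blobs: not real public keys, only the base64 field of a line.
KEY_A = base64.b64encode(b"constructed-key-for-array-1").decode()
KEY_B = base64.b64encode(b"constructed-key-rotated-or-spoofed").decode()


def demo(workdir):
    """Exercise both modes against a constructed known_hosts file; return outcomes."""
    path = os.path.join(workdir, "known_hosts")
    with open(path, "w") as fh:
        fh.write("# constructed known_hosts for the example\n")
        fh.write("array1.example.invalid ssh-rsa %s\n" % KEY_A)
    out = []
    strict = HostKeyPolicy(path, strict=True)
    out.append(strict.check("array1.example.invalid", "ssh-rsa", KEY_A))
    try:
        strict.check("array2.example.invalid", "ssh-rsa", KEY_A)
    except UnknownHostKey:
        out.append("strict-rejected-unknown")
    lenient = HostKeyPolicy(path, strict=False)
    out.append(lenient.check("array2.example.invalid", "ssh-rsa", KEY_A))
    try:
        lenient.check("array2.example.invalid", "ssh-rsa", KEY_B)
    except HostKeyMismatch:
        out.append("lenient-rejected-changed")
    return out


def run_demo():
    """Run demo() in a throwaway directory; return (outcomes, final known_hosts text)."""
    with tempfile.TemporaryDirectory() as d:
        outcomes = demo(d)
        with open(os.path.join(d, "known_hosts")) as fh:
            return outcomes, fh.read()


if __name__ == "__main__":
    print(run_demo())
```

The non-strict branch is trust-on-first-use: it closes the "accept everything, remember nothing" gap the comment describes, but the first contact is still unauthenticated, which is exactly why the strict mode exists for operators who can pre-seed the file.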

Addressed by: https://review.openstack.org/118492
    HP 3PAR configurable ssh-host-key-policy
