Configure SSH hardening for cephadm
Configure SSH hardening to control how cephadm connects to hosts and runs commands.
Before you begin
Ensure that the cluster is deployed and hosts are added. Configure a non-root user with passwordless sudo access on each host.
About this task
SSH hardening improves security by restricting how cephadm runs commands on hosts. When enabled, cephadm does not run commands directly. Instead, it uses the cephadm_invoker.py script.
The invoker script verifies the cephadm binary before execution and allows only approved operations. This helps prevent unauthorized command execution.
SSH hardening restricts sudo access for non-root users. When a host is prepared for SSH hardening, the sudoers configuration is updated to limit the commands that can be run with sudo. This helps prevent unauthorized command execution while still allowing required cephadm operations.
The sudoers configuration allows passwordless sudo only for the cephadm_invoker.py script, providing a controlled and secure execution environment.
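As an added check, not part of the original documentation, the following script audits a sudoers fragment for the cephadm user and reports whether every passwordless rule is limited to the invoker script. The sample sudoers lines and the invoker path (/var/lib/ceph/cephadm_invoker.py) are constructed assumptions; the real path is whatever cephadm installs when it prepares the host.

```python
import re

# Constructed sample sudoers fragments (not from the page); the invoker path is an assumption.
INVOKER = "cephadm_invoker.py"
WEAK_SUDOERS = "cephadm ALL=(ALL) NOPASSWD: ALL\n"
HARDENED_SUDOERS = (
    "Defaults:cephadm !requiretty\n"
    "cephadm ALL=(root) NOPASSWD: /usr/bin/python3 /var/lib/ceph/cephadm_invoker.py *\n"
)
# user host=(runas) cmds; the (runas) part is optional
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_sudoers(text):
    """Yield (user, runas, tags, command) for each command in each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd, tags = cmd.strip(), []
            # Peel off leading TAG: prefixes such as NOPASSWD: or SETENV:
            while ":" in cmd and cmd.split(":", 1)[0].isupper():
                tag, cmd = cmd.split(":", 1)
                tags.append(tag.strip())
                cmd = cmd.strip()
            yield m.group("user"), m.group("runas") or "root", tags, cmd

def audit_sudoers(text, user):
    """Classify each NOPASSWD rule for `user` as (severity, command):
    'high' = unrestricted ALL, 'ok' = the cephadm invoker, 'review' = anything else."""
    findings = []
    for u, _runas, tags, cmd in parse_sudoers(text):
        if u != user or "NOPASSWD" not in tags:
            continue
        if cmd == "ALL":
            findings.append(("high", cmd))
        elif INVOKER in cmd:
            findings.append(("ok", cmd))
        else:
            findings.append(("review", cmd))
    return findings

def is_hardened(text, user):
    """True only when every NOPASSWD rule for `user` is limited to the invoker."""
    f = audit_sudoers(text, user)
    return bool(f) and all(sev == "ok" for sev, _ in f)
```

Run it against the contents of /etc/sudoers and /etc/sudoers.d/* on a prepared host; any 'high' or 'review' finding means the host still grants the cephadm user more than the invoker.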