Configure SSH hardening for cephadm

Configure SSH hardening to control how cephadm connects to hosts and runs commands.

Before you begin

Ensure that the cluster is deployed and hosts are added. Configure a non-root user with passwordless sudo access on each host.

About this task

SSH hardening improves security by restricting how cephadm runs commands on hosts. When enabled, cephadm does not run commands directly. Instead, it uses the cephadm_invoker.py script.

The invoker script verifies the cephadm binary before execution and allows only approved operations. This helps prevent unauthorized command execution.

SSH hardening restricts sudo access for non-root users. When a host is prepared for SSH hardening, the sudoers configuration is updated to limit the commands that can be run with sudo. This helps prevent unauthorized command execution while still allowing required cephadm operations.

The sudoers configuration allows passwordless sudo access only to the cephadm_invoker.py script, providing a controlled and secure execution environment.

Procedure

  • Enable SSH hardening for the cluster.
    ceph cephadm prepare-host-and-enable-ssh-hardening --ssh-user <user>

    SSH hardening is enabled for the cluster. cephadm now runs commands through the invoker script and uses a non-root user with restricted sudo access.

    Additional actions performed:

    • Installs or updates the cephadm package with the invoker script.
    • Configures restricted sudo access for the specified user.
    • Copies the cluster SSH key to hosts.
    • Enables SSH hardening for the cluster.

    How the workflow changes:

    1. Add the cluster SSH key to the user's authorized_keys file before adding hosts.
    2. Ensure that the user has passwordless sudo access. The configuration updates the /etc/sudoers.d/<username> file with the following entry:
      <username> ALL=(root) NOPASSWD: /usr/libexec/cephadm_invoker.py
    3. cephadm runs commands through the invoker script instead of direct execution.
    4. The invoker validates the cephadm binary before running commands.

    Note: SSH hardening restricts cephadm operations to the cephadm_invoker.py script. However, it does not remove or validate existing sudo permissions that are defined in /etc/sudoers, other sudoers files, or group memberships. It updates only the /etc/sudoers.d/<username> file. Review and remove any additional sudo permissions if stricter access control is required.

  • Manually prepare a host.
    cephadm prepare-host-ssh-hardening --ssh-user <user> --ssh-pub-key <key>

  • Disable SSH hardening.
    ceph config set mgr mgr/cephadm/sudo_hardening false

    Disabling SSH hardening does not remove the configuration changes on hosts. The /etc/sudoers.d/<username> file and its restrictions remain in place. You must review and update the sudoers configuration manually if required.
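The note above says that cephadm writes only /etc/sudoers.d/<username> and leaves other sudo grants untouched, and that disabling hardening leaves the drop-in in place. The following is an added example (not part of the Ceph project or this page) of a small audit you can run on a host to confirm the expected invoker rule is present and to count any other sudo rules the user or a %group still holds; the user name ceph-admin, the sample file contents and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Ceph project code): audit sudoers files for the cephadm
# SSH-hardening rule and report any other sudo grants the user still holds.
# Assumes cephadm writes exactly:  <user> ALL=(root) NOPASSWD: /usr/libexec/cephadm_invoker.py
INVOKER=/usr/libexec/cephadm_invoker.py

# audit_sudo_grants USER FILE...
# Prints "missing" if no file carries the expected rule, "extra:<n>" if the rule
# is present but USER (or a %group line) has <n> other rules, otherwise "ok".
audit_sudo_grants() {
    user=$1; shift
    expected="$user ALL=(root) NOPASSWD: $INVOKER"
    found=0; extra=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            # Skip blank lines and comments (expected at column 0, as cephadm writes them).
            case $line in ''|\#*) continue ;; esac
            if [ "$line" = "$expected" ]; then
                found=1
            else
                # Any other rule for this user, or any group rule, widens the sudo surface.
                case $line in
                    "$user"[[:space:]]*|%*) extra=$((extra + 1)) ;;
                esac
            fi
        done < "$f"
    done
    if [ "$found" -eq 0 ]; then echo missing
    elif [ "$extra" -gt 0 ]; then echo "extra:$extra"
    else echo ok; fi
}

# Constructed sample files standing in for /etc/sudoers.d/<username> and a
# pre-existing drop-in that hardening does not remove.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' "# managed by cephadm" \
    "ceph-admin ALL=(root) NOPASSWD: $INVOKER" > "$SAMPLE_DIR/ceph-admin"
printf '%s\n' "ceph-admin ALL=(ALL) NOPASSWD: ALL" \
    "%wheel ALL=(ALL) ALL" > "$SAMPLE_DIR/90-legacy"

audit_sudo_grants ceph-admin "$SAMPLE_DIR/ceph-admin"                         # prints ok
audit_sudo_grants ceph-admin "$SAMPLE_DIR/ceph-admin" "$SAMPLE_DIR/90-legacy"  # prints extra:2
audit_sudo_grants ceph-admin "$SAMPLE_DIR/90-legacy"                          # prints missing
```

On a real host, run the function as root against /etc/sudoers.d/<username> together with /etc/sudoers and the other drop-ins; a result other than ok means the restrictions described above are not the only sudo path for that user.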