
@sebrandon1
Contributor

Based on reviews of #439

We'll have a single MachineConfig per path, per severity. Future high level severity flags will be added to this file and rebuilt with new comment and source key/values.

Security hardening for SSHD:

  • Added 75-sshd_config-high.yaml to disable direct root SSH access, disable password-based authentication (including empty passwords), implement a 5-minute session timeout, and enforce public key authentication for SSH access on worker nodes.
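
An added example, not part of the pull request or the project's code: a small audit that checks sshd_config-style text against the four controls listed in the description above. The directive names, the mapping of the 5-minute timeout to `ClientAliveInterval` of at most 300 seconds, and the sample inputs are assumptions made for illustration; the contents of `75-sshd_config-high.yaml` are not shown on this page.

```python
# Upstream OpenSSH defaults, applied when a directive is absent (distro builds may differ).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "clientaliveinterval": "0",
}

# Assumed mapping of the described controls to directives (not taken from the PR's file).
REQUIRED = {
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",
    "permitemptypasswords": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    # Only plain seconds are accepted here; any other form is reported as a failure.
    "clientaliveinterval": lambda v: v.isdigit() and 0 < int(v) <= 300,
}

def effective(text):
    """Global settings as sshd resolves them: the first value seen for a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # everything after a Match line is conditional, not global
        seen.setdefault(key, value)  # later duplicates are ignored, as in sshd
    return {**DEFAULTS, **seen}

def audit(text):
    """Return the sorted list of directives that do not meet the required values."""
    cfg = effective(text)
    return sorted(k for k, ok in REQUIRED.items() if not ok(cfg[k]))

# Constructed samples: a hardened fragment, and one where an earlier line shadows the fix.
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\nPermitEmptyPasswords no\n"
            "PubkeyAuthentication yes\nClientAliveInterval 300\n")
SHADOWED = ("PasswordAuthentication yes  # earlier line wins\nPermitRootLogin no\n"
            "PasswordAuthentication no\nClientAliveInterval 300\n"
            "Match User ops\n    PermitRootLogin yes\n")

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("shadowed", SHADOWED), ("empty", "")):
        print(name, audit(sample) or "ok")
```

On a live node, the output of `sshd -T` (the daemon's resolved configuration) is the better input, since it already accounts for included files.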

@openshift-ci openshift-ci bot requested review from lack and yuvalk November 19, 2025 21:38
@openshift-ci

openshift-ci bot commented Nov 19, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign marsik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sebrandon1 sebrandon1 changed the title RAN Hardening (SSHD) - High Severity CNF-19031: RAN Hardening (SSHD) - High Severity Nov 20, 2025
@openshift-ci-robot
Collaborator

@sebrandon1: This pull request references CNF-19031 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.21.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
