CNF-21326: RAN Hardening - SSHD (H3: PermitEmptyPasswords)#466

Open
sebrandon1 wants to merge 2 commits into openshift-kni:main from sebrandon1:top_5_high_combo

Conversation

@sebrandon1 sebrandon1 commented Nov 19, 2025

Summary

SSHD hardening for HIGH severity compliance remediations only.

Remediation Group

SSHD Setting

Severity  Setting               Value  Description
HIGH      PermitEmptyPasswords  no     Prevent SSH login with empty passwords

Implementation

Uses drop-in file at /etc/ssh/sshd_config.d/75-hardening.conf

Scope Note

This PR focuses exclusively on HIGH severity SSHD compliance. MEDIUM and LOW severity SSHD settings (M1, L1) will be addressed in separate PRs.

Related

Test plan

  • Apply MachineConfig to test cluster
  • Verify: sshd -T | grep permitemptypasswords
  • Run Compliance Operator scan to verify check passes

Compliance Checks

  • rhcos4-e8-worker-sshd-disable-empty-passwords
  • rhcos4-e8-master-sshd-disable-empty-passwords

🤖 Generated with Claude Code
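
The drop-in described above, as an added example that is not the PR's own manifest: a script that renders the MachineConfig which would install /etc/ssh/sshd_config.d/75-hardening.conf for a given role, and a check that parses `sshd -T` output the way the test plan does. The MachineConfig name and the sample `sshd -T` lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not the PR's own manifest): render the MachineConfig that
# installs the drop-in, and check the effective value the way the test plan
# does, by parsing `sshd -T` output.
# sshd keeps the FIRST value it sees for a keyword and reads the drop-ins
# under /etc/ssh/sshd_config.d/ in sorted name order via Include, so the "75-"
# prefix sets precedence and only `sshd -T` shows the effective value.
DROPIN_PATH=/etc/ssh/sshd_config.d/75-hardening.conf
DROPIN_CONTENT='# H3: refuse login to accounts with empty passwords
PermitEmptyPasswords no
'

# Emit a MachineConfig for role "master" or "worker" (the two roles the
# compliance checks cover). The object name is an assumed placeholder.
render_machineconfig() {
  role=$1
  b64=$(printf '%s' "$DROPIN_CONTENT" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-${role}-sshd-hardening
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: ${DROPIN_PATH}
          mode: 0600
          overwrite: true
          contents:
            source: data:text/plain;charset=utf-8;base64,${b64}
EOF
}

# Return 0 when the `sshd -T` dump passed as $1 shows "permitemptypasswords no".
# sshd -T prints one lower-cased "keyword value" pair per line.
check_permit_empty_passwords() {
  val=$(printf '%s\n' "$1" | awk '$1 == "permitemptypasswords" { print $2; exit }')
  [ "$val" = "no" ]
}

# Constructed samples of `sshd -T` output (not captured from a real node).
SAMPLE_OK='port 22
permitemptypasswords no'
SAMPLE_BAD='port 22
permitemptypasswords yes'
```

On a node, the same check runs as `sshd -T | awk '$1 == "permitemptypasswords" { print $2 }'`, which reports the value sshd actually enforces regardless of which file set it.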

@openshift-ci openshift-ci bot requested review from lack and yuvalk November 19, 2025 21:38
openshift-ci bot commented Nov 19, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign marsik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sebrandon1 sebrandon1 changed the title from "RAN Hardening (SSHD) - High Severity" to "CNF-19031: RAN Hardening (SSHD) - High Severity" Nov 20, 2025
@openshift-ci-robot (Collaborator)

@sebrandon1: This pull request references CNF-19031 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.21.0" version, but no target version was set.

In response to this:

Based on reviews of #439

We'll have a single MachineConfig per path, per severity. Future high level severity flags will be added to this file and rebuilt with new comment and source key/values.

Security hardening for SSHD:

  • Added 75-sshd_config-high.yaml to disable direct root SSH access, disable password-based authentication (including empty passwords), implement a 5-minute session timeout, and enforce public key authentication for SSH access on worker nodes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sebrandon1 sebrandon1 force-pushed the top_5_high_combo branch 2 times, most recently from b304c42 to 4288f7f on December 8, 2025 20:18
sebrandon1 added a commit to sebrandon1/telco-reference that referenced this pull request Jan 14, 2026
SSHD hardening settings (all severities) will be consolidated into
PR openshift-kni#466. This PR now focuses on non-SSHD HIGH severity items only:
- crypto-policy
- PAM auth (no empty passwords)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Replace 75-sshd-config-high.yaml with 75-sshd-hardening.yaml that includes
all SSHD settings from Compliance Operator (E8/CIS):

HIGH severity:
- PermitEmptyPasswords no

MEDIUM severity:
- PermitRootLogin no
- GSSAPIAuthentication no
- IgnoreRhosts yes
- IgnoreUserKnownHosts yes
- PermitUserEnvironment no
- StrictModes yes
- PrintLastLog yes

LOW severity:
- LogLevel INFO

Also uses drop-in file at /etc/ssh/sshd_config.d/75-hardening.conf
instead of overwriting the main sshd_config.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@sebrandon1 sebrandon1 changed the title from "CNF-19031: RAN Hardening (SSHD) - High Severity" to "CNF-19031: RAN Hardening (SSHD) - Consolidated All Severity Levels" Jan 14, 2026
@sebrandon1 sebrandon1 changed the title from "CNF-19031: RAN Hardening (SSHD) - Consolidated All Severity Levels" to "CNF-19031: RAN Hardening (SSHD) - HIGH Severity Only" Jan 14, 2026
@sebrandon1 sebrandon1 changed the title from "CNF-19031: RAN Hardening (SSHD) - HIGH Severity Only" to "CNF-21326: RAN Hardening - SSHD (H3: PermitEmptyPasswords)" Jan 20, 2026
@openshift-ci-robot (Collaborator)

@sebrandon1: This pull request references CNF-21326 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
