On Sat, Jan 28, 2017 at 4:34 AM James Beedy <[email protected]> wrote:
> A default SG rule generated for every model allows 22 from 0.0.0.0/0, I'm
> guessing this is because we are trying to facilitate the use case for juju
> deployed on a public cloud, and instances being ssh accessed from the
> internet and not from behind VPN in the same address space.
>
> A functionality which would allow users who don't want ssh open to the
> world to close it, either completely, or limit to a private address space,
> would be very helpful (especially because Juju reverts any changes made to
> the SG,

I created a bug about that a while back:
https://bugs.launchpad.net/juju-core/+bug/1420996
As per the last change there, it was targeted for 2.1.0 until just recently.

> so I couldn't even lock down port 22 if I wanted to).
>
> Is it possible to introduce a model config param that we could use to tell
> juju where to allow ssh traffic from?

Again, an older bug, but I'd be keen to see that not just for 22/ssh, but in general when exposing services:
https://bugs.launchpad.net/bugs/1401358
but that may not fit the new juju2 models since the bug was written.

> Quick fix: Introduce an 'ssh-allow' param that could be used to open and
> close port 22 on the SG generated for the model?
>
> Better fix: Introduce a config param 'ssh-access', where default value is
> 0.0.0.0/0, which could then be modified to an address space that fits the
> user's security needs.
>
> How do others feel about this?
> --
> Juju mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
