From c4369e76d0ea181f6e8e637f3704cb7356a9e104 Mon Sep 17 00:00:00 2001 From: dave kormann Date: Wed, 16 Dec 2020 17:03:37 -0500 Subject: [PATCH] FIX: allow keystone to log in Our playbooks depend on the keystone user being able to login, but keystone isn't a member of the allowedgroups for ssh. This fixes that and optimistically adds ironic as well. signed-off-by: dave kormann Change-Id: Ia20065deab4ae4087e3a5918e891a2b73f5cbbed
---
 roles/ssh_conf_hardening/tasks/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/ssh_conf_hardening/tasks/main.yaml b/roles/ssh_conf_hardening/tasks/main.yaml
index cfc4425..66d4bce 100644
--- a/roles/ssh_conf_hardening/tasks/main.yaml
+++ b/roles/ssh_conf_hardening/tasks/main.yaml
@@ -150,10 +150,10 @@
 regexp: '[\s]*ClientAliveCountMax'
 values: "ClientAliveCountMax 0\n"
-- name: "Limit logins to members of {{ users['admin_user_name'] }} group"
+- name: "Limit logins to members of admin, keystone, and ironic groups"
 ssh_conf:
 regexp: '[\s]*AllowGroups'
- values: "AllowGroups {{ users['admin_user_name'] }}\n"
+ values: "AllowGroups {{ users['admin_user_name'] }} {{ keystone_system_group_name |default('keystone') }} {{ ironic_system_group_name | default('ironic') }}\n"
 - name: "Disable SSH Support for User Known Hosts"
 ssh_conf:
-- 2.16.6
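Review bot: The new `AllowGroups` value on the `+ values:` line lets every member of the keystone and ironic groups pass sshd's group filter on each host where this hardening role runs, and ironic is included without a stated need (the commit message says "optimistically"). Because both names fall back to literal defaults, a group named `ironic` that appears later for any other reason would be accepted for SSH login without this role changing. I would drop ironic until a playbook actually requires it, e.g. `values: "AllowGroups {{ users['admin_user_name'] }} {{ keystone_system_group_name | default('keystone') }}\n"`, and add a comment above the task such as `# keystone is a service account; SSH login is required by the deployment playbooks - review before adding further groups`. The task name also hard-codes "admin, keystone, and ironic" while the value is templated, so it can misstate the effective groups when the variables are overridden. The `|default` spacing also differs from `| default` later on the same line.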