From c21ec94066155d90bc2fbb432727351a3cf647be Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Fri, 4 Jul 2014 10:48:12 -0700
Subject: [PATCH] Fix the sshd config to for inbound ansible

The ssh keys were changed to not tie to a forced-command, but the sshd config was missed.

Change-Id: I889f7983d0e7d0e1b48d825c7d63cf678782d169
---
 modules/ssh/templates/sshd_config.erb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 104c4485bd..7c72024fd6 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -23,7 +23,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin forced-commands-only
+PermitRootLogin no
 StrictModes yes
 
 RSAAuthentication yes
@@ -84,3 +84,10 @@ Subsystem sftp <%= scope.lookupvar('::ssh::params::sftp_path') %>
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
+
+# allow ansible connections from puppetmaster host
+Match host ci-puppetmaster.openstack.org
+ PermitRootLogin without-password
+
+Match host puppetmaster.openstack.org
+ PermitRootLogin without-password
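Review bot: `PermitRootLogin no` in the Authentication section now reads as if root login were disabled for every client, while the Match blocks this commit adds at the end of the file re-enable it for two hosts. A comment on the line above would keep someone auditing the file from stopping at the global value, e.g. `# root login is re-enabled per host by the Match blocks at the end of this file`.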
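Review bot: The two `Match host` blocks at the end of the file make the root-login exception depend on DNS, because sshd compares a hostname pattern with the client name it obtains from a reverse lookup; if the template sets `UseDNS no` (not visible in this hunk), hostname patterns cannot match and the exception would not apply at all. Matching on fixed addresses removes that dependency, for example `Match Address <puppetmaster address>,<ci-puppetmaster address>` with the real addresses filled in, which also folds the two identical blocks into one. Since the commit message says the keys are no longer tied to a forced command, `without-password` now allows an unrestricted root session by key from these hosts, so a `from=` restriction on the corresponding authorized_keys entries would be a useful second check. A comment such as `# keep Match blocks last: directives added below apply only inside the final Match` would also help later editors of this template.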