A default SG rule generated for every model allows 22 from 0.0.0.0/0. I'm guessing this is because we are trying to facilitate the use case for Juju deployed on a public cloud, with instances being ssh accessed from the internet and not from behind a VPN in the same address space.

A functionality which would allow users who don't want ssh open to the world to close it, either completely, or limit it to a private address space, would be very helpful (especially because Juju reverts any changes made to the SG, so I couldn't even lock down port 22 if I wanted to). Is it possible to introduce a model config param that we could use to tell Juju where to allow ssh traffic from?

Quick fix: Introduce an 'ssh-allow' param that could be used to open and close port 22 on the SG generated for the model?

Better fix: Introduce a config param 'ssh-access', where the default value is 0.0.0.0/0, which could then be modified to an address space that fits the user's security needs.

How do others feel about this?
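
An audit for the condition the message describes, added here as an example and not taken from the post or from Juju: it flags any security group rule that admits SSH from outside an allowed address space. The post does not name a cloud, so the rule layout is assumed to be the JSON that AWS `describe-security-groups` returns; the group names and CIDRs are constructed sample data, and `covers_ssh` and `ssh_violations` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the shape AWS `describe-security-groups` returns.
# Group names and CIDRs are made up for illustration.
SAMPLE_GROUPS = [
    {"GroupName": "juju-model-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupName": "juju-model-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupName": "juju-model-c", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "192.168.5.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupName": "juju-model-d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

def covers_ssh(perm):
    """True if the rule admits TCP/22 (protocol "-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def ssh_violations(groups, allowed_cidrs):
    """Return (group, source) pairs whose SSH source is outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    found = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                net = ipaddress.ip_network(src)
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
                ok = any(net.version == a.version and net.subnet_of(a)
                         for a in allowed)
                if not ok:
                    found.append((g["GroupName"], src))
    return found

if __name__ == "__main__":
    for name, src in ssh_violations(SAMPLE_GROUPS, ["10.0.0.0/8"]):
        print(f"{name}: SSH reachable from {src}")
```

An all-traffic rule and an IPv6 `::/0` source both expose port 22 even when no rule mentions the port, which is why the check does not match on `FromPort == 22` alone.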