Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
Add sshd_config template for Debian Stretch.
See merge request !22
|
|
|
|
masterless setup
|
|
|
|
|
|
Conflicts:
README
templates/sshd_config/CentOS.erb
templates/sshd_config/CentOS_Final.erb
templates/sshd_config/Debian_etch.erb
templates/sshd_config/Debian_jessie.erb
templates/sshd_config/Debian_sid.erb
templates/sshd_config/Debian_squeeze.erb
templates/sshd_config/Debian_wheezy.erb
templates/sshd_config/Ubuntu_trusty.erb
|
|
[feat] [feat] Support missing ubuntu releases
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
See merge request !20
|
|
|
|
[feat] Optinally disable exported resources
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
See merge request !21
|
|
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
|
|
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
|
|
|
|
autossh support
this series of commits adds support for autossh, to automatically create a tunnel with port forwarding.
we use this to login to *really* remote servers reliably, behind multiple NATs and satellite connexions.
it rocks.
See merge request !18
|
|
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
See merge request !17
|
|
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
See merge request !19
|
|
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
|
|
this is important to make it easier to guess the ssh port from the
central server.
we rely on ServerAliveInterval instead to reconnect when we lose the
server.
this was unintentionally removed in november 2012 in the isuma-autossh
package, saying it was "not supported everywhere" and due to some
confusion about the defaults (defaults are to *enable* the port). see
commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
|
|
|
|
not sure what this was for, but it was in the original implementation
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
puppet-lint complains about "selector inside resource"
This reverts commit f3c0115743cab9d4e6c08b654b67631566572d41.
|
|
|
|
|
|
|
|
sync LoginGraceTime with debian defaults
for some reason this was 10 minutes in our module, yet 120s everywhere else.
and only in wheezy too, wtf...
See merge request !13
|
|
add override_builtin parameter to handle the common authorized_key directory case
riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
See merge request !15
|
|
case
|
|
|
|
|
|
Adjust variable lookup in templates to silence deprecation warnings, fixes #1
See merge request !12
|
|
|
|
Enhance hardened
This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible
See merge request !10
|
|
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
|
|
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
|
|
sense in general
|
|
remove Debian Lenny support
See merge request !8
|
|
|