aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-06-05Changes for puppet 4 compatibilitySilvio Rhatto
2017-06-05Merge branch 'master' into developSilvio Rhatto
2017-06-05Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshdHEADmasterSilvio Rhatto
2017-01-23Merge branch 'feature/stretch' into 'master' Micah
Add sshd_config template for Debian Stretch. See merge request !22
2016-11-20Add sshd_config template for Debian Stretch.bertagaz
2016-03-22Move storedconfig code to separate files, trying to avoid warnings on ↵productionSilvio Rhatto
masterless setup
2016-03-21Fact ::ssh_version not being evaluated in templates at wheezy and trustySilvio Rhatto
2016-03-19Only collect ssh keys if storedconfigs are setSilvio Rhatto
2016-03-19Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshdSilvio Rhatto
Conflicts: README templates/sshd_config/CentOS.erb templates/sshd_config/CentOS_Final.erb templates/sshd_config/Debian_etch.erb templates/sshd_config/Debian_jessie.erb templates/sshd_config/Debian_sid.erb templates/sshd_config/Debian_squeeze.erb templates/sshd_config/Debian_wheezy.erb templates/sshd_config/Ubuntu_trusty.erb
2015-11-21Merge branch 'support_missing_ubuntu_releases' into 'master' ng
[feat] [feat] Support missing ubuntu releases Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release See merge request !20
2015-11-09[bug] Fix typo for including sshkey classvarac
2015-11-09Merge branch 'disable_stored_config' into 'master' Micah
[feat] Optinally disable exported resources If run masterless, we cannot export resources, so we move them to an own class. Including it can be disabled by passing "use_storedconfig" to the sshd class. See merge request !21
2015-11-09[feat] Optinally disable exported resourcesvarac
If run masterless, we cannot export resources, so we move them to an own class. Including it can be disabled by passing "use_storedconfig" to the sshd class.
2015-11-03[feat] [feat] Support missing ubuntu releasesvarac
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
2015-10-19Ubuntu trusty configSilvio Rhatto
2015-10-09Merge branch 'autossh' into 'master' Micah
autossh support this series of commits adds support for autossh, to automatically create a tunnel with port forwarding. we use this to login to *really* remote servers reliably, behind multiple NATs and satellite connexions. it rocks. See merge request !18
2015-10-09Merge branch 'disable_debian_banner' into 'master' Jerome Charaoui
disable the debian/ubuntu package version from being sent to clients dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros. See merge request !17
2015-10-06Merge branch 'master' into 'master' Micah
choose better MAC for squeeze and wheezy both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more. See merge request !19
2015-09-11choose better MAC for squeeze and wheezyMatt Taggart
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
2015-06-18disable autossh control portAntoine Beaupré
this is important to make it easier to guess the ssh port from the central server. we rely on ServerAliveInterval instead to reconnect when we lose the server. this was unintentionally removed in november 2012 in the isuma-autossh package, saying it was "not supported everywhere" and due to some confusion about the defaults (defaults are to *enable* the port). see commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
2015-06-18make autossh fork properlyAntoine Beaupré
2015-06-18implement autossh reloadAntoine Beaupré
not sure what this was for, but it was in the original implementation
2015-06-18properly implement daemonAntoine Beaupré
2015-06-18allow customizing userAntoine Beaupré
2015-06-18try to avoid conflicting with the isuma-local-servers packageAntoine Beaupré
2015-06-18rewrite autossh startup script with dh_make templateAntoine Beaupré
2015-06-18remove traces of isuma vendorAntoine Beaupré
2015-06-18import from autossh packageAntoine Beaupré
2015-06-08Facter values changed in 2.x for XenServerJerome Charaoui
2015-05-22disable the debian/ubuntu package version from being sent to clientsMatt Taggart
2015-05-21Add newline to ssh_authorized_key file contentJerome Charaoui
2015-05-21Simplify ssh_authorized_keyJerome Charaoui
2015-05-21Revert "Simplify ssh_authorized_key"Jerome Charaoui
puppet-lint complains about "selector inside resource" This reverts commit f3c0115743cab9d4e6c08b654b67631566572d41.
2015-05-21Simplify ssh_authorized_keyJerome Charaoui
2015-05-21Add header to ssh_authorized_key when override_builting = 1Jerome Charaoui
2015-05-21Fix invalid single quotes around variablesJerome Charaoui
2015-05-20Merge branch 'debian-login-grace' into 'master'Jerome Charaoui
sync LoginGraceTime with debian defaults for some reason this was 10 minutes in our module, yet 120s everywhere else. and only in wheezy too, wtf... See merge request !13
2015-05-20Merge branch 'master' into 'master'Jerome Charaoui
add override_builtin parameter to handle the common authorized_key directory case riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code. See merge request !15
2015-05-20add override_builtin parameter to handle the common authorized_key directory ↵Matt Taggart
case
2015-05-15add jessie config templatedb
2015-05-13sync LoginGraceTime with debian defaultsAntoine Beaupré
2015-05-07Merge branch 'fix_lookupvar' into 'master'Micah
Adjust variable lookup in templates to silence deprecation warnings, fixes #1 See merge request !12
2015-05-07Adjust variable lookup in templates to silence deprecation warnings, fixes #1Jerome Charaoui
2015-05-07Merge branch 'enhance_hardened' into 'master'Jerome Charaoui
Enhance hardened This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible See merge request !10
2015-05-04Implement enhanced MAC (Message Authentication Codes) according toMicah Anderson
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
2015-05-04Implement enhanced symmetric cipher selection, based onMicah Anderson
https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed
2015-05-04Implement KexAlgorithms settings, based on Key exchange section ofMicah Anderson
https://stribika.github.io/2015/01/04/secure-secure-shell.html Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them.
2015-05-04Change 'hardened_ssl' paramter to simply 'hardened', this makes moreMicah Anderson
sense in general
2015-05-04Merge branch 'remove_lenny' into 'master'Jerome Charaoui
remove Debian Lenny support See merge request !8
2015-05-01remove Debian Lenny supportMicah Anderson