Age | Commit message | Author
2015-11-09 | [feat] Optionally disable exported resources | varac
    If run masterless, we cannot export resources, so we move them to an own class. Including it can be disabled by passing "use_storedconfig" to the sshd class.
2015-10-09 | Merge branch 'autossh' into 'master' | Micah
    autossh support
    this series of commits adds support for autossh, to automatically create a tunnel with port forwarding. we use this to login to *really* remote servers reliably, behind multiple NATs and satellite connections. it rocks.
    See merge request !18
2015-10-09 | Merge branch 'disable_debian_banner' into 'master' | Jerome Charaoui
    disable the debian/ubuntu package version from being sent to clients
    dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
    See merge request !17
2015-10-06 | Merge branch 'master' into 'master' | Micah
    choose better MAC for squeeze and wheezy
    both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
    See merge request !19
2015-09-11 | choose better MAC for squeeze and wheezy | Matt Taggart
    both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
2015-06-18 | disable autossh control port | Antoine Beaupré
    this is important to make it easier to guess the ssh port from the central server. we rely on ServerAliveInterval instead to reconnect when we lose the server. this was unintentionally removed in november 2012 in the isuma-autossh package, saying it was "not supported everywhere" and due to some confusion about the defaults (defaults are to *enable* the port). see commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
2015-06-18 | make autossh fork properly | Antoine Beaupré
2015-06-18 | implement autossh reload | Antoine Beaupré
    not sure what this was for, but it was in the original implementation
2015-06-18 | properly implement daemon | Antoine Beaupré
2015-06-18 | allow customizing user | Antoine Beaupré
2015-06-18 | try to avoid conflicting with the isuma-local-servers package | Antoine Beaupré
2015-06-18 | rewrite autossh startup script with dh_make template | Antoine Beaupré
2015-06-18 | remove traces of isuma vendor | Antoine Beaupré
2015-06-18 | import from autossh package | Antoine Beaupré
2015-06-08 | Facter values changed in 2.x for XenServer | Jerome Charaoui
2015-05-22 | disable the debian/ubuntu package version from being sent to clients | Matt Taggart
2015-05-21 | Add newline to ssh_authorized_key file content | Jerome Charaoui
2015-05-21 | Simplify ssh_authorized_key | Jerome Charaoui
2015-05-21 | Revert "Simplify ssh_authorized_key" | Jerome Charaoui
    puppet-lint complains about "selector inside resource"
    This reverts commit f3c0115743cab9d4e6c08b654b67631566572d41.
2015-05-21 | Simplify ssh_authorized_key | Jerome Charaoui
2015-05-21 | Add header to ssh_authorized_key when override_builtin = 1 | Jerome Charaoui
2015-05-21 | Fix invalid single quotes around variables | Jerome Charaoui
2015-05-20 | Merge branch 'debian-login-grace' into 'master' | Jerome Charaoui
    sync LoginGraceTime with debian defaults
    for some reason this was 10 minutes in our module, yet 120s everywhere else. and only in wheezy too, wtf...
    See merge request !13
2015-05-20 | Merge branch 'master' into 'master' | Jerome Charaoui
    add override_builtin parameter to handle the common authorized_key directory case
    riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
    See merge request !15
2015-05-20 | add override_builtin parameter to handle the common authorized_key directory case | Matt Taggart
2015-05-13 | sync LoginGraceTime with debian defaults | Antoine Beaupré
2015-05-07 | Merge branch 'fix_lookupvar' into 'master' | Micah
    Adjust variable lookup in templates to silence deprecation warnings, fixes #1
    See merge request !12
2015-05-07 | Adjust variable lookup in templates to silence deprecation warnings, fixes #1 | Jerome Charaoui
2015-05-07 | Merge branch 'enhance_hardened' into 'master' | Jerome Charaoui
    Enhance hardened
    This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible
    See merge request !10
2015-05-04 | Implement enhanced MAC (Message Authentication Codes) according to installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html | Micah Anderson
2015-05-04 | Implement enhanced symmetric cipher selection, based on https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed | Micah Anderson
2015-05-04 | Implement KexAlgorithms settings, based on Key exchange section of https://stribika.github.io/2015/01/04/secure-secure-shell.html | Micah Anderson
    Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them.
2015-05-04 | Change 'hardened_ssl' parameter to simply 'hardened', this makes more sense in general | Micah Anderson
2015-05-04 | Merge branch 'remove_lenny' into 'master' | Jerome Charaoui
    remove Debian Lenny support
    See merge request !8
2015-05-01 | remove Debian Lenny support | Micah Anderson
2015-04-17 | Merge remote-tracking branch 'micah/remove_etch' into shared | Antoine Beaupré
    Conflicts: templates/sshd_config/Debian_etch.erb
2015-04-17 | Merge branch 'hostkey_type' into 'master' | Antoine Beaupré
    Hostkey type
    This is the pull request associated with: https://labs.riseup.net/code/issues/8285
    See merge request !6
2015-04-17 | remove etch support | Micah Anderson
2015-04-17 | Add GPLv3 license | Micah Anderson
2015-03-27 | change the ssh_keygen function to use different methods depending on if it's puppet 3 or puppet 2 | Micah Anderson
2015-03-27 | Given that ssh -V prints the info we want on stderr, made it so we are 100% sure we are only parsing the expected string | Micah Anderson
2015-03-02 | Merge branch 'document_nagios_custom_logic' into 'master' | Jerome Charaoui
    Document nagios custom logic
    Add some note for ppl who need to inject their own logic before creating nagios-related checks.
    See merge request !5
2015-02-20 | README: mention how one could reuse nagios resources with their own logic | Gabriel Filion
    Some people might want to inject their own logic before including nagios resources. We can explain that since the nagios resources are in their own part of the manifests, they can shortcut the module's automatic handling of it, and call it manually from their own manifests.
2015-02-20 | README: Change project URL to point at the new one | Gabriel Filion
2015-02-20 | Merge branch 'master' into 'master' | LeLutin
    Add RedHat_xenenterprise template symlink
    See merge request !4
2015-01-22 | Add RedHat_xenenterprise template symlink | Jerome Charaoui
2015-01-17 | Merge branch 'master' into 'master' | ng
    Fix for Debian squeeze and ssh_keygen for Puppet < 3 installs
    Facter versions that are shipping in Debian squeeze and wheezy do not support the operatingsystemmajrelease core fact, which appears only from facter 1.7 onwards. This isn't a big problem for wheezy since the openssh-server version it ships supports multiple AuthorizedKeysFile file paths. On Debian squeeze, openssh-server does NOT support multiple AuthorizedKeysFile and will refuse to start with such a definition.
    ALSO: `ssh_keygen` is currently broken for Puppet 2.7.x clients. This commit should resolve the issue. The fix was suggested by @ng in reference to https://github.com/duritong/puppet-sysctl/blob/master/lib/puppet/provider/sysctl_runtime/sysctl_runtime.rb#L16-L17
    See merge request !3
2015-01-15 | Fix ssh_keygen for Puppet < 3 installs | Jerome Charaoui
2015-01-15 | Debian squeeze and wheezy do not support the operatingsystemmajrelease fact (they ship facter 1.6.x) | Jerome Charaoui
2014-11-21 | Add a $hostkey_type variable that allows you to set which hostkey types you want to support in your sshd_config. | Micah Anderson
    We use the ssh_version fact to determine the default hostkey types. Only enable rsa and ed25519 for ssh versions greater than or equal to 6.5, otherwise enable rsa and dsa. Some distributions, such as debian, also enable ecdsa as a hostkey type, but this is a known bad NIST curve, so we do not enable that by default (thus deviating from the stock sshd config)
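The two pieces of logic in the log above, parsing the version only from the expected `ssh -V` stderr banner (2015-03-27 commit) and picking default hostkey types by version (2014-11-21 commit), as an added Ruby example that is not the module's own code. The function names and the sample banner strings are constructed for this example; it uses a proper version comparison so that a hypothetical 6.10 still sorts above 6.5.

```ruby
# Added example (not from the puppet ssh module): version-gated hostkey defaults.
require "rubygems" # provides Gem::Version for correct "6.10" > "6.5" ordering

# `ssh -V` prints its banner on stderr, e.g. (constructed sample)
# "OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 15 Jan 2015".
# Only a leading "OpenSSH_<major>.<minor>" token is accepted; anything
# else (a shell error, an unrelated program) is rejected rather than guessed.
def parse_ssh_version(stderr_text)
  m = /\AOpenSSH_(\d+\.\d+)/.match(stderr_text.to_s.strip)
  raise ArgumentError, "unexpected ssh -V output: #{stderr_text.inspect}" unless m
  m[1]
end

# rsa + ed25519 from OpenSSH 6.5 onwards, rsa + dsa before that.
# ecdsa is deliberately never part of the default list (see the commit message).
def default_hostkey_types(ssh_version)
  if Gem::Version.new(ssh_version) >= Gem::Version.new("6.5")
    %w[rsa ed25519]
  else
    %w[rsa dsa]
  end
end

# Render the HostKey lines that would go into sshd_config for the chosen types.
# The /etc/ssh/ssh_host_<type>_key path is the conventional OpenSSH location.
def hostkey_config(types)
  types.map { |t| "HostKey /etc/ssh/ssh_host_#{t}_key" }.join("\n")
end

if __FILE__ == $0
  # Constructed banners standing in for the output of `ssh -V 2>&1` on
  # a squeeze host, a jessie host, and a host where ssh is missing.
  ["OpenSSH_5.5p1 Debian-6+squeeze6, OpenSSL 0.9.8o 01 Jun 2010",
   "OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 15 Jan 2015",
   "sh: ssh: command not found"].each do |banner|
    begin
      v = parse_ssh_version(banner)
      puts "#{v}:\n#{hostkey_config(default_hostkey_types(v))}"
    rescue ArgumentError => e
      puts "skipped: #{e.message}"
    end
  end
end
```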