Age | Commit message (Collapse) | Author |
|
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
|
|
autossh support
this series of commits adds support for autossh, to automatically create a tunnel with port forwarding.
we use this to login to *really* remote servers reliably, behind multiple NATs and satellite connexions.
it rocks.
See merge request !18
|
|
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
See merge request !17
|
|
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
See merge request !19
|
|
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
|
|
this is important to make it easier to guess the ssh port from the
central server.
we rely on ServerAliveInterval instead to reconnect when we lose the
server.
this was unintentionally removed in november 2012 in the isuma-autossh
package, saying it was "not supported everywhere" and due to some
confusion about the defaults (defaults are to *enable* the port). see
commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
|
|
|
|
not sure what this was for, but it was in the original implementation
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
puppet-lint complains about "selector inside resource"
This reverts commit f3c0115743cab9d4e6c08b654b67631566572d41.
|
|
|
|
|
|
|
|
sync LoginGraceTime with debian defaults
for some reason this was 10 minutes in our module, yet 120s everywhere else.
and only in wheezy too, wtf...
See merge request !13
|
|
add override_builtin parameter to handle the common authorized_key directory case
riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
See merge request !15
|
|
case
|
|
|
|
Adjust variable lookup in templates to silence deprecation warnings, fixes #1
See merge request !12
|
|
|
|
Enhance hardened
This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible
See merge request !10
|
|
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
|
|
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
|
|
sense in general
|
|
remove Debian Lenny support
See merge request !8
|
|
|
|
Conflicts:
templates/sshd_config/Debian_etch.erb
|
|
Hostkey type
This is the pull request associated with: https://labs.riseup.net/code/issues/8285
See merge request !6
|
|
|
|
|
|
its puppet 3 or puppet 2
|
|
sure we are only parsing the expected string
|
|
Document nagios custom logic
Add some note for ppl who need to inject their own logic before creating nagios-related checks.
See merge request !5
|
|
Some people might want to inject their own logic before including nagios
resources. We can explain that since the nagios resources are in their
own part of the manifests, they can shortcut the module's automatic
handling of it, and call it manually from their own manifests.
|
|
|
|
Add RedHat_xenenterprise template symlink
See merge request !4
|
|
|
|
Fix for Debian squeeze and ssh_keygen for Puppet < 3 installs
Facter versions that are shipping in Debian squeeze and wheezy do not support the operatingsystemmajrelease core fact, which appears only from facter 1.7 onwards.
This isn't a big problem for wheezy since the openssh-server version it ships supports multiple AuthorizedKeysFile file paths,
On Debian squeeze, openssh-server does NOT support multuple AuthorizedKeysFile and will refuse to start with such a definition.
ALSO:
`ssh_keygen` is currently broken for Puppet 2.7.x clients. This commit should resolve the issue.
The fix was suggested by @ng in reference to https://github.com/duritong/puppet-sysctl/blob/master/lib/puppet/provider/sysctl_runtime/sysctl_runtime.rb#L16-L17
See merge request !3
|
|
|
|
(they ship facter 1.6.x)
|
|
types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
|