aboutsummaryrefslogtreecommitdiff
path: root/templates/sshd_config
AgeCommit message (Collapse)Author
2016-11-20Add sshd_config template for Debian Stretch.bertagaz
2015-11-03[feat] [feat] Support missing ubuntu releasesvarac
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
2015-10-09Merge branch 'disable_debian_banner' into 'master' Jerome Charaoui
disable the debian/ubuntu package version from being sent to clients dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros. See merge request !17
2015-09-11choose better MAC for squeeze and wheezyMatt Taggart
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
2015-06-08Facter values changed in 2.x for XenServerJerome Charaoui
2015-05-22disable the debian/ubuntu package version from being sent to clientsMatt Taggart
2015-05-13sync LoginGraceTime with debian defaultsAntoine Beaupré
2015-05-07Adjust variable lookup in templates to silence deprecation warnings, fixes #1Jerome Charaoui
2015-05-04Implement enhanced MAC (Message Authentication Codes) according toMicah Anderson
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
2015-05-04Implement enhanced symmetric cipher selection, based onMicah Anderson
https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed
2015-05-04Implement KexAlgorithms settings, based on Key exchange section ofMicah Anderson
https://stribika.github.io/2015/01/04/secure-secure-shell.html Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them.
2015-05-04Change 'hardened_ssl' paramter to simply 'hardened', this makes moreMicah Anderson
sense in general
2015-05-01remove Debian Lenny supportMicah Anderson
2015-04-17Merge remote-tracking branch 'micah/remove_etch' into sharedAntoine Beaupré
Conflicts: templates/sshd_config/Debian_etch.erb
2015-04-17Merge branch 'hostkey_type' into 'master'Antoine Beaupré
Hostkey type This is the pull request associated with: https://labs.riseup.net/code/issues/8285 See merge request !6
2015-04-17remove etch supportMicah Anderson
2015-01-22Add RedHat_xenenterprise template symlinkJerome Charaoui
2014-11-21Add a $hostkey_type variable that allows you to set which hostkeyMicah Anderson
types you want to support in your sshd_config. We use the ssh_version fact to determine the default hostkey types. Only enable rsa and ed25519 for ssh versions greater or equal to 6.5, otherwise enable rsa and dsa. Some distributions, such as debian, also enable ecdsa as a hostkey type, but this is a known bad NIST curve, so we do not enable that by default (thus deviating from the stock sshd config)
2014-11-21Merge remote-tracking branch 'tails/feature/jessie-and-sid-templates'Micah Anderson
2014-11-01Merge remote-tracking branch 'immerda/master'Micah Anderson
2014-11-01Revert "get ecdsa host keys in Debian Wheezy"Micah Anderson
This reverts commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6. These shitty NIST curves are no good
2014-09-17Copy the Debian sid template to a new one for Jessie.intrigeri
Another option could be to symlink it, but the freeze is coming soon, so most likely they'll start to diverge at some point.
2014-09-17Resynchronize Debian sid template with the configuration file currently ↵intrigeri
shipped by the package.
2014-08-15move to os release number on centos for selectionmh
2014-06-10Merge remote-tracking branch 'shared/master'mh
Conflicts: manifests/init.pp
2013-11-29unify centos sshd config and update it to latest upstreammh
2013-11-08get ecdsa host keys in Debian Wheezykwadronaut
2013-01-02Merge commit '42fce2a4576dd97a270d4d875531b39920655edb'mh
2013-01-02Merge remote-tracking branch 'shared/master'mh
2012-11-07added Ubuntu precise supportnadir
2012-08-26fix variable namemh
2012-06-18correct variable namingmh
2012-06-08recmkdir is gonemh
2012-06-05new style for 2.7mh
2012-02-03Adding sshd_config for oneiricSilvio Rhatto
2011-07-21Adding PrintMotd parameter to all templates and setting per-distro default valueSilvio Rhatto
2011-07-16Enable $ssh_hardened_ssl for FreeBSDGabriel Filion
It is the only sshd_config template that didn't have this option, so copy it from the other templates. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-14Updating FreeBSD template for new sshd_ports variableSilvio Rhatto
2011-07-13Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the jobSilvio Rhatto
2011-07-13Merge branch 'master' of git://labs.riseup.net/shared-sshdSilvio Rhatto
2011-06-21Merge remote-tracking branch 'lelutin/freebsd'Micah Anderson
2011-06-21Merge branch 'feature/debian_wheezy'intrigeri
2011-06-21Add sshd_config template for Debian Wheezy.intrigeri
Currently, this is a symlink to the Debian sid's one, which I've recently resync'd. Once Wheezy is frozen, we'll want to fork its own template.
2011-06-21New opt-in support to only use strong SSL ciphers and MACs.intrigeri
The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git.
2011-02-23Changing strong cipher to aes128-crtSilvio Rhatto
2011-02-23Adding sshd_use_strong_ciphers to all sshd_config templatesSilvio Rhatto
2011-02-23Changing parameter name sshd_perfect_forward_secrecy to ↵Silvio Rhatto
sshd_use_strong_ciphers as sshd already does PFS
2011-02-22Merge remote-tracking branch 'lelutin/ubuntu'Micah Anderson
2011-02-21FreeBSD: Use variables for the Kerberos optionsGabriel Filion
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-02-21remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config ↵Micah Anderson
templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used