Age | Commit message (Collapse) | Author |
|
Hostkey type
This is the pull request associated with: https://labs.riseup.net/code/issues/8285
See merge request !6
|
|
|
|
types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
|
|
|
|
|
|
This reverts commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6.
These shitty NIST curves are no good
|
|
Another option could be to symlink it, but the freeze is coming soon, so most
likely they'll start to diverge at some point.
|
|
shipped by the package.
|
|
|
|
Conflicts:
manifests/init.pp
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
It is the only sshd_config template that didn't have this option, so
copy it from the other templates.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
Currently, this is a symlink to the Debian sid's one, which I've recently
resync'd. Once Wheezy is frozen, we'll want to fork its own template.
|
|
The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.
|
|
|
|
|
|
sshd_use_strong_ciphers as sshd already does PFS
|
|
|
|
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
|
|
templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used
|
|
Currently, the only difference is LoginGraceTime, that defaults to 600 in sid.
|
|
|
|
|
|
Conflicts:
templates/sshd_config/Debian_squeeze.erb
|
|
Conflicts:
templates/sshd_config/Debian_squeeze.erb
I always picked the shared repository version when conflicts arose.
The only exception to this rule was:
I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order
to be consistent with existing Etch and Lenny templates.
This is not the default Debian setting, but I would find it weird if a host
had this setting changed by Puppet after upgrading to Squeeze.
The right way to proceed would probably be to make this configurable.
|
|
|
|
|
|
The sshd class currently has a mechanism to make resources for Ubuntu
similar to the ones for Debian, but the sshd::client class doesn't.
Also, There are no templates for sshd_config on Ubuntu so provide for
them. Since Ubuntu releases almost all use ssh versions that are as
recent as the Debian squeeze one, and the default sshd_config file is
usually the same as on Debian, add a default (Ubuntu.erb) template so
that it fits all Ubuntu releases.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
|
|
Debian's unstable branch currently has no template for sshd_config, and
thus cannot use the sshd class.
Add a template for Debian sid.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
|
|
This value was hardcoded in both the Debian lenny and etch templates.
The lenny template was fixed with commit 167cf532711ac88 but the etch
template was left out.
Fix the etch template so that the ChallengeResponseAuthentication
instruction is not overridden.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
|
|
Since there is no "catch-all" default configuration file for sshd, we
need to add for each OS.
Add a template for FreeBSD so that sshd can be configured on this OS.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
|
|
|
|
|
|
option, even though it is listed in the man page, and commented out in the default config file. I filed a bug with debian (#607238)
|
|
Lenny sshd_config template, even though we offer it as a variable. With this commit, the variable will actually work, rather than be overriden
|