opuppet/module-sshd
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
344 commits 2 branches 0 tags 297 KiB
Commit graph

91 commits

Author SHA1 Message Date
varac
d5f7c33df5 [feat] [feat] Support missing ubuntu releases 
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
 2015-11-03 13:53:56 +01:00
Jerome Charaoui
571373e081 Merge branch 'disable_debian_banner' into 'master' 
disable the debian/ubuntu package version from being sent to clients

dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.

See merge request !17
 2015-10-09 17:23:30 +00:00
Matt Taggart
8acb349e8b choose better MAC for squeeze and wheezy 
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
 2015-09-11 16:01:02 -07:00
Jerome Charaoui
abd504a5f4 Facter values changed in 2.x for XenServer 2015-06-08 14:08:59 -04:00
Matt Taggart
b682edaae3 disable the debian/ubuntu package version from being sent to clients 2015-05-22 16:37:03 -07:00
Antoine Beaupré
d00986b0e0 sync LoginGraceTime with debian defaults 2015-05-13 16:20:24 -04:00
Jerome Charaoui
ac6e09ecde Adjust variable lookup in templates to silence deprecation warnings, fixes #1 2015-05-07 11:34:07 -04:00
Micah Anderson
e4a9c15987 Implement enhanced MAC (Message Authentication Codes) according to 
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
 2015-05-04 15:42:26 -04:00
Micah Anderson
1402e67b21 Implement enhanced symmetric cipher selection, based on 
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
 2015-05-04 15:42:26 -04:00
Micah Anderson
430c48200e Implement KexAlgorithms settings, based on Key exchange section of 
https://stribika.github.io/2015/01/04/secure-secure-shell.html

Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
 2015-05-04 15:42:26 -04:00
Micah Anderson
fd82841c1f Change 'hardened_ssl' paramter to simply 'hardened', this makes more 
sense in general
 2015-05-04 15:42:26 -04:00
Micah Anderson
42d4597ca9 remove Debian Lenny support 2015-05-01 12:49:37 -04:00
Antoine Beaupré
e9596d0f6d Merge remote-tracking branch 'micah/remove_etch' into shared 
Conflicts:
	templates/sshd_config/Debian_etch.erb
 2015-04-17 14:47:03 -04:00
Antoine Beaupré
d4923b2c3a Merge branch 'hostkey_type' into 'master' 
Hostkey type

This is the pull request associated with: https://labs.riseup.net/code/issues/8285

See merge request !6
 2015-04-17 18:43:16 +00:00
Micah Anderson
e2cad38276 remove etch support 2015-04-17 13:58:03 -04:00
Jerome Charaoui
62fe7c25f4 Add RedHat_xenenterprise template symlink 2015-01-22 11:20:49 -05:00
Micah Anderson
d78749fd8f Add a $hostkey_type variable that allows you to set which hostkey 
types you want to support in your sshd_config.

We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.

Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
 2014-11-21 21:20:29 -05:00
Micah Anderson
ae9cf81188 Merge remote-tracking branch 'tails/feature/jessie-and-sid-templates' 2014-11-21 16:46:09 -05:00
Micah Anderson
4652fbcae0 Merge remote-tracking branch 'immerda/master' 2014-11-01 10:30:37 -04:00
Micah Anderson
37bd36fe06 Revert "get ecdsa host keys in Debian Wheezy" 
This reverts commit 1eabfe1b59.

These shitty NIST curves are no good
 2014-11-01 10:29:48 -04:00
intrigeri
254d2361f5 Copy the Debian sid template to a new one for Jessie. 
Another option could be to symlink it, but the freeze is coming soon, so most
likely they'll start to diverge at some point.
 2014-09-17 20:44:12 +00:00
intrigeri
75117dd042 Resynchronize Debian sid template with the configuration file currently shipped by the package. 2014-09-17 20:43:45 +00:00
mh
1f6f568930 move to os release number on centos for selection 2014-08-15 10:22:40 +02:00
mh
cd783ad5eb Merge remote-tracking branch 'shared/master' 
Conflicts:
	manifests/init.pp
 2014-06-10 11:25:16 +02:00
mh
19218d6b02 unify centos sshd config and update it to latest upstream 2013-11-29 11:17:31 +01:00
kwadronaut
1eabfe1b59 get ecdsa host keys in Debian Wheezy 2013-11-08 21:59:25 +01:00
mh
ef73d094dc Merge commit '42fce2a4576dd97a270d4d875531b39920655edb' 2013-01-02 16:02:48 +01:00
mh
483ba331f3 Merge remote-tracking branch 'shared/master' 2013-01-02 15:53:41 +01:00
nadir
42fce2a457 added Ubuntu precise support 2012-11-07 18:17:27 +01:00
mh
ce47b742e2 fix variable name 2012-08-26 19:10:26 +02:00
mh
5b86606d59 correct variable naming 2012-06-18 17:43:48 -03:00
mh
8aab254eaa recmkdir is gone 2012-06-08 13:17:23 -03:00
mh
2204eb01f6 new style for 2.7 2012-06-05 18:23:03 -03:00
Silvio Rhatto
bd2e283ab5 Adding sshd_config for oneiric 2012-02-03 15:10:42 -02:00
Silvio Rhatto
0e9e1b6f2c Adding PrintMotd parameter to all templates and setting per-distro default value 2011-07-21 11:01:33 -03:00
Gabriel Filion
a5312442b6 Enable $ssh_hardened_ssl for FreeBSD 
It is the only sshd_config template that didn't have this option, so
copy it from the other templates.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
 2011-07-16 23:45:24 -04:00
Silvio Rhatto
b221570654 Updating FreeBSD template for new sshd_ports variable 2011-07-14 13:15:27 -03:00
Silvio Rhatto
57d8883d48 Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the job 2011-07-13 18:41:59 -03:00
Silvio Rhatto
99928cd61e Merge branch 'master' of git://labs.riseup.net/shared-sshd 2011-07-13 18:39:18 -03:00
Micah Anderson
779d27e0ae Merge remote-tracking branch 'lelutin/freebsd' 2011-06-21 11:46:42 -04:00
intrigeri
bbfc7c04ba Merge branch 'feature/debian_wheezy' 2011-06-21 00:28:44 +02:00
intrigeri
005baf59c5 Add sshd_config template for Debian Wheezy. 
Currently, this is a symlink to the Debian sid's one, which I've recently
resync'd. Once Wheezy is frozen, we'll want to fork its own template.
 2011-06-21 00:28:37 +02:00
intrigeri
34863e959f New opt-in support to only use strong SSL ciphers and MACs. 
The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.
 2011-06-21 00:27:55 +02:00
Silvio Rhatto
4d73d3784e Changing strong cipher to aes128-crt 2011-02-23 14:46:20 -03:00
Silvio Rhatto
75105d66d8 Adding sshd_use_strong_ciphers to all sshd_config templates 2011-02-23 14:40:02 -03:00
Silvio Rhatto
9ac4697eb5 Changing parameter name sshd_perfect_forward_secrecy to sshd_use_strong_ciphers as sshd already does PFS 2011-02-23 14:25:18 -03:00
Micah Anderson
af76f6cfe7 Merge remote-tracking branch 'lelutin/ubuntu' 2011-02-22 16:11:36 -05:00
Gabriel Filion
95bf6e032b FreeBSD: Use variables for the Kerberos options 
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
 2011-02-21 15:18:14 -05:00
Micah Anderson
ac240412cc remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used 2011-02-21 12:45:49 -05:00
intrigeri
c99ff17b1f Resync Debian sid template with the Squeeze's one. 
Currently, the only difference is LoginGraceTime, that defaults to 600 in sid.
 2011-02-21 18:29:25 +01:00