Micah [Mon, 9 Nov 2015 15:05:48 +0000 (15:05 +0000)]
Merge branch 'disable_stored_config' into 'master'
[feat] Optinally disable exported resources
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
varac [Mon, 9 Nov 2015 09:22:58 +0000 (10:22 +0100)]
[feat] Optinally disable exported resources
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
Jerome Charaoui [Fri, 9 Oct 2015 17:23:30 +0000 (17:23 +0000)]
Merge branch 'disable_debian_banner' into 'master'
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
Micah [Tue, 6 Oct 2015 17:53:48 +0000 (17:53 +0000)]
Merge branch 'master' into 'master'
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
Matt Taggart [Fri, 11 Sep 2015 23:01:02 +0000 (16:01 -0700)]
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
Antoine Beaupré [Thu, 18 Jun 2015 21:01:01 +0000 (17:01 -0400)]
disable autossh control port
this is important to make it easier to guess the ssh port from the
central server.
we rely on ServerAliveInterval instead to reconnect when we lose the
server.
this was unintentionally removed in november 2012 in the isuma-autossh
package, saying it was "not supported everywhere" and due to some
confusion about the defaults (defaults are to *enable* the port). see
commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
Jerome Charaoui [Wed, 20 May 2015 23:29:00 +0000 (23:29 +0000)]
Merge branch 'master' into 'master'
add override_builtin parameter to handle the common authorized_key directory case
riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
Micah Anderson [Fri, 1 May 2015 18:00:56 +0000 (14:00 -0400)]
Implement enhanced MAC (Message Authentication Codes) according to
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
Micah Anderson [Fri, 1 May 2015 17:57:37 +0000 (13:57 -0400)]
Implement enhanced symmetric cipher selection, based on
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
Micah Anderson [Fri, 1 May 2015 17:48:19 +0000 (13:48 -0400)]
Implement KexAlgorithms settings, based on Key exchange section of
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
Gabriel Filion [Fri, 20 Feb 2015 22:27:06 +0000 (17:27 -0500)]
README: mention how one could reuse nagios resources with their own logic
Some people might want to inject their own logic before including nagios
resources. We can explain that since the nagios resources are in their
own part of the manifests, they can shortcut the module's automatic
handling of it, and call it manually from their own manifests.
ng [Sat, 17 Jan 2015 09:52:07 +0000 (09:52 +0000)]
Merge branch 'master' into 'master'
Fix for Debian squeeze and ssh_keygen for Puppet < 3 installs
Facter versions that are shipping in Debian squeeze and wheezy do not support the operatingsystemmajrelease core fact, which appears only from facter 1.7 onwards.
This isn't a big problem for wheezy since the openssh-server version it ships supports multiple AuthorizedKeysFile file paths,
On Debian squeeze, openssh-server does NOT support multuple AuthorizedKeysFile and will refuse to start with such a definition.
ALSO:
`ssh_keygen` is currently broken for Puppet 2.7.x clients. This commit should resolve the issue.
The fix was suggested by @ng in reference to https://github.com/duritong/puppet-sysctl/blob/master/lib/puppet/provider/sysctl_runtime/sysctl_runtime.rb#L16-L17
Micah Anderson [Fri, 21 Nov 2014 23:19:07 +0000 (18:19 -0500)]
Add a $hostkey_type variable that allows you to set which hostkey
types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
projects / puppet-sshd.git / log