[Qa-jenkins-scm] [jenkins.debian.net] 07/07: Add a sshd_config, based on stretch but with our config

Mattia Rizzolo mattia at debian.org
Sat Apr 7 14:55:36 UTC 2018


This is an automated email from the git hooks/post-receive script.

mattia pushed a commit to branch master
in repository jenkins.debian.net.

commit bb559740baac88dc98f9f41176cd1fbecda3faf4
Author: Mattia Rizzolo <mattia at debian.org>
Date:   Sat Apr 7 16:51:34 2018 +0200

    Add a sshd_config, based on stretch but with our config
    
    While at it, also drop the manual `sed` we were doing to change our
    config.
    
    Also, this drops the use of the DSA host key, and rejects all password
    authentication, which was in use on some hosts.
    In jenkins.d.n (the oldest node), it also enables ECC keys (I manually
    generated them).
    
    Signed-off-by: Mattia Rizzolo <mattia at debian.org>
---
 TODO4stretch-host-upgrades.txt   |  5 ---
 hosts/common/etc/ssh/sshd_config | 82 ++++++++++++++++++++++++++++++++++++++++
 update_jdn.sh                    | 11 ------
 3 files changed, 82 insertions(+), 16 deletions(-)

diff --git a/TODO4stretch-host-upgrades.txt b/TODO4stretch-host-upgrades.txt
index 42a6f45..482c017 100644
--- a/TODO4stretch-host-upgrades.txt
+++ b/TODO4stretch-host-upgrades.txt
@@ -14,8 +14,3 @@ because of:
 #866314: linux-image-4.9.0-3-686-pae: 100+ times slower disk writes on 4.x+/i386/16+RAM, compared to 3.x
 amd64 kernel was manually installed with multiarch, should go into update_jdn
 also on pb3+4+9 I had to do: sudo apt install linux-image-amd64
-
-
-to be done once all hosts run stretch: sshd_config
---------------------------------------------------
-/etc/ssh/sshd_config - the currently running one is the one from jessie, we should update_jdn to the one from stretch
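Review bot: the TODO removed here was explicitly conditioned on "once all hosts run stretch", while the lines kept just above it (pb3+4+9 needing a hand-installed amd64 kernel) show the fleet is not uniform, and the commit message says the ECC host keys had to be generated by hand on jenkins.d.n. The new hosts/common/etc/ssh/sshd_config lists ssh_host_ecdsa_key and ssh_host_ed25519_key unconditionally; on any host where one of those files is missing, sshd logs "Could not load host key" for it and carries on with the RSA key only, so it is worth stating in the commit message (or keeping a one-line TODO) that every host must have those key files, and that `sudo ssh-keygen -A` creates the missing ones before the new config is rolled out.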
diff --git a/hosts/common/etc/ssh/sshd_config b/hosts/common/etc/ssh/sshd_config
new file mode 100644
index 0000000..a362ad4
--- /dev/null
+++ b/hosts/common/etc/ssh/sshd_config
@@ -0,0 +1,82 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+#AddressFamily any
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
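Review bot: `RSAAuthentication yes`, `RhostsRSAAuthentication no` and `Protocol 2` are SSH-1-era options; the OpenSSH 7.4 in stretch no longer implements protocol 1 on the server side and reports each of them as a deprecated option when the config is parsed (also under `sshd -t`), so they should be dropped rather than carried over, and `PermitRootLogin without-password` should be written as `prohibit-password`, the canonical spelling since OpenSSH 7.0 (`without-password` survives only as an alias). Two further points on the authentication block: `AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys` keeps `~/.ssh/authorized_keys` as a second source, so a user, or anyone who obtains a shell as that user, can still add keys outside the centrally managed directory; if the point of /var/lib/misc/userkeys is central control, drop the second path. And because `StrictModes yes` applies to both paths, each file under /var/lib/misc/userkeys/ must be owned by root (or the user) and not group- or world-writable, otherwise sshd silently ignores it, which is worth a comment next to the directive.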
diff --git a/update_jdn.sh b/update_jdn.sh
index 179236e..2f6b4b3 100755
--- a/update_jdn.sh
+++ b/update_jdn.sh
@@ -165,17 +165,6 @@ users=$(for i in ${!user_host_groups[@]}; do echo ${i%,*} ; done | sort -u)
 	fi
 done
 
-# change defaults
-$UP2DATE || grep -q '^AuthorizedKeysFile' /etc/ssh/sshd_config || {
-	sudo sh -c "echo 'AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys' >> /etc/ssh/sshd_config"
-	sudo service ssh reload
-}
-# change vagrants manual configuration on some armhf hosts
-$UP2DATE || grep -q '/var/lib/misc/userkeys' /etc/ssh/sshd_config || {
-	sudo sed -i "s#/var/lib/monkeysphere/authorized_keys/#/var/lib/misc/userkeys/#g" /etc/ssh/sshd_config
-	sudo service ssh reload
-}
-
 sudo mkdir -p /srv/workspace
 [ -d /srv/schroots ] || sudo mkdir -p /srv/schroots
 [ -h /chroots ] || sudo ln -s /srv/workspace/chroots /chroots
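Review bot: the two blocks removed here contained the only `sudo service ssh reload` calls in this script, and nothing left in the hunk reloads sshd after hosts/common/etc/ssh/sshd_config lands on a host, so confirm that the step which installs files from hosts/common/ runs `sudo sshd -t` first (a typo in a file that now carries `PasswordAuthentication no` and the full HostKey list would otherwise only be noticed when the daemon is next restarted and fails to come back) and then `sudo service ssh reload`. The removed `grep -q` guards also made the old edits idempotent; the file-copy approach is idempotent by construction, so nothing is lost there.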

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/qa/jenkins.debian.net.git