[Git][qa/jenkins.debian.net][master] hosts/common: Configure sshd defaults in sshd_config.d and use a

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Thu Feb 8 21:09:59 GMT 2024 


Vagrant Cascadian pushed to branch master at Debian QA / jenkins.debian.net


Commits:
7d8a99cb by Vagrant Cascadian at 2024-02-08T13:07:21-08:00
hosts/common: Configure sshd defaults in sshd_config.d and use a
near-default bookworm sshd_config.

- - - - -


2 changed files:

- hosts/common/etc/ssh/sshd_config
- + hosts/common/etc/ssh/sshd_config.d/jdn.defaults.conf


Changes:

=====================================
hosts/common/etc/ssh/sshd_config
=====================================
@@ -1,16 +1,27 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
 
-# What ports, IPs and protocols we listen for
-Port 22
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
 #AddressFamily any
-#ListenAddress ::
 #ListenAddress 0.0.0.0
+#ListenAddress ::
 
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
 
+# Ciphers and keying
+#RekeyLimit default none
 
 # Logging
 #SyslogFacility AUTH
@@ -18,39 +29,37 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Authentication:
 
-#LoginGraceTime 2n
-PermitRootLogin prohibit-password
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
-PubkeyAuthentication yes
+#PubkeyAuthentication yes
 
-AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
 
 #AuthorizedPrincipalsFile none
 
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 
-# For this to work you will also need host keys in /etc/ssh_known_hosts
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
+#IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
+#PasswordAuthentication yes
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -66,32 +75,32 @@ PasswordAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-X11Forwarding no
+# Commented out X11Forwarding to disable it: https://bugs.debian.org/1063488
+#X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
@@ -104,4 +113,11 @@ PrintMotd no
 AcceptEnv LANG LC_*
 
 # override default of no subsystems
-Subsystem       sftp    /usr/lib/openssh/sftp-server
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server


=====================================
hosts/common/etc/ssh/sshd_config.d/jdn.defaults.conf
=====================================
@@ -0,0 +1,3 @@
+Port 22
+ChallengeResponseAuthentication no
+X11Forwarding no



View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/commit/7d8a99cb57b6a6977da69029cbf8f26bbcb9d5ef

-- 
View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/commit/7d8a99cb57b6a6977da69029cbf8f26bbcb9d5ef
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/qa-jenkins-scm/attachments/20240208/b7ec7e86/attachment-0001.htm>

More information about the Qa-jenkins-scm mailing list