[Git][qa/jenkins.debian.net][master] hosts/common: Configure sshd defaults in sshd_config.d and use a
Vagrant Cascadian (@vagrant)
gitlab at salsa.debian.org
Thu Feb 8 21:09:59 GMT 2024
Vagrant Cascadian pushed to branch master at Debian QA / jenkins.debian.net
Commits:
7d8a99cb by Vagrant Cascadian at 2024-02-08T13:07:21-08:00
hosts/common: Configure sshd defaults in sshd_config.d and use a
near-default bookworm sshd_config.
- - - - -
2 changed files:
- hosts/common/etc/ssh/sshd_config
- + hosts/common/etc/ssh/sshd_config.d/jdn.defaults.conf
Changes:
=====================================
hosts/common/etc/ssh/sshd_config
=====================================
@@ -1,16 +1,27 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-# What ports, IPs and protocols we listen for
-Port 22
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
#AddressFamily any
-#ListenAddress ::
#ListenAddress 0.0.0.0
+#ListenAddress ::
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+# Ciphers and keying
+#RekeyLimit default none
# Logging
#SyslogFacility AUTH
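Review bot: With `Include /etc/ssh/sshd_config.d/*.conf` placed ahead of every keyword, and sshd keeping the first value it obtains for each keyword, any drop-in in that directory overrides the few settings this file still sets explicitly further down (`KbdInteractiveAuthentication no`, `UsePAM yes`, `PrintMotd no`, `AcceptEnv`, `Subsystem`); the header comment only says that uncommented options override defaults, not that drop-ins win over uncommented options. A one-line note beside the Include, e.g. `# Drop-ins are read first and take precedence over anything set below (sshd keeps the first value per keyword).`, would make that precedence explicit for whoever next edits this file. The commented `HostKey` lines match the built-in default set the header describes, so no change in the offered host keys is expected from this part of the hunk.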
@@ -18,39 +29,37 @@ HostKey /etc/ssh/ssh_host_ed25519_key
# Authentication:
-#LoginGraceTime 2n
-PermitRootLogin prohibit-password
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-PubkeyAuthentication yes
+#PubkeyAuthentication yes
-AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
-# For this to work you will also need host keys in /etc/ssh_known_hosts
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
+#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
+#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
+KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
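Review bot: Password authentication is silently re-enabled on every host by the change from `PasswordAuthentication no` to `#PasswordAuthentication yes`: the old file set it to no (twice), the new file only carries the commented default, sshd's built-in default is yes, and the new drop-in `sshd_config.d/jdn.defaults.conf` does not set it either, so with `UsePAM yes` retained any account that PAM accepts a password for becomes reachable over SSH. Since the `Include` at the top of this file is read first and sshd keeps the first value it obtains per keyword, the drop-in is the natural place for the fix: add `PasswordAuthentication no` to jdn.defaults.conf (or uncomment it here). The same hunk also drops the extra `AuthorizedKeysFile /var/lib/misc/userkeys/%u` path in favour of the default `.ssh/authorized_keys .ssh/authorized_keys2`; if any host still provisions keys under /var/lib/misc/userkeys those logins stop working, and `authorized_keys2` becomes honoured, neither of which the commit message mentions.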
@@ -66,32 +75,32 @@ PasswordAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-X11Forwarding no
+# Commented out X11Forwarding to disable it: https://bugs.debian.org/1063488
+#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
-#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
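Review bot: The new comment `# Commented out X11Forwarding to disable it` is misleading as documentation: commenting a keyword out does not disable anything by itself, it lets the compiled-in default (no, for X11Forwarding) apply, and on these hosts the value is actually pinned by `X11Forwarding no` in sshd_config.d/jdn.defaults.conf, which the `Include` at the top of this file reads first. Suggest `# X11Forwarding is set to no in sshd_config.d/jdn.defaults.conf; see https://bugs.debian.org/1063488` so the next maintainer knows where the live setting is. Note also that `UsePAM yes` survives unchanged below the PAM caveat this hunk rewords, and that caveat only holds when both PasswordAuthentication and KbdInteractiveAuthentication are explicitly no, which the main file now does for only the latter.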
@@ -104,4 +113,11 @@ PrintMotd no
AcceptEnv LANG LC_*
# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
=====================================
hosts/common/etc/ssh/sshd_config.d/jdn.defaults.conf
=====================================
@@ -0,0 +1,3 @@
+Port 22
+ChallengeResponseAuthentication no
+X11Forwarding no
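Review bot: This drop-in is now the effective policy file — the main sshd_config's `Include` is processed before any of its own keywords and sshd uses the first value it obtains for each keyword — yet it does not carry `PasswordAuthentication no`, which the replaced sshd_config enforced and the near-default main file no longer sets; `PasswordAuthentication no` belongs here. `ChallengeResponseAuthentication` is the pre-OpenSSH-8.7 spelling of `KbdInteractiveAuthentication`; bookworm's OpenSSH still accepts it as an alias as far as I can tell, but the main file already uses the new name, so `KbdInteractiveAuthentication no` here would keep the two files consistent. Files matched by `sshd_config.d/*.conf` are read in lexical order, so a drop-in installed by another package whose name sorts before `jdn.defaults.conf` would win for every keyword it sets; a numeric prefix such as `00-jdn.defaults.conf` would guarantee this file's precedence.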