Faidon Liambotis has uploaded a new change for review. https://gerrit.wikimedia.org/r/183500
Change subject: ssh: configure ECDSA & ed25519 host keys ...................................................................... ssh: configure ECDSA & ed25519 host keys Ubuntu >= precise(!) is setting up ECDSA & ed25519 host keys but we were removing them from the configuration, sticking to what was lucid's default config(!). Reenable them as this makes us more secure (and also faster). Note that the remaining (3) lucid boxes will not get those keys but sshd works anyway (despite logging it can't find those two keys). Considering lucid is about to go away soon, don't place the setting under an os_version guard. While at it, also stick to some other (newer) upstream defaults, such as ServerKeyBits, which shouldn't matter at all. Change-Id: Ib6c5dc9e5d0a79d6e667de657aa1bd4873dff7ed --- M modules/ssh/templates/sshd_config.erb 1 file changed, 5 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/183500/1 diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index c00c5f8..d793964 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb @@ -1,6 +1,6 @@ # This file is managed by puppet! # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port <%= @listen_port %> 
@@ -15,16 +15,18 @@ # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH -LogLevel VERBOSE +LogLevel INFO # Authentication: LoginGraceTime 120 -- To view, visit https://gerrit.wikimedia.org/r/183500 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib6c5dc9e5d0a79d6e667de657aa1bd4873dff7ed Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
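Review bot: In the second hunk (@@ -15,16 +15,18 @@), the change from "LogLevel VERBOSE" to "LogLevel INFO" reduces the detail sshd writes to the AUTH facility, yet the commit message does not name it; it mentions only ServerKeyBits among the "other (newer) upstream defaults". If anything relies on the VERBOSE authentication detail for login auditing, keep "LogLevel VERBOSE" and leave that line out of this change. Otherwise, name the LogLevel change in the commit message so the reduced logging is a recorded decision. Separately, the two added HostKey lines are unconditional, so the remaining lucid hosts will log missing-key messages, as the commit message notes. A one-line comment above them in the template saying this is expected would help whoever later reads those log entries.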
