Faidon Liambotis has submitted this change and it was merged. Change subject: ssh: configure ECDSA & ed25519 host keys ......................................................................
ssh: configure ECDSA & ed25519 host keys Ubuntu >= precise(!) is setting up ECDSA & ed25519 host keys but we were removing them from the configuration, sticking to what was lucid's default config(!). Reenable them as this makes us more secure (and also faster). Note that the remaining (3) lucid boxes will not get those keys but sshd works anyway (despite logging it can't find those two keys). Considering lucid is about to go away soon, don't place the setting under an os_version guard. While at it, also stick to some other (newer) upstream defaults, such as ServerKeyBits, which shouldn't matter at all. Change-Id: Ib6c5dc9e5d0a79d6e667de657aa1bd4873dff7ed --- M modules/ssh/templates/sshd_config.erb 1 file changed, 4 insertions(+), 2 deletions(-) Approvals: Giuseppe Lavagetto: Looks good to me, but someone else must approve Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index c00c5f8..ce8823b 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb @@ -1,6 +1,6 @@ # This file is managed by puppet! # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port <%= @listen_port %> 
@@ -15,12 +15,14 @@ # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH -- To view, visit https://gerrit.wikimedia.org/r/183500 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ib6c5dc9e5d0a79d6e667de657aa1bd4873dff7ed Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <[email protected]> Gerrit-Reviewer: Faidon Liambotis <[email protected]> Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
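Review bot: in the first hunk (the header comment block), the `# Package generated configuration file` line directly below `# This file is managed by puppet!` is stale now that the template is puppet-managed, and it contradicts the line above it; suggest dropping it while the neighbouring manpage comment is being corrected to `sshd_config(5)`, which is the right reference for configuration keywords.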
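Review bot: in the second hunk, `HostKey /etc/ssh/ssh_host_dsa_key` stays in the list right above the two new `HostKey` lines, so after this change the DSA key is the weakest host key the server still offers alongside RSA, ECDSA and ed25519; consider removing it in a follow-up once clients no longer depend on it. The `ServerKeyBits 768` to `1024` change sits under the `# Lifetime and size of ephemeral version 1 server key` comment, so it only takes effect if protocol 1 is enabled; worth confirming the template's `Protocol` setting is 2 so this remains the no-op the commit message expects.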
