Chad has uploaded a new change for review. https://gerrit.wikimedia.org/r/199936
Change subject: [sshd] Disable agent forwarding ...................................................................... [sshd] Disable agent forwarding Since deployments no longer require a forwarded key to production (for either pulling/pushing to git or scap & co) there is no reason for people to forward their keys anymore. It's poor security practice, and we discourage it heavily in default configurations and examples. Per sshd_config(5) this can't stop a malicious shell user but if you're malicious you're already violating the server agreement and will get your access stripped. So don't work around it ;-) Change-Id: I283eb516c4b87118328ca5d0374d9437531b64d6 --- M modules/ssh/templates/sshd_config.erb 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/36/199936/1 diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index 2e76f0a..2bd6a08 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb @@ -68,6 +68,9 @@ # Globally deny logon via password, only allow SSH-key login. PasswordAuthentication no +# Don't allow people to forward their agents either. +AllowAgentForwarding no + # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no -- To view, visit https://gerrit.wikimedia.org/r/199936 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I283eb516c4b87118328ca5d0374d9437531b64d6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chad <ch...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
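Review bot: `AllowAgentForwarding no` is added in the global section of sshd_config.erb, so every host that renders this template loses agent forwarding at once; please confirm that no host role still depends on it (bastion or jump hosts are the usual case), or gate the line on a template variable so it can be overridden per host rather than only globally. Also, as the commit message and sshd_config(5) both note, this option does not stop a user who already has shell access from running their own forwarder, so the comment "# Don't allow people to forward their agents either." should say that this is a default-hardening setting and not an enforcement control, so a future reader does not assume it closes that case.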