Hello Dzahn, I'd like you to do a code review. Please visit
https://gerrit.wikimedia.org/r/213216 to review the following change. Change subject: Turn off sshd MAC and KEX hardening for gerrit replication targets ...................................................................... Turn off sshd MAC and KEX hardening for gerrit replication targets Gerrit's replication plugin failed to negotiate the used algorithm on machines that used the hardened sshd MAC and KEX setup and filled logs with [2015-05-21 15:47:41,273] ERROR com.googlesource.gerrit.plugins.replication.ReplicationQueue : Cannot replicate to gerritsl...@gallium.wikimedia.org:/srv/ssd/gerrit/mediawiki/extensions/ConfirmEdit.git org.eclipse.jgit.errors.TransportException: gerritsl...@gallium.wikimedia.org:/srv/ssd/gerrit/mediawiki/extensions/ConfirmEdit.git: Algorithm negotiation fail Hence, we now turn off those hardenings for gerrit replication targets, to allow gerrit to replicate again. Bug: T99990 Change-Id: I08d0a64d1902f161c66bd3ad80b8e85df5657e48 --- A hieradata/hosts/antimony.yaml M hieradata/hosts/gallium.yaml M hieradata/hosts/lanthanum.yaml 3 files changed, 6 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/213216/1 diff --git a/hieradata/hosts/antimony.yaml b/hieradata/hosts/antimony.yaml new file mode 100644 index 0000000..80e96e7 --- /dev/null +++ b/hieradata/hosts/antimony.yaml @@ -0,0 +1,2 @@ +ssh::server::disable_nist_kex: false +ssh::server::explicit_macs: false diff --git a/hieradata/hosts/gallium.yaml b/hieradata/hosts/gallium.yaml index de5b57b..2d7eeb5 100644 --- a/hieradata/hosts/gallium.yaml +++ b/hieradata/hosts/gallium.yaml @@ -2,3 +2,5 @@ - contint-users - contint-admins - contint-roots +ssh::server::disable_nist_kex: false +ssh::server::explicit_macs: false diff --git a/hieradata/hosts/lanthanum.yaml b/hieradata/hosts/lanthanum.yaml index de5b57b..2d7eeb5 100644 --- a/hieradata/hosts/lanthanum.yaml +++ b/hieradata/hosts/lanthanum.yaml 
@@ -2,3 +2,5 @@ - contint-users - contint-admins - contint-roots +ssh::server::disable_nist_kex: false +ssh::server::explicit_macs: false -- To view, visit https://gerrit.wikimedia.org/r/213216 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I08d0a64d1902f161c66bd3ad80b8e85df5657e48 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: QChris <christ...@quelltextlich.at> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
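Review bot: The new hieradata/hosts/antimony.yaml carries the two overrides with no comment saying why this host is exempt from the sshd hardening. Please add a YAML comment above `ssh::server::disable_nist_kex: false` that references T99990 and the Gerrit replication "Algorithm negotiation fail" error, so the exception can be found and removed once the replication client can negotiate the hardened algorithms.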
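Review bot: In the gallium.yaml hunk both `ssh::server::disable_nist_kex` and `ssh::server::explicit_macs` are set to false, but the logged error in the commit message only says "Algorithm negotiation fail" and does not show whether the KEX list or the MAC list is the one that fails. Please confirm on one target which of the two settings the replication client actually needs relaxed, and keep the other hardening on if it is not involved. These keys apply to the host's sshd as a whole, so every client of the host gets the weaker set, not just the replication account.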
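Review bot: The lanthanum.yaml hunk has the same index line as gallium.yaml (`de5b57b..2d7eeb5`), so the two files are byte-identical before and after, and the same two lines now live in three host files. Consider setting the override once at a hiera level shared by the Gerrit replication targets instead of per host, so that reverting the exception is a single change and a new replication target does not silently miss it.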