Yuvipanda has submitted this change and it was merged. Change subject: ssh: Unify config between precise and trusty/jessie ......................................................................
ssh: Unify config between precise and trusty/jessie - sshd has been backported from trusty to precise - Use LDAP directly to verify public keys in labs, rather than the NFS mount. This removes a big NFS dependency. - Lucid support grumble grumble - No lucid in labs, so all the labs-conditionalled things need no Lucid support! Bug: T102401 Change-Id: I88d6ee3633a592c3dfeaa9613db311941c6485fd --- M modules/ldap/manifests/client.pp M modules/ssh/manifests/server.pp M modules/ssh/templates/sshd_config.erb 3 files changed, 32 insertions(+), 38 deletions(-) Approvals: Yuvipanda: Looks good to me, approved jenkins-bot: Verified
diff --git a/modules/ldap/manifests/client.pp b/modules/ldap/manifests/client.pp
index 479b86a..c9fc481 100644
--- a/modules/ldap/manifests/client.pp
+++ b/modules/ldap/manifests/client.pp
@@ -176,33 +176,31 @@
 }
 if $::realm == 'labs' {
- if os_version('debian >= jessie || ubuntu >= trusty') {
- # The 'ssh-key-ldap-lookup' tool is called during login ssh via AuthorizedKeysCommand. It
- # returns public keys from ldap for the specified username.
- # It is in /usr/sbin and not /usr/local/sbin because on Debian /usr/local is 0775
- # and sshd refuses to use anything under /usr/local because of the permissive group
- # permission there (and group is set to 'staff', slightly different from root).
- # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
- file { '/usr/sbin/ssh-key-ldap-lookup':
- owner => 'root',
- group => 'root',
- mode => '0555',
- source => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup',
- }
- # For security purposes, sshd will only run ssh-key-ldap-lookup as the 'ssh-key-ldap-lookup' user.
- user { 'ssh-key-ldap-lookup':
- ensure => present,
- system => true,
- }
+ # The 'ssh-key-ldap-lookup' tool is called during login ssh via AuthorizedKeysCommand. It
+ # returns public keys from ldap for the specified username.
+ # It is in /usr/sbin and not /usr/local/sbin because on Debian /usr/local is 0775
+ # and sshd refuses to use anything under /usr/local because of the permissive group
+ # permission there (and group is set to 'staff', slightly different from root).
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
+ file { '/usr/sbin/ssh-key-ldap-lookup':
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ source => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup',
+ }
+ # For security purposes, sshd will only run ssh-key-ldap-lookup as the 'ssh-key-ldap-lookup' user.
+ user { 'ssh-key-ldap-lookup':
+ ensure => present,
+ system => true,
+ }
- # Old names for the script and user ^
- file { '/usr/local/sbin/ldapkeys':
- ensure => absent,
- }
+ # Old names for the script and user ^
+ file { '/usr/local/sbin/ldapkeys':
+ ensure => absent,
+ }
- user { 'ldapkeys':
- ensure => absent,
- }
+ user { 'ldapkeys':
+ ensure => absent,
 }
 }
diff --git a/modules/ssh/manifests/server.pp b/modules/ssh/manifests/server.pp
index b8e0994..6bb89b5 100644
--- a/modules/ssh/manifests/server.pp
+++ b/modules/ssh/manifests/server.pp
@@ -25,8 +25,6 @@
 if $authorized_keys_file {
 $ssh_authorized_keys_file = $authorized_keys_file
- } elsif ($::realm == 'labs' and os_version('ubuntu <= precise')) {
- $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u /public/keys/%u/.ssh/authorized_keys'
 } else {
 $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u'
 }
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index ad100b0..2fd3446 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -21,10 +21,10 @@
 UsePrivilegeSeparation yes
 <%- if @disable_nist_kex -%>
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
-KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
-<% elsif scope.function_os_version(['ubuntu == precise'])%>
+<% if scope.function_os_version(['ubuntu == lucid']) %>
 KexAlgorithms diffie-hellman-group-exchange-sha256
+<% else %>
+KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
 <% end %>
 <%- end -%>
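Review bot: The now-unconditional `file` and `user` resources here (and the now-unconditional `AuthorizedKeysCommand` lines in the sshd_config.erb hunk at -132) rely on every labs host running the sshd backport named in the commit message, but nothing in the diff pins or checks that. AuthorizedKeysCommand is only understood by OpenSSH 6.2 and newer, and an older sshd treats it as a bad configuration option and refuses to start rather than ignoring it, so a precise host that missed the backport would presumably lose ssh access at its next sshd restart. Since the os_version guard that used to document this precondition is gone, record it on the resource: `# Requires OpenSSH >= 6.2 (AuthorizedKeysCommand); on precise this is the sshd backported from trusty.` The enclosing class starts before the hunk.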
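Review bot: Inverting the gate so that only lucid gets the short `KexAlgorithms` line changes lucid from emitting nothing (the old if/elsif had no else branch) to emitting a directive its stock sshd does not know: lucid ships OpenSSH 5.3, which predates the KexAlgorithms keyword (5.7), and the same inversion in the -46 hunk now gives lucid `MACs hmac-sha2-512,hmac-sha2-256`, which predate it as well (5.9). On any lucid host that still sets `disable_nist_kex` or `explicit_macs` this would make sshd reject its config instead of falling back to defaults, which is a lock-out rather than merely a weaker algorithm set. If lucid is meant to be unsupported, keep it silent rather than half-configured: wrap the existing full KexAlgorithms line in `<% unless scope.function_os_version(['ubuntu == lucid']) %>` / `<% end %>` and drop the lucid-only line, and treat the MACs block the same way. The Ciphers block already had an else branch covering lucid, so it is unaffected.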
@@ -46,19 +46,19 @@
 <%- if @explicit_macs -%>
 # Message Authentication codes
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
-MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com
-<% elsif scope.function_os_version(['ubuntu == precise'])%>
+<% if scope.function_os_version(['ubuntu == lucid'])%>
 MACs hmac-sha2-512,hmac-sha2-256
+<% else %>
+MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com
 <% end %>
 <%- end -%>
 StrictModes yes
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
-Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-<% else %>
+<% if scope.function_os_version(['ubuntu == lucid']) %>
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+<% else %>
+Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 <% end %>
@@ -132,10 +132,8 @@
 UsePAM yes
 <% if @realm == "labs" then %>
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
 AuthorizedKeysCommand /usr/sbin/ssh-key-ldap-lookup
 AuthorizedKeysCommandUser ssh-key-ldap-lookup
-<% end %>
 <% end %>
 <% if has_variable?("ssh_restrict_network") then %>
-- 
To view, visit https://gerrit.wikimedia.org/r/218411 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I88d6ee3633a592c3dfeaa9613db311941c6485fd Gerrit-PatchSet: 7 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Yuvipanda <yuvipa...@gmail.com> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: Tim Landscheidt <t...@tim-landscheidt.de> Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits