Yuvipanda has submitted this change and it was merged.

Change subject: ssh: Unify config between precise and trusty/jessie
......................................................................


ssh: Unify config between precise and trusty/jessie

- sshd has been backported from trusty to precise
- Use LDAP directly to verify public keys in labs, rather
  than the NFS mount. This removes a big NFS dependency.
- Lucid support grumble grumble
- No lucid in labs, so all the labs-conditionalled things need
  no Lucid support!

Bug: T102401
Change-Id: I88d6ee3633a592c3dfeaa9613db311941c6485fd
---
M modules/ldap/manifests/client.pp
M modules/ssh/manifests/server.pp
M modules/ssh/templates/sshd_config.erb
3 files changed, 32 insertions(+), 38 deletions(-)

Approvals:
  Yuvipanda: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/ldap/manifests/client.pp b/modules/ldap/manifests/client.pp
index 479b86a..c9fc481 100644
--- a/modules/ldap/manifests/client.pp
+++ b/modules/ldap/manifests/client.pp
@@ -176,33 +176,31 @@
     }
 
     if $::realm == 'labs' {
-        if os_version('debian >= jessie || ubuntu >= trusty') {
-            # The 'ssh-key-ldap-lookup' tool is called during login ssh via 
AuthorizedKeysCommand.  It
-            #  returns public keys from ldap for the specified username.
-            # It is in /usr/sbin and not /usr/local/sbin because on Debian 
/usr/local is 0775
-            # and sshd refuses to use anything under /usr/local because of the 
permissive group
-            # permission there (and group is set to 'staff', slightly 
different from root).
-            # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
-            file { '/usr/sbin/ssh-key-ldap-lookup':
-                owner  => 'root',
-                group  => 'root',
-                mode   => '0555',
-                source => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup',
-            }
-            # For security purposes, sshd will only run ssh-key-ldap-lookup as 
the 'ssh-key-ldap-lookup' user.
-            user { 'ssh-key-ldap-lookup':
-                ensure => present,
-                system => true,
-            }
+        # The 'ssh-key-ldap-lookup' tool is called during login ssh via 
AuthorizedKeysCommand.  It
+        #  returns public keys from ldap for the specified username.
+        # It is in /usr/sbin and not /usr/local/sbin because on Debian 
/usr/local is 0775
+        # and sshd refuses to use anything under /usr/local because of the 
permissive group
+        # permission there (and group is set to 'staff', slightly different 
from root).
+        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
+        file { '/usr/sbin/ssh-key-ldap-lookup':
+            owner  => 'root',
+            group  => 'root',
+            mode   => '0555',
+            source => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup',
+        }
+        # For security purposes, sshd will only run ssh-key-ldap-lookup as the 
'ssh-key-ldap-lookup' user.
+        user { 'ssh-key-ldap-lookup':
+            ensure => present,
+            system => true,
+        }
 
-            # Old names for the script and user ^
-            file { '/usr/local/sbin/ldapkeys':
-                ensure => absent,
-            }
+        # Old names for the script and user ^
+        file { '/usr/local/sbin/ldapkeys':
+            ensure => absent,
+        }
 
-            user { 'ldapkeys':
-                ensure => absent,
-            }
+        user { 'ldapkeys':
+            ensure => absent,
         }
     }
 
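Review bot: The `user { 'ssh-key-ldap-lookup': }` resource declares neither `shell` nor `home`, so the account that sshd will now run the LDAP lookup as on every labs host gets whatever the useradd provider defaults to, which on Debian-family systems can be a usable login shell. Since the only job of this account is to be sshd's AuthorizedKeysCommandUser, pin it down inside the resource with `shell => '/usr/sbin/nologin',` and `home => '/nonexistent',`. The root-owned `0555` file resource already satisfies sshd's ownership and writability check on the command, so that part is fine; the enclosing class and the `if $::realm == 'labs'` block begin before this hunk.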
diff --git a/modules/ssh/manifests/server.pp b/modules/ssh/manifests/server.pp
index b8e0994..6bb89b5 100644
--- a/modules/ssh/manifests/server.pp
+++ b/modules/ssh/manifests/server.pp
@@ -25,8 +25,6 @@
 
     if $authorized_keys_file {
         $ssh_authorized_keys_file = $authorized_keys_file
-    } elsif ($::realm == 'labs' and os_version('ubuntu <= precise')) {
-        $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u 
/public/keys/%u/.ssh/authorized_keys'
     } else {
         $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u'
     }
diff --git a/modules/ssh/templates/sshd_config.erb 
b/modules/ssh/templates/sshd_config.erb
index ad100b0..2fd3446 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -21,10 +21,10 @@
 UsePrivilegeSeparation yes
 
 <%- if @disable_nist_kex -%>
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
-KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
-<% elsif scope.function_os_version(['ubuntu == precise'])%>
+<% if scope.function_os_version(['ubuntu == lucid']) %>
 KexAlgorithms diffie-hellman-group-exchange-sha256
+<% else %>
+KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
 <% end %>
 <%- end -%>
 
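Review bot: Inverting the guard to `ubuntu == lucid` / `else` means every release that is not lucid now receives the curve25519, `*-etm` and chacha20/aes-gcm lists, and the same inversion is repeated for MACs and Ciphers in the hunk at `@@ -46,19 +46,19 @@`. Those algorithm names are only understood by fairly recent OpenSSH (the commit message says precise has a backported sshd, but Debian releases older than jessie previously fell into the conservative or absent branch and now get the modern one), and an sshd that meets a name it does not recognise in KexAlgorithms, MACs or Ciphers refuses to load its config, so a host the backport missed would fail closed into an ssh lockout at its next restart. A positive test is safer than an open-ended `else`: `<% if scope.function_os_version(['debian >= jessie || ubuntu >= precise']) %>` for the modern list, with the conservative list as the fallback branch in all three places.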
@@ -46,19 +46,19 @@
 
 <%- if @explicit_macs -%>
 # Message Authentication codes
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
-MACs 
hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com
-<% elsif scope.function_os_version(['ubuntu == precise'])%>
+<% if scope.function_os_version(['ubuntu == lucid'])%>
 MACs hmac-sha2-512,hmac-sha2-256
+<% else %>
+MACs 
hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com
 <% end %>
 <%- end -%>
 
 StrictModes yes
 
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
-Ciphers 
chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-<% else %>
+<% if scope.function_os_version(['ubuntu == lucid']) %>
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+<% else %>
+Ciphers 
chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 <% end %>
 
 
@@ -132,10 +132,8 @@
 UsePAM yes
 
 <% if @realm == "labs" then %>
-<% if scope.function_os_version(['debian >= jessie || ubuntu >= trusty']) %>
 AuthorizedKeysCommand /usr/sbin/ssh-key-ldap-lookup
 AuthorizedKeysCommandUser ssh-key-ldap-lookup
-<% end %>
 <% end %>
 
 <% if has_variable?("ssh_restrict_network") then %>
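Review bot: `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` are now emitted unconditionally for every labs host, and both directives are unknown to sshd older than OpenSSH 6.2, so this hunk carries the same backport dependency as the algorithm hunks above; a short template comment would record it, e.g. `# Requires OpenSSH >= 6.2 (AuthorizedKeysCommand); precise gets this via the trusty backport`. Also worth stating in that comment is the recovery path: with the NFS fallback removed from server.pp, an LDAP outage leaves only the keys in `AuthorizedKeysFile` (`/etc/ssh/userkeys/%u`), which sshd consults before running the command, so whatever admin keys are provisioned there are the only way in while LDAP is down. I cannot see from this change whether every labs host that applies this template also applies the ldap::client class that creates the command and its user; where one does not, the lookup presumably just yields no keys rather than breaking sshd, but that should be confirmed.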

-- 
To view, visit https://gerrit.wikimedia.org/r/218411

Gerrit-MessageType: merged
Gerrit-Change-Id: I88d6ee3633a592c3dfeaa9613db311941c6485fd
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@gmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: Tim Landscheidt <t...@tim-landscheidt.de>
Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>
