Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330227 )
Change subject: Enable enhanced sandbox privilege separation for sshd
......................................................................

Enable enhanced sandbox privilege separation for sshd

If 'UsePrivilegeSeparation' is set to "sandbox", it additionally enables a seccomp-based restriction for the (unprivileged) pre-auth process. This feature has been introduced in openssh 5.9, so even trusty supports it (but we're using a trusty backport in precise-wikimedia anyway)

Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a
---
M modules/ssh/templates/sshd_config.erb
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/27/330227/1

diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 184523d..1a6ba21 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -18,7 +18,7 @@
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 <%- if @disable_nist_kex -%>
 KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256

--
To view, visit https://gerrit.wikimedia.org/r/330227
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
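Review bot: The `+UsePrivilegeSeparation sandbox` line is only as strong as the kernel it runs on, and neither the hunk nor the commit message says what happens where the sandbox cannot be applied: on Linux, OpenSSH's sandbox for this setting is built on seccomp-bpf filters, and when installing the filter fails sshd logs that at debug level and carries on with an unsandboxed pre-auth process rather than refusing to start, so the change can silently be a no-op on a host with an older kernel or a build without seccomp support. Since this template is shared across distributions (the commit message mentions trusty and precise-wikimedia), it would be worth recording in the commit message how the setting was verified on each of them, for example by confirming with `sshd -T` that the daemon parses `useprivilegeseparation sandbox` and by checking the sshd debug output on one host per distribution for the seccomp filter being applied. A smaller point on the same hunk: the unchanged context line `#Privilege Separation is turned on for security` now undersells the setting; updating it to say that the pre-auth process is additionally seccomp-sandboxed would keep the template self-documenting.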