coren has uploaded a new change for review.
https://gerrit.wikimedia.org/r/50913
Change subject: Add ssh_hba variable to turn on HBA for sshd
......................................................................
Add ssh_hba variable to turn on HBA for sshd
Gridengine (including OGS) requires host-based authentication
to use SSH rather than RSH for communication between the master
and the execution nodes.
This simply adds a variable 'ssh_hba' which can be set to 'yes'
in puppet to turn on HBA in sshd_config.
Key management will come in a different change.
Change-Id: Ibb49e71663fe2df2dd823b23f658e80a360c8a67
---
M templates/ssh/sshd_config.erb
1 file changed, 7 insertions(+), 3 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/13/50913/1
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 21f5a69..8c9ef0f 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -41,10 +41,14 @@
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
-# similar for protocol version 2
+
+<% if has_variable?("ssh_hba") then %>
+HostbasedAuthentication <%= ssh_hba %>
+HostbasedUsesNameFromPacketOnly no
+<% else %>
HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
+<% end %>
+IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
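Review bot: `HostbasedAuthentication <%= ssh_hba %>` writes the variable into sshd_config verbatim, so any value other than yes or no (a typo, a boolean rendered as "true") produces a config that sshd will refuse to load. Consider checking the value in the template or the calling class and emitting only "yes" or "no", falling back to "no" otherwise. Separately, `IgnoreUserKnownHosts yes` sits outside the if/else, so it changes the rendered file on every host, not only those that set ssh_hba. That is the right setting once HBA is on, since per-user known_hosts files should not decide which hosts are trusted, but the commit message only describes the ssh_hba switch and the comment that explained the option was removed. Please mention the unconditional change in the commit message and keep a one-line comment above the directive.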
--
To view, visit https://gerrit.wikimedia.org/r/50913
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibb49e71663fe2df2dd823b23f658e80a360c8a67
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <[email protected]>