coren has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/57447


Change subject: Add ssh_restrict_network variable to SSH
......................................................................

Add ssh_restrict_network variable to SSH

Setting ssh_restrict_network allows disabling all forms
of authentication for users matching the address pattern
specified.

(viz. ssh_config(1) for syntax)

See Leslie for further rationale.

Change-Id: I9a67dfcd7be79240f39ed882bf66b99bee7d2f3c
---
M templates/ssh/sshd_config.erb
1 file changed, 17 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/47/57447/1

diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 8c9ef0f..a893fde 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -97,3 +97,20 @@
 <% if realm == "labs" then %>
 Banner /etc/ssh/sshd_banner
 <% end %>
+
+<% if has_variable?("ssh_restrict_network") then %>
+Match Address <%= ssh_restrict_network %>
+       HostbasedAuthentication no
+       GSSAPIAuthentication no
+       PasswordAuthentication no
+       KerberosAuthentication no
+       KbdInteractiveAuthentication no
+       PermitRootLogin no
+       PubkeyAuthentication no
+       RhostsRSAAuthentication no
+       RSAAuthentication no
+<% end %>
+##
+## Anything below this point must start with a match declaration
+## or will only apply to the previous Matches above.
+##
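
Review bot: The closing `##` comment block sits after `<% end %>`, so it is written into sshd_config even when ssh_restrict_network is unset and this change emits no Match block. In that case, unless the template already has Match blocks earlier in the file (not visible in this hunk), a directive appended below it would apply globally, not "to the previous Matches above". Either move the comment inside the conditional or reword it to cover both cases. Separately, the `Match Address <%= ssh_restrict_network %>` line interpolates the variable as-is and the template says nothing about the expected pattern syntax or the intent. A short template comment above the Match line, carrying the ssh_config(1) pointer from the commit message and stating that matching clients are left with no usable authentication method, would keep the rationale with the config instead of only in the commit log. `PermitRootLogin no` is also redundant once every authentication method in the block is set to `no`; drop it or note why it is kept.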

-- 
To view, visit https://gerrit.wikimedia.org/r/57447

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9a67dfcd7be79240f39ed882bf66b99bee7d2f3c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <[email protected]>
