Lcarr has submitted this change and it was merged.
Change subject: Add ssh_restrict_network variable to SSH
......................................................................
Add ssh_restrict_network variable to SSH
Setting ssh_restrict_network allows disabling all forms
of authentication for users matching the pattern specified.
(viz. ssh_config(1) for syntax in section PATTERNS)
See Leslie for further rationale.
Change-Id: I9a67dfcd7be79240f39ed882bf66b99bee7d2f3c
---
M templates/ssh/sshd_config.erb
1 file changed, 17 insertions(+), 0 deletions(-)
Approvals:
Lcarr: Looks good to me, approved
jenkins-bot: Verified
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 8c9ef0f..ca24cd8 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -97,3 +97,20 @@
<% if realm == "labs" then %>
Banner /etc/ssh/sshd_banner
<% end %>
+
+<% if has_variable?("ssh_restrict_network") then %>
+Match <%= ssh_restrict_network %>
+ HostbasedAuthentication no
+ GSSAPIAuthentication no
+ PasswordAuthentication no
+ KerberosAuthentication no
+ KbdInteractiveAuthentication no
+ PermitRootLogin no
+ PubkeyAuthentication no
+ RhostsRSAAuthentication no
+ RSAAuthentication no
+<% end %>
+##
+## Anything below this point must start with a match declaration
+## or will only apply to the previous Matches above.
+##
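Review bot: The `Match <%= ssh_restrict_network %>` line interpolates the variable verbatim, so the value has to carry the Match criterion keyword itself (for example `User ...` or `Address ...`), and nothing in the template says so. The commit message describes matching users while the variable name says network; a comment above the `if` stating the expected form, or hard-coding the criterion in the template, would remove the ambiguity. `has_variable?` only checks that the variable exists, so an empty or malformed value would still render an invalid `Match` line; a guard on the value, plus an `sshd -t` check of the rendered file before reload, would catch that. The trailing `##` comment sits outside the `if`, so it is also emitted when no Match block was written; moving it inside the conditional would keep it accurate.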
--
To view, visit https://gerrit.wikimedia.org/r/57447
Gerrit-MessageType: merged
Gerrit-Change-Id: I9a67dfcd7be79240f39ed882bf66b99bee7d2f3c
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <[email protected]>
Gerrit-Reviewer: Lcarr <[email protected]>
Gerrit-Reviewer: Ryan Lane <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot