Tim Landscheidt has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/77144


Change subject: Tools: Allow bastions to access other hosts with HBA
......................................................................

Tools: Allow bastions to access other hosts with HBA

This sets HostbasedAuthentication and EnableSSHKeysign to yes in
/etc/ssh_config.

Change-Id: I42f9f55641d82beb0191924a0bc7657e4987d28e
---
A modules/toollabs/files/bastion-ssh_config
M modules/toollabs/manifests/bastion.pp
2 files changed, 65 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/44/77144/1

diff --git a/modules/toollabs/files/bastion-ssh_config 
b/modules/toollabs/files/bastion-ssh_config
new file mode 100644
index 0000000..cf234e1
--- /dev/null
+++ b/modules/toollabs/files/bastion-ssh_config
@@ -0,0 +1,57 @@
+# This file is managed by puppet!
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   Port 22
+#   Protocol 2,1
+#   Cipher 3des
+#   Ciphers 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+
+# Enable accessing other hosts with host-based authentication.
+HostbasedAuthentication yes
+EnableSSHKeysign yes
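Review bot: The two settings added at the end of the file, `HostbasedAuthentication yes` and `EnableSSHKeysign yes`, follow the `Host *` line, so ssh parses them as part of that block even though they are not indented like the other entries in it. ssh_config(5) says EnableSSHKeysign should be placed in the non-hostspecific section, so move it above `Host *`, and either indent HostbasedAuthentication under `Host *` or move it up as well so the intended scope is clear. Because `Host *` matches every destination, the bastion will offer host-based authentication to any host a user connects to; if only some hosts are meant to accept it, a narrower Host pattern would express that.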
diff --git a/modules/toollabs/manifests/bastion.pp 
b/modules/toollabs/manifests/bastion.pp
index 2e17bb0..07daef8 100644
--- a/modules/toollabs/manifests/bastion.pp
+++ b/modules/toollabs/manifests/bastion.pp
@@ -16,6 +16,14 @@
     toollabs::exec_environ,
     toollabs::dev_environ
 
+  file { "/etc/ssh/ssh_config":
+    ensure => file,
+    mode => "0444",
+    owner => "root",
+    group => "root",
+    source => "puppet:///modules/toollabs/files/bastion-ssh_config",
+  }
+
   class { 'gridengine::submit_host':
     gridmaster => $gridmaster,
   }
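Review bot: The `source` attribute of the new file resource includes the `files/` directory, but Puppet maps `puppet:///modules/<module>/<path>` onto the module's `files/` directory by itself, so the agent would look for modules/toollabs/files/files/bastion-ssh_config and the resource would fail; it should read `puppet:///modules/toollabs/bastion-ssh_config`. The resource manages /etc/ssh/ssh_config while the commit message names /etc/ssh_config, so one of the two should be corrected. As a style point, the strings here need no interpolation and could use single quotes like the neighbouring `class { 'gridengine::submit_host':` block, with the `=>` arrows aligned.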

-- 
To view, visit https://gerrit.wikimedia.org/r/77144
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I42f9f55641d82beb0191924a0bc7657e4987d28e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>
