Tim Landscheidt has uploaded a new change for review. https://gerrit.wikimedia.org/r/77144
Change subject: Tools: Allow bastions to access other hosts with HBA ...................................................................... Tools: Allow bastions to access other hosts with HBA This sets HostbasedAuthentication and EnableSSHKeysign to yes in /etc/ssh_config. Change-Id: I42f9f55641d82beb0191924a0bc7657e4987d28e --- A modules/toollabs/files/bastion-ssh_config M modules/toollabs/manifests/bastion.pp 2 files changed, 65 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/44/77144/1 diff --git a/modules/toollabs/files/bastion-ssh_config b/modules/toollabs/files/bastion-ssh_config new file mode 100644 index 0000000..cf234e1 --- /dev/null +++ b/modules/toollabs/files/bastion-ssh_config @@ -0,0 +1,57 @@ +# This file is managed by puppet! + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Host * +# ForwardAgent no +# ForwardX11 no +# ForwardX11Trusted yes +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no + +# Enable accessing other hosts with host-based authentication. +HostbasedAuthentication yes +EnableSSHKeysign yes diff --git a/modules/toollabs/manifests/bastion.pp b/modules/toollabs/manifests/bastion.pp index 2e17bb0..07daef8 100644 --- a/modules/toollabs/manifests/bastion.pp +++ b/modules/toollabs/manifests/bastion.pp @@ -16,6 +16,14 @@ toollabs::exec_environ, toollabs::dev_environ + file { "/etc/ssh/ssh_config": + ensure => file, + mode => "0444", + owner => "root", + group => "root", + source => "puppet:///modules/toollabs/files/bastion-ssh_config", + } + class { 'gridengine::submit_host': gridmaster => $gridmaster, } -- To view, visit https://gerrit.wikimedia.org/r/77144 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I42f9f55641d82beb0191924a0bc7657e4987d28e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits