mh [Mon, 28 Mar 2016 09:59:48 +0000 (11:59 +0200)]
future parser readyness
varac [Sun, 2 Apr 2017 22:43:11 +0000 (00:43 +0200)]
Merge remote-tracking branch 'shared/master' into leap_master
Micah [Mon, 23 Jan 2017 21:09:48 +0000 (21:09 +0000)]
Merge branch 'feature/stretch' into 'master'
Add sshd_config template for Debian Stretch.
See merge request !22
bertagaz [Sun, 20 Nov 2016 13:26:55 +0000 (14:26 +0100)]
Add sshd_config template for Debian Stretch.
ng [Sat, 21 Nov 2015 11:52:12 +0000 (11:52 +0000)]
Merge branch 'support_missing_ubuntu_releases' into 'master'
[feat] [feat] Support missing ubuntu releases
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
See merge request !20
varac [Mon, 9 Nov 2015 16:10:40 +0000 (17:10 +0100)]
Merge remote-tracking branch 'shared/master' into leap_master
varac [Mon, 9 Nov 2015 16:09:30 +0000 (17:09 +0100)]
[bug] Fix typo for including sshkey class
varac [Mon, 9 Nov 2015 15:51:13 +0000 (16:51 +0100)]
Merge remote-tracking branch 'shared/master' into leap_master
Micah [Mon, 9 Nov 2015 15:05:48 +0000 (15:05 +0000)]
Merge branch 'disable_stored_config' into 'master'
[feat] Optinally disable exported resources
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
See merge request !21
varac [Mon, 9 Nov 2015 09:22:58 +0000 (10:22 +0100)]
[feat] Optinally disable exported resources
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
varac [Sun, 8 Nov 2015 08:23:14 +0000 (09:23 +0100)]
Merge remote-tracking branch 'shared/master' into leap_master
varac [Tue, 3 Nov 2015 12:53:56 +0000 (13:53 +0100)]
[feat] [feat] Support missing ubuntu releases
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
Micah [Fri, 9 Oct 2015 19:02:41 +0000 (19:02 +0000)]
Merge branch 'autossh' into 'master'
autossh support
this series of commits adds support for autossh, to automatically create a tunnel with port forwarding.
we use this to login to *really* remote servers reliably, behind multiple NATs and satellite connexions.
it rocks.
See merge request !18
Jerome Charaoui [Fri, 9 Oct 2015 17:23:30 +0000 (17:23 +0000)]
Merge branch 'disable_debian_banner' into 'master'
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
See merge request !17
Micah [Tue, 6 Oct 2015 17:53:48 +0000 (17:53 +0000)]
Merge branch 'master' into 'master'
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
See merge request !19
Matt Taggart [Fri, 11 Sep 2015 23:01:02 +0000 (16:01 -0700)]
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
Antoine Beaupré [Thu, 18 Jun 2015 21:01:01 +0000 (17:01 -0400)]
disable autossh control port
this is important to make it easier to guess the ssh port from the
central server.
we rely on ServerAliveInterval instead to reconnect when we lose the
server.
this was unintentionally removed in november 2012 in the isuma-autossh
package, saying it was "not supported everywhere" and due to some
confusion about the defaults (defaults are to *enable* the port). see
commit
ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
Antoine Beaupré [Thu, 18 Jun 2015 20:43:17 +0000 (16:43 -0400)]
make autossh fork properly
Antoine Beaupré [Thu, 18 Jun 2015 20:22:08 +0000 (16:22 -0400)]
implement autossh reload
not sure what this was for, but it was in the original implementation
Antoine Beaupré [Thu, 18 Jun 2015 20:21:49 +0000 (16:21 -0400)]
properly implement daemon
Antoine Beaupré [Thu, 18 Jun 2015 20:07:18 +0000 (16:07 -0400)]
allow customizing user
Antoine Beaupré [Thu, 18 Jun 2015 20:12:35 +0000 (16:12 -0400)]
try to avoid conflicting with the isuma-local-servers package
Antoine Beaupré [Thu, 18 Jun 2015 20:06:24 +0000 (16:06 -0400)]
rewrite autossh startup script with dh_make template
Antoine Beaupré [Thu, 18 Jun 2015 19:59:16 +0000 (15:59 -0400)]
remove traces of isuma vendor
Antoine Beaupré [Thu, 18 Jun 2015 19:58:51 +0000 (15:58 -0400)]
import from autossh package
Jerome Charaoui [Mon, 8 Jun 2015 18:08:47 +0000 (14:08 -0400)]
Facter values changed in 2.x for XenServer
Matt Taggart [Fri, 22 May 2015 23:37:03 +0000 (16:37 -0700)]
disable the debian/ubuntu package version from being sent to clients
Jerome Charaoui [Thu, 21 May 2015 17:20:38 +0000 (13:20 -0400)]
Add newline to ssh_authorized_key file content
Jerome Charaoui [Thu, 21 May 2015 17:19:40 +0000 (13:19 -0400)]
Simplify ssh_authorized_key
Jerome Charaoui [Thu, 21 May 2015 17:12:18 +0000 (13:12 -0400)]
Revert "Simplify ssh_authorized_key"
puppet-lint complains about "selector inside resource"
This reverts commit
f3c0115743cab9d4e6c08b654b67631566572d41.
Jerome Charaoui [Thu, 21 May 2015 14:29:03 +0000 (10:29 -0400)]
Simplify ssh_authorized_key
Jerome Charaoui [Thu, 21 May 2015 14:17:52 +0000 (10:17 -0400)]
Add header to ssh_authorized_key when override_builting = 1
Jerome Charaoui [Thu, 21 May 2015 13:56:59 +0000 (09:56 -0400)]
Fix invalid single quotes around variables
Jerome Charaoui [Wed, 20 May 2015 23:29:41 +0000 (23:29 +0000)]
Merge branch 'debian-login-grace' into 'master'
sync LoginGraceTime with debian defaults
for some reason this was 10 minutes in our module, yet 120s everywhere else.
and only in wheezy too, wtf...
See merge request !13
Jerome Charaoui [Wed, 20 May 2015 23:29:00 +0000 (23:29 +0000)]
Merge branch 'master' into 'master'
add override_builtin parameter to handle the common authorized_key directory case
riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
See merge request !15
Matt Taggart [Wed, 20 May 2015 21:55:09 +0000 (14:55 -0700)]
add override_builtin parameter to handle the common authorized_key directory case
Antoine Beaupré [Wed, 13 May 2015 20:20:24 +0000 (16:20 -0400)]
sync LoginGraceTime with debian defaults
Micah [Thu, 7 May 2015 16:46:22 +0000 (16:46 +0000)]
Merge branch 'fix_lookupvar' into 'master'
Adjust variable lookup in templates to silence deprecation warnings, fixes #1
See merge request !12
Jerome Charaoui [Thu, 7 May 2015 15:34:07 +0000 (11:34 -0400)]
Adjust variable lookup in templates to silence deprecation warnings, fixes #1
Jerome Charaoui [Thu, 7 May 2015 15:30:07 +0000 (15:30 +0000)]
Merge branch 'enhance_hardened' into 'master'
Enhance hardened
This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible
See merge request !10
Micah Anderson [Fri, 1 May 2015 18:00:56 +0000 (14:00 -0400)]
Implement enhanced MAC (Message Authentication Codes) according to
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
Micah Anderson [Fri, 1 May 2015 17:57:37 +0000 (13:57 -0400)]
Implement enhanced symmetric cipher selection, based on
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
Micah Anderson [Fri, 1 May 2015 17:48:19 +0000 (13:48 -0400)]
Implement KexAlgorithms settings, based on Key exchange section of
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
Micah Anderson [Fri, 1 May 2015 16:45:14 +0000 (12:45 -0400)]
Change 'hardened_ssl' paramter to simply 'hardened', this makes more
sense in general
Jerome Charaoui [Mon, 4 May 2015 17:34:16 +0000 (17:34 +0000)]
Merge branch 'remove_lenny' into 'master'
remove Debian Lenny support
See merge request !8
varac [Mon, 4 May 2015 12:03:50 +0000 (14:03 +0200)]
Merge remote-tracking branch 'shared/master' into leap_master
Conflicts:
templates/sshd_config/Debian_wheezy.erb
Micah Anderson [Fri, 1 May 2015 16:49:37 +0000 (12:49 -0400)]
remove Debian Lenny support
Antoine Beaupré [Fri, 17 Apr 2015 18:47:03 +0000 (14:47 -0400)]
Merge remote-tracking branch 'micah/remove_etch' into shared
Conflicts:
templates/sshd_config/Debian_etch.erb
Antoine Beaupré [Fri, 17 Apr 2015 18:43:16 +0000 (18:43 +0000)]
Merge branch 'hostkey_type' into 'master'
Hostkey type
This is the pull request associated with: https://labs.riseup.net/code/issues/8285
See merge request !6
Micah Anderson [Fri, 17 Apr 2015 17:58:03 +0000 (13:58 -0400)]
remove etch support
Micah Anderson [Fri, 17 Apr 2015 15:29:11 +0000 (11:29 -0400)]
Add GPLv3 license
Micah Anderson [Thu, 18 Dec 2014 16:50:32 +0000 (11:50 -0500)]
change the ssh_keygen function to use different methods depending on if
its puppet 3 or puppet 2
Micah Anderson [Fri, 27 Mar 2015 19:24:02 +0000 (15:24 -0400)]
Given that ssh -V prints the info we want on stderr, made it so we are 100% sure we are only parsing the expected string
Jerome Charaoui [Mon, 2 Mar 2015 15:37:03 +0000 (15:37 +0000)]
Merge branch 'document_nagios_custom_logic' into 'master'
Document nagios custom logic
Add some note for ppl who need to inject their own logic before creating nagios-related checks.
See merge request !5
Gabriel Filion [Fri, 20 Feb 2015 22:27:06 +0000 (17:27 -0500)]
README: mention how one could reuse nagios resources with their own logic
Some people might want to inject their own logic before including nagios
resources. We can explain that since the nagios resources are in their
own part of the manifests, they can shortcut the module's automatic
handling of it, and call it manually from their own manifests.
Gabriel Filion [Fri, 20 Feb 2015 22:24:12 +0000 (17:24 -0500)]
README: Change project URL to point at the new one
LeLutin [Fri, 20 Feb 2015 16:53:13 +0000 (16:53 +0000)]
Merge branch 'master' into 'master'
Add RedHat_xenenterprise template symlink
See merge request !4
Jerome Charaoui [Thu, 22 Jan 2015 16:20:49 +0000 (11:20 -0500)]
Add RedHat_xenenterprise template symlink
ng [Sat, 17 Jan 2015 09:52:07 +0000 (09:52 +0000)]
Merge branch 'master' into 'master'
Fix for Debian squeeze and ssh_keygen for Puppet < 3 installs
Facter versions that are shipping in Debian squeeze and wheezy do not support the operatingsystemmajrelease core fact, which appears only from facter 1.7 onwards.
This isn't a big problem for wheezy since the openssh-server version it ships supports multiple AuthorizedKeysFile file paths,
On Debian squeeze, openssh-server does NOT support multuple AuthorizedKeysFile and will refuse to start with such a definition.
ALSO:
`ssh_keygen` is currently broken for Puppet 2.7.x clients. This commit should resolve the issue.
The fix was suggested by @ng in reference to https://github.com/duritong/puppet-sysctl/blob/master/lib/puppet/provider/sysctl_runtime/sysctl_runtime.rb#L16-L17
See merge request !3
Jerome Charaoui [Thu, 15 Jan 2015 22:09:56 +0000 (17:09 -0500)]
Fix ssh_keygen for Puppet < 3 installs
Jerome Charaoui [Thu, 15 Jan 2015 21:49:35 +0000 (16:49 -0500)]
Debian squeeze and wheezy do not support the operatingsystemmajrelease fact (they ship facter 1.6.x)
Micah Anderson [Fri, 21 Nov 2014 23:19:07 +0000 (18:19 -0500)]
Add a $hostkey_type variable that allows you to set which hostkey
types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
Micah Anderson [Fri, 21 Nov 2014 23:18:15 +0000 (18:18 -0500)]
add custom fact, providing ssh_version
Micah Anderson [Fri, 21 Nov 2014 21:46:09 +0000 (16:46 -0500)]
Merge remote-tracking branch 'tails/feature/jessie-and-sid-templates'
Micah Anderson [Wed, 5 Nov 2014 01:41:49 +0000 (20:41 -0500)]
Revert "Revert "get ecdsa host keys in Debian Wheezy""
This reverts commit
37bd36fe06c0fafb353a01672d29cf4bffdc9e4a.
We need to transition in a smoother way. Simply making this change
is too rough. See #6319
Micah Anderson [Sat, 1 Nov 2014 14:30:37 +0000 (10:30 -0400)]
Merge remote-tracking branch 'immerda/master'
Micah Anderson [Sat, 1 Nov 2014 14:29:48 +0000 (10:29 -0400)]
Revert "get ecdsa host keys in Debian Wheezy"
This reverts commit
1eabfe1b590f6663c2558f949408a08fc5f58fa6.
These shitty NIST curves are no good
intrigeri [Wed, 17 Sep 2014 20:44:12 +0000 (20:44 +0000)]
Copy the Debian sid template to a new one for Jessie.
Another option could be to symlink it, but the freeze is coming soon, so most
likely they'll start to diverge at some point.
intrigeri [Wed, 17 Sep 2014 20:43:45 +0000 (20:43 +0000)]
Resynchronize Debian sid template with the configuration file currently shipped by the package.
mh [Fri, 15 Aug 2014 08:22:40 +0000 (10:22 +0200)]
move to os release number on centos for selection
mh [Tue, 10 Jun 2014 17:41:50 +0000 (19:41 +0200)]
Openbsd also does not yet have it
mh [Tue, 10 Jun 2014 17:28:19 +0000 (19:28 +0200)]
EL 6 also does not have this option yet
mh [Tue, 10 Jun 2014 16:31:11 +0000 (18:31 +0200)]
lintig a document
mh [Tue, 10 Jun 2014 16:29:47 +0000 (18:29 +0200)]
not all versions support the new default
mh [Tue, 10 Jun 2014 09:25:16 +0000 (11:25 +0200)]
Merge remote-tracking branch 'shared/master'
Conflicts:
manifests/init.pp
Micah Anderson [Tue, 27 May 2014 20:43:47 +0000 (16:43 -0400)]
update $authorized_keys_file variable default to be the default is
documented by sshd_config(5)
Micah Anderson [Tue, 27 May 2014 20:42:59 +0000 (16:42 -0400)]
add the ability to override the automatic inclusion of the sshd_client
mh [Fri, 14 Mar 2014 09:36:24 +0000 (10:36 +0100)]
linting
mh [Fri, 14 Mar 2014 09:35:02 +0000 (10:35 +0100)]
remove unnecessary param
Tomas Barton [Fri, 21 Feb 2014 13:37:55 +0000 (14:37 +0100)]
renamed ipaddress_fact to sshkey_ipaddres
Tomas Barton [Fri, 14 Feb 2014 00:48:40 +0000 (01:48 +0100)]
too tired to type
Tomas Barton [Fri, 14 Feb 2014 00:44:54 +0000 (01:44 +0100)]
fixed variable name
Tomas Barton [Fri, 14 Feb 2014 00:24:15 +0000 (01:24 +0100)]
custom ip address fact
mh [Wed, 5 Feb 2014 22:21:36 +0000 (23:21 +0100)]
add test for options
mh [Wed, 5 Feb 2014 22:17:36 +0000 (23:17 +0100)]
wording
Tomas Barton [Sun, 2 Feb 2014 16:48:24 +0000 (17:48 +0100)]
tests for ssh authorized key
duritong [Sat, 1 Feb 2014 14:52:23 +0000 (06:52 -0800)]
Merge pull request #7 from deric/more-tests
More tests
Tomas Barton [Sun, 26 Jan 2014 23:16:27 +0000 (00:16 +0100)]
validate parameters
Tomas Barton [Sun, 26 Jan 2014 23:14:34 +0000 (00:14 +0100)]
removed lsb-release package
Tomas Barton [Sun, 26 Jan 2014 23:04:33 +0000 (00:04 +0100)]
removed special no-restart status for etch
Tomas Barton [Sun, 26 Jan 2014 17:35:44 +0000 (18:35 +0100)]
using fixtures.yml for linking folders
Tomas Barton [Sun, 26 Jan 2014 10:59:34 +0000 (11:59 +0100)]
test changing port
Tomas Barton [Sun, 26 Jan 2014 10:33:41 +0000 (11:33 +0100)]
client spec
Tomas Barton [Sun, 26 Jan 2014 10:25:11 +0000 (11:25 +0100)]
ruby 1.8.7 compatibility
Tomas Barton [Sun, 26 Jan 2014 10:21:47 +0000 (11:21 +0100)]
removed shared-common from dependencies
Tomas Barton [Sun, 26 Jan 2014 10:19:11 +0000 (11:19 +0100)]
basic init class specs
Tomas Barton [Sun, 26 Jan 2014 08:36:35 +0000 (09:36 +0100)]
replaces shared-lsb by puppetlabs/stdlib
mh [Sun, 26 Jan 2014 14:33:18 +0000 (15:33 +0100)]
adjust readme
mh [Sun, 26 Jan 2014 14:25:48 +0000 (15:25 +0100)]
fix broken tests
These tests were broken before, because they didn't mock the right
method.
Tomas Barton [Sat, 25 Jan 2014 18:08:49 +0000 (19:08 +0100)]
removed files directory