coren has uploaded a new change for review. https://gerrit.wikimedia.org/r/50913
Change subject: Add ssh_hba variable to turn on HBA for sshd ...................................................................... Add ssh_hba variable to turn on HBA for sshd Gridengine (including OGS) requires host-based authentication to use SSH rather than RSH for communication between the master and the execution nodes. This simply adds a variable 'ssh_hba' which can be set on 'yes' in puppet to turn on HBA in sshd_config. Key management will come in a different change. Change-Id: Ibb49e71663fe2df2dd823b23f658e80a360c8a67 --- M templates/ssh/sshd_config.erb 1 file changed, 7 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/13/50913/1 diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb index 21f5a69..8c9ef0f 100644 --- a/templates/ssh/sshd_config.erb +++ b/templates/ssh/sshd_config.erb @@ -41,10 +41,14 @@ IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no -# similar for protocol version 2 + +<% if has_variable?("ssh_hba") then %> +HostbasedAuthentication <%= ssh_hba %> +HostbasedUsesNameFromPacketOnly no +<% else %> HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +<% end %> +IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no -- To view, visit https://gerrit.wikimedia.org/r/50913 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibb49e71663fe2df2dd823b23f658e80a360c8a67 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: coren <m...@uberbox.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
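Review bot: On the `HostbasedAuthentication <%= ssh_hba %>` line, the value of ssh_hba is written into sshd_config unchecked, so any value other than yes or no yields a configuration that sshd will reject; consider emitting yes only when ssh_hba equals "yes" and no in every other case. Separately, `IgnoreUserKnownHosts yes` now sits outside the if/else and so applies to every host that uses this template, which the commit message does not mention. It is a sensible companion to host-based authentication, since host keys are then trusted only from the system-wide known hosts file, but both explanatory comments were removed with it, so a one-line comment stating that intent would help. Because `IgnoreRhosts yes` remains in the context above, per-user .rhosts and .shosts files stay ignored and only the system-wide equiv files can grant host-based access; that is worth noting next to the new block for whoever writes the follow-up key management change.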