Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/364682 )

Change subject: Remove sshd options specific to SSH protocol 1
......................................................................

Remove sshd options specific to SSH protocol 1

These options are currently not used anyway (we only use SSH protocol 2),
but they've been removed in the openssh release present in stretch, so
they're logging errors there:

Quoting from the sshd_config manpage:

RhostsRSAAuthentication
  Specifies whether rhosts or /etc/hosts.equiv authentication together
  with successful RSA host authentication is allowed.  The default is
  “no”.  This option applies to protocol version 1 only.

RSAAuthentication
  Specifies whether pure RSA authentication is allowed.  The default is
  “yes”.  This option applies to protocol version 1 only.

ServerKeyBits
  Defines the number of bits in the ephemeral protocol version 1 server
  key.  The minimum value is 512, and the default is 1024.

KeyRegenerationInterval
  In protocol version 1, the ephemeral server key is automatically
  regenerated after this many seconds (if it has been used).  The
  purpose of regeneration is to prevent decrypting captured sessions by
  later breaking into the machine and stealing the keys. The key is never
  stored anywhere.  If the value is 0, the key is never regenerated.
  The default is 3600 (seconds).

Bug: T170298
Change-Id: I8ec75aa59dc1395f5cf4436f7c8d597ed6172409
---
M modules/ssh/templates/sshd_config.erb
1 file changed, 0 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/82/364682/1

diff --git a/modules/ssh/templates/sshd_config.erb 
b/modules/ssh/templates/sshd_config.erb
index 51fda6e..e46e72c 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -24,10 +24,6 @@
 KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
 <%- end -%>
 
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
 # Logging
 SyslogFacility AUTH
 LogLevel VERBOSE
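Review bot: please state in the commit message that the template still forces `Protocol 2` (or that every sshd in use defaults to it), because dropping `KeyRegenerationInterval 3600` and `ServerKeyBits 1024` is only a no-op on daemons that still contain protocol 1 code as long as protocol 1 stays disabled; on such hosts the options simply fall back to the defaults the commit message quotes (3600 seconds, 1024 bits), and on stretch they are gone entirely, so the behaviour is unchanged either way once that precondition is spelled out.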
@@ -49,7 +45,6 @@
 
 Ciphers 
chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
-RSAAuthentication yes
 PubkeyAuthentication yes
 #AuthorizedKeysFile    %h/.ssh/authorized_keys
 <% if @ssh_authorized_keys_file then %>
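Review bot: the commit message should mention that `PubkeyAuthentication yes`, kept on the line right after the removed `RSAAuthentication yes`, is the protocol 2 setting that actually governs RSA (and every other) key-based login; without that note a reader skimming the diff can mistake this hunk for disabling RSA key authentication.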
@@ -58,8 +53,6 @@
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
 
 <% if @enable_hba %>
 HostbasedAuthentication yes
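Review bot: the deleted comment `# For this to work you will also need host keys in /etc/ssh_known_hosts` still applies to the `HostbasedAuthentication yes` line in the `<% if @enable_hba %>` block directly below, since protocol 2 host-based authentication also requires the server to know the client host's key; consider moving the comment down to that block rather than dropping it together with `RhostsRSAAuthentication no`. `IgnoreRhosts yes` is correctly left in place, as it continues to apply to host-based authentication.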

-- 
To view, visit https://gerrit.wikimedia.org/r/364682
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8ec75aa59dc1395f5cf4436f7c8d597ed6172409
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
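As an added example, not part of this change or of the operations/puppet repository: a small POSIX shell helper that finds the four protocol-1-only directives the commit message quotes in a given sshd_config and emits a copy without them, which is the check a template like this one would want before it is shipped to hosts whose sshd rejects those keywords. The sample config embedded in it is constructed from the lines the diff touches; the function names are the author's own.

```shell
#!/bin/sh
# Added example; not code from the Gerrit change or from operations/puppet.
# Locates and strips sshd_config directives that only apply to SSH protocol 1
# (the four named in the commit message) so a config can be vetted before it
# reaches an sshd that no longer understands them.

# The four protocol-1-only keywords quoted from the sshd_config manpage.
# A directive must start the line (after optional whitespace), so commented-out
# copies are ignored; "=" is accepted as a separator like sshd does.
PROTO1_RE='^[[:space:]]*(RhostsRSAAuthentication|RSAAuthentication|ServerKeyBits|KeyRegenerationInterval)([[:space:]]|=|$)'

# find_proto1_options FILE
# Prints "lineno:directive value" for every active protocol-1 option.
# Exit status follows grep: 0 if at least one was found, 1 if the file is clean.
find_proto1_options() {
    # -i because sshd_config keywords are case-insensitive
    grep -n -i -E "$PROTO1_RE" "$1"
}

# count_proto1_options FILE -> number of offending lines on stdout (0 when clean)
count_proto1_options() {
    find_proto1_options "$1" | wc -l | tr -d ' '
}

# strip_proto1_options FILE -> the config on stdout with only those lines removed;
# comments (including the ssh_known_hosts hint) and protocol 2 settings are kept.
strip_proto1_options() {
    grep -v -i -E "$PROTO1_RE" "$1"
}

# Constructed sample (hypothetical file): the pre-change lines the diff removes,
# interleaved with the protocol 2 settings that must survive the clean-up.
SAMPLE_CONFIG=$(cat <<'EOF'
Protocol 2
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile    %h/.ssh/authorized_keys
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
HostbasedAuthentication yes
EOF
)

# write_sample PATH -> writes the constructed sample config to PATH
write_sample() {
    printf '%s\n' "$SAMPLE_CONFIG" > "$1"
}

# Stand-alone demonstration: report the offenders, then show the stripped copy is clean.
tmp=$(mktemp) || exit 1
write_sample "$tmp"
echo "protocol-1 options in sample config:"
find_proto1_options "$tmp" || echo "(none)"
strip_proto1_options "$tmp" > "$tmp.clean"
echo "offending lines remaining after strip: $(count_proto1_options "$tmp.clean")"
rm -f "$tmp" "$tmp.clean"
```

On a real host the stripped file should still be handed to `sshd -t -f <file>` before it replaces /etc/ssh/sshd_config: that test mode is what actually reports any remaining keyword the installed sshd no longer accepts, whereas the grep above only knows the four directives this change is about.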