From 9810200d7874147465912b10ae9b73a505a61f19 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Wed, 31 Jan 2024 15:25:45 -0500
Subject: [PATCH] puppet: Stop writing custom sshd_config.

The only relevant changes are `PasswordAuthentication no` (which is now the default) and `MaxStartups 40:50:60` (which is now unneccesary due to autossh tunnels.
---
 puppet/zulip_ops/files/sshd_config | 91 ----------------------
 puppet/zulip_ops/manifests/profile/base.pp | 11 ---
 2 files changed, 102 deletions(-)
 delete mode 100644 puppet/zulip_ops/files/sshd_config

diff --git a/puppet/zulip_ops/files/sshd_config b/puppet/zulip_ops/files/sshd_config
deleted file mode 100644
index de5b07f45f..0000000000
--- a/puppet/zulip_ops/files/sshd_config
+++ /dev/null
@@ -1,91 +0,0 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin prohibit-password
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-MaxStartups 40:50:60
-#Banner /etc/issue.net
-
-# Commented out to prevent use of client locales. This causes problems
-# otherwise if our developers have a non-standard locale.
-#AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-UseDNS no
-PasswordAuthentication no
diff --git a/puppet/zulip_ops/manifests/profile/base.pp b/puppet/zulip_ops/manifests/profile/base.pp
index fb595a41a2..b4c1db2a25 100644
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@@ -85,17 +85,6 @@ class zulip_ops::profile::base {
 ensure => running,
 }
-file { '/etc/ssh/sshd_config':
-ensure => file,
-require => Package['openssh-server'],
-source => 'puppet:///modules/zulip_ops/sshd_config',
-owner => 'root',
-group => 'root',
-mode => '0644',
-notify => Service['ssh'],
-}
-
-
 include zulip_ops::aws_tools
 if $is_ec2 {
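Review bot: Dropping the `file { '/etc/ssh/sshd_config': ... }` resource leaves `PasswordAuthentication no` — the last line of the deleted config — to whatever the host image ships, and nothing left in base.pp pins it; upstream OpenSSH defaults `PasswordAuthentication` to yes, so the "now the default" in the commit message presumably relies on a distribution or cloud-image drop-in that Puppet does not control. Removing the resource also does not revert hosts that already received the custom file: the stale copy, with options newer OpenSSH releases report as deprecated (`RSAAuthentication`, `ServerKeyBits`, `UsePrivilegeSeparation`), stays in place until the package's own conffile handling replaces it, so a note in the commit or a one-off cleanup step would help. Where the packaged sshd_config includes `/etc/ssh/sshd_config.d/*.conf`, a small drop-in keeps the setting explicit and auditable without re-owning the whole file, as sketched below; `class zulip_ops::profile::base` starts and ends outside this hunk.
```puppet
  # Pin the one setting the old managed sshd_config enforced, instead of
  # relying on the image default. File name is illustrative; any
  # sshd_config.d/*.conf works where the packaged config includes that dir.
  file { '/etc/ssh/sshd_config.d/50-zulip.conf':
    ensure  => file,
    require => Package['openssh-server'],
    content => "PasswordAuthentication no\n",
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    notify  => Service['ssh'],
  }
  # … unchanged: include zulip_ops::aws_tools …
```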