We need this in order to be able to use them as jumphosts with ssh.
Without it, there's no easy way to get to any internal machines.
Just enable it here and leave the default off.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This should largely have no effect, but makes things easiler to
follow/read. We have 0 rhel7 instances left so removing all those
conditionals.
Also, rename the sshd_config teplate to be .j2 like all our other
templates.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.
I went through all `notify:` occurrences and fixed them by running
```
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep
-rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```
Then I went through all the changes and removed the ones that wasn't
expected to be changed.
Fixes https://pagure.io/fedora-infrastructure/issue/12391
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
fix 1900 failures of the following case issue:
`name[casing]: All names should start with an uppercase letter.`
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
I have probably made this a bit wordy but I have found long jinja2
logic statements to be a bit hard to debug or go off the rails. So I
copied the section for Red Hat and used it for Fedora.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
This reverts commit 3437042944.
This doesn't work on rhel8 machines:
/etc/crypto-policies/back-ends/opensshserver.config: line 1: Bad configuration option: CRYPTO_POLICY
/etc/crypto-policies/back-ends/opensshserver.config: terminating, 1 bad configuration options
EL6 and EL7 have a limited set of algorithms, but EL8 and Fedora use
system configs set in a different file. Added an elif to better try
and show this.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
In the past we only enabled sftp on servers where we needed it.
(ones using sshfs, ones that users might need to sftp to, etc).
However, now days the openssh scp client uses sftp, so we might as well
just enable it globally so people don't need to use 'scp -O' (which
has it use the old scp protocol, which will be removed someday).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action an user/key can do: command="...".
In this case, we're setting a couple of environment variable that
are needed later on for things to work properly as well as only
allow the user to call the aclchecker.py script provided by pagure.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action an user/key can do: command="...".
In this case, we're setting a couple of environment variable that
are needed later on for things to work properly as well as only
allow the user to call the aclchecker.py script provided by pagure.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
For newer ssh (in fedora) we need to have certs that are not using
sha-1. So, we need to regenerate the certs signed by our CA with sha256.
While we are at it, enable the ed25519 host keys as rsa keys are
increasingly in disfavor.
So, old ssh will use the old rsa host certs that are sha1 for now, but
new ssh will use the sha256 signed ed25519 certs. If everything works
fine for a while, we can resign the rsa host keys also and totally get
rid of the sha1 certs.
Since both host keys are signed by our CA, they should still be just as
trusted as before. If you are asked to approve a new host key for
something, make sure you have our CA in your known_hosts file:
https://admin.fedoraproject.org/ssh_known_hosts
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
