From 8398aec0293f68c59058edd897820062a2acba24 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 29 Jun 2022 14:14:43 -0700
Subject: [PATCH] basessh: enable internal sftp server globally.

In the past we only enabled sftp on servers where we needed it. (ones using sshfs, ones that users might need to sftp to, etc). However, now days the openssh scp client uses sftp, so we might as well just enable it globally so people don't need to use 'scp -O' (which has it use the old scp protocol, which will be removed someday).

Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/all | 4 ----
 inventory/group_vars/batcave | 1 -
 inventory/group_vars/people | 2 --
 inventory/group_vars/secondary | 1 -
 inventory/host_vars/koji01.iad2.fedoraproject.org | 2 --
 roles/basessh/templates/sshd_config | 4 ----
 6 files changed, 14 deletions(-)

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 4348cc7ff3..9c4f3f737d 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -233,10 +233,6 @@ ssh_hostnames: []
 sshd_keyhelper: false
 # Normal default sshd port is 22
 sshd_port: 22
-#
-# sshd can run a internal sftp server, we need this on some hosts, but
-# not on most of them, so default to false
-sshd_sftp: false
 tcp_ports: []
 # example of ports for default iptables
 # tcp_ports: [ 22, 80, 443 ]
diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave
index d05a84c54e..9f38aca0c7 100644
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@@ -71,6 +71,5 @@ nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
 num_cpus: 10
 primary_auth_source: ipa
-sshd_sftp: true
 tcp_ports: [80, 443, 8442, 8443]
 vpn: true
diff --git a/inventory/group_vars/people b/inventory/group_vars/people
index b66614cce6..15ba3216ae 100644
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@@ -41,6 +41,4 @@ ipa_client_sudo_groups:
 ipa_host_group: people
 ipa_host_group_desc: A place for people to host things
 primary_auth_source: ipa
-# enable sftp for cotributors.
-sshd_sftp: true
 vpn: true
diff --git a/inventory/group_vars/secondary b/inventory/group_vars/secondary
index daf246297e..ec8bd98cda 100644
--- a/inventory/group_vars/secondary
+++ b/inventory/group_vars/secondary
@@ -22,5 +22,4 @@ nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
 primary_auth_source: ipa
 rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}"
-sshd_sftp: true
 tcp_ports: [80, 443, 873]
diff --git a/inventory/host_vars/koji01.iad2.fedoraproject.org b/inventory/host_vars/koji01.iad2.fedoraproject.org
index 7b6b595c31..f7c24d1a7c 100644
--- a/inventory/host_vars/koji01.iad2.fedoraproject.org
+++ b/inventory/host_vars/koji01.iad2.fedoraproject.org
@@ -10,8 +10,6 @@ ks_repo: http://10.3.163.35/pub/fedora/linux/releases/35/Server/x86_64/os/
 ks_url: http://10.3.163.35/repo/rhel/ks/kvm-fedora
 nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
-# we need sftp here in order to support the sshfs mount on buildvm-s390x-01
-sshd_sftp: true
 virt_install_command: "{{ virt_install_command_one_nic }}"
 vmhost: bvmhost-x86-02.iad2.fedoraproject.org
 volgroup: /dev/vg_guests
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index b54428d3ea..bd6f809365 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -62,8 +62,4 @@ AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
 AuthorizedKeysCommandUser nobody
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
 {% endif %}
-
-
-{% if sshd_sftp %}
 Subsystem sftp internal-sftp
-{% endif %}
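Review bot: With the `{% if sshd_sftp %}` guard removed at the end of roles/basessh/templates/sshd_config, `Subsystem sftp internal-sftp` is rendered on every host and there is no longer a per-host way to turn it off. Hosts that relied on the old default of `false` now accept SFTP sessions from any account that can authenticate, so it would be safer to keep the conditional and flip the default (`sshd_sftp: true` in inventory/group_vars/all), letting a restricted host still opt out. Since the subsystem becomes fleet-wide, consider enabling its transfer logging too, e.g. `Subsystem sftp internal-sftp -f AUTHPRIV -l INFO`. Any `sshd_sftp:` assignments in inventory files not touched by this patch would be left as dead variables; that cannot be checked from the hunks shown.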