I have probably made this a bit wordy but I have found long jinja2
logic statements to be a bit hard to debug or go off the rails. So I
copied the section for Red Hat and used it for Fedora.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
This reverts commit 3437042944.
This doesn't work on rhel8 machines:
/etc/crypto-policies/back-ends/opensshserver.config: line 1: Bad configuration option: CRYPTO_POLICY
/etc/crypto-policies/back-ends/opensshserver.config: terminating, 1 bad configuration options
EL6 and EL7 have a limited set of algorithms, but EL8 and Fedora use
system configs set in a different file. Added an elif to better try
and show this.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
In the past we only enabled sftp on servers where we needed it.
(ones using sshfs, ones that users might need to sftp to, etc).
However, now days the openssh scp client uses sftp, so we might as well
just enable it globally so people don't need to use 'scp -O' (which
has it use the old scp protocol, which will be removed someday).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action an user/key can do: command="...".
In this case, we're setting a couple of environment variable that
are needed later on for things to work properly as well as only
allow the user to call the aclchecker.py script provided by pagure.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action an user/key can do: command="...".
In this case, we're setting a couple of environment variable that
are needed later on for things to work properly as well as only
allow the user to call the aclchecker.py script provided by pagure.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
For newer ssh (in fedora) we need to have certs that are not using
sha-1. So, we need to regenerate the certs signed by our CA with sha256.
While we are at it, enable the ed25519 host keys as rsa keys are
increasingly in disfavor.
So, old ssh will use the old rsa host certs that are sha1 for now, but
new ssh will use the sha256 signed ed25519 certs. If everything works
fine for a while, we can resign the rsa host keys also and totally get
rid of the sha1 certs.
Since both host keys are signed by our CA, they should still be just as
trusted as before. If you are asked to approve a new host key for
something, make sure you have our CA in your known_hosts file:
https://admin.fedoraproject.org/ssh_known_hosts
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
download: mod_limitipconn isn't used anyone, dropped the entire line.
transient_cloud: just dropped the dnf part and use 'package' entirely.
sshd_config: UsePrivilegeSeparation isn't used in Fedora at all.
koji_hub: no fedora or rhel8 hubs yet, so just 7 is fine for now.
openvpn: changes look ok
packages3: Should get cverna to review, packages is using fedora now.
varnish: no rhel8 varnish servers yet.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
