SSH configuration not up to the evolix standard #23

Closed
opened 2019-09-18 16:12:58 +02:00 by Ghost · 6 comments

An access whitelist should be present, either based on AllowGroups or AllowUsers.

Author

That's right!

At first, it wasn't needed since on the OpenBSD machines the only Unix accounts were the system administrators' ones.

Now, some of the machines we're taking care of have other Unix accounts which are not supposed to connect through SSH.

Author

I will port the evolinux-users role. I have experience from optimising the linux version in evolix/ansible-roles#78.

I believe we only need to support adding new users to an existing AllowUsers statement, new groups to an existing AllowGroups statement or creating the AllowGroups statement. I do not think there is a case where we would want to create an AllowUsers statement if one is not already in use, am I right?

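To make the rule discussed in the comment above concrete, here is an added Python example (not code from EvoBSD or the evolinux-users role) that reports whether a global whitelist is present and extends it under exactly those constraints: append to an existing AllowUsers or AllowGroups line, create AllowGroups when it is missing, but never create an AllowUsers line from scratch. The sshd_config fragment and the names are constructed.

```python
import re

# Constructed sshd_config fragment for demonstration (not from the EvoBSD repository).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication no

Match Group sftponly
    AllowUsers sftpuser
"""

# sshd_config keywords are case-insensitive; values are whitespace-separated patterns.
_KEYWORD_RE = re.compile(r"^\s*(AllowUsers|AllowGroups)\s+(.*?)\s*$", re.IGNORECASE)


def _global_lines(lines):
    """Yield (index, line) for lines before the first Match block.
    Directives inside a Match block are conditional and are not the global whitelist."""
    for i, line in enumerate(lines):
        if re.match(r"^\s*Match\b", line, re.IGNORECASE):
            return
        yield i, line


def whitelist_status(config_text):
    """Return the first global AllowUsers/AllowGroups value lists, or None when absent."""
    found = {"AllowUsers": None, "AllowGroups": None}
    for _, line in _global_lines(config_text.splitlines()):
        m = _KEYWORD_RE.match(line)
        if m:
            key = "AllowUsers" if m.group(1).lower() == "allowusers" else "AllowGroups"
            if found[key] is None:  # only the first global occurrence is managed here
                found[key] = m.group(2).split()
    return found


def add_to_whitelist(config_text, keyword, name):
    """Idempotently add `name` to the global `keyword` directive and return the new text."""
    lines = config_text.splitlines()
    for i, line in _global_lines(lines):
        m = _KEYWORD_RE.match(line)
        if m and m.group(1).lower() == keyword.lower():
            names = m.group(2).split()
            if name not in names:
                lines[i] = f"{m.group(1)} {' '.join(names + [name])}"
            return "\n".join(lines) + "\n"
    if keyword.lower() == "allowgroups":
        # Insert before the first Match block so the directive stays global.
        lines.insert(sum(1 for _ in _global_lines(lines)), f"AllowGroups {name}")
        return "\n".join(lines) + "\n"
    # A brand-new AllowUsers line would lock out every account not listed on it.
    raise ValueError("refusing to create a new AllowUsers directive; use AllowGroups instead")
```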
Author

Good to know! I didn't look over the changes you made though.

I agree with you, but I'm not even sure we should add an AllowGroups statement on a system already in production unless we're sure it won't cause unpredicted side effects. For instance on the Evolix firewalls/routers.

Author

We don't generally run the evolixisation playbook on production systems though? And tags make it possible to ignore certain tasks if we ever need to.

Author

See pull request #26

Author

This should be closed by #26

Ghost closed this issue 2020-04-23 17:23:33 +02:00
Reference: evolix/EvoBSD#23