incoming SSH restriction for *.debian.org


Julien Cristau-6
Hi,

At the moment, most debian.org hosts accept incoming ssh connections from the
entire Internet.  In the future, DSA intends to change this and, by default,
only accept ssh connections from other debian.org machines.

The following classes of hosts will continue to accept ssh from everywhere:

    - upload hosts
    - master and people.debian.org
    - salsa.debian.org
    - dedicated ssh jumphosts {na,eu}.ssh.debian.org
    - porter boxes (maybe).

These changes will come into effect no sooner than mid-December.  The following
snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all
debian.org hosts other than the jumphosts.

Host *.debian.org !*.ssh.debian.org !ssh.debian.org
    ProxyJump ssh.debian.org
    # (or {na,eu}.ssh.debian.org)

Our documentation at https://dsa.debian.org/doc/firewall/ will also be updated.

Cheers,
Julien, for DSA

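Added example (not part of the original message, and not DSA's code): a small model of how ssh_config(5) evaluates the Host line above, showing which names would be routed through the jumphost and that the jumphosts themselves are excluded, so the ProxyJump cannot loop. The function names and example.org are assumptions made for illustration; only the '*' and '?' wildcards are modelled.

```python
import re

# Pattern list from the Host line in the message, without the "Host" keyword.
HOST_PATTERNS = "*.debian.org !*.ssh.debian.org !ssh.debian.org"


def _pattern_to_regex(pattern):
    """Translate an ssh_config pattern ('*' and '?' wildcards) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.DOTALL)


def host_block_applies(hostname, patterns=HOST_PATTERNS):
    """Return True if a Host block with this pattern list applies to hostname.

    Per ssh_config(5): a matching '!' pattern vetoes the block, and negated
    patterns alone never produce a match, so a positive pattern must match too.
    """
    positive = False
    for pat in patterns.split():
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if _pattern_to_regex(pat).match(hostname):
            if negated:
                return False
            positive = True
    return positive


def classify(hosts):
    """Map each hostname to 'via jumphost' or 'direct' under the snippet."""
    return {h: "via jumphost" if host_block_applies(h) else "direct" for h in hosts}


if __name__ == "__main__":
    # Host names taken from the message, plus example.org (constructed).
    sample = ["master.debian.org", "salsa.debian.org", "ssh.debian.org",
              "na.ssh.debian.org", "eu.ssh.debian.org", "example.org"]
    for host, route in classify(sample).items():
        print(f"{host:22} {route}")
```

On a machine with OpenSSH installed, "ssh -G <hostname>" prints the configuration the real client resolves for a host, including any proxyjump value, and can be used to confirm the result.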