Re: incoming SSH restriction for *.debian.org
Hi Julien,
On Sat, Nov 10, 2018 at 03:59:36PM +0100, Julien Cristau wrote:
> Hi,
>
> At the moment, most debian.org hosts accept incoming ssh connections from the
> entire Internet. In the future, DSA intends to change this and, by default,
> only accept ssh connections from other debian.org machines.
>
> The following classes of hosts will continue to accept ssh from everywhere:
>
> - upload hosts
> - master and people.debian.org
> - salsa.debian.org
> - dedicated ssh jumphosts {na,eu}.ssh.debian.org
> - porter boxes (maybe).
>
> These changes will come into effect no sooner than mid December. The following
> snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all
> debian.org hosts other than the jumphosts.
>
>   Host *.debian.org !*.ssh.debian.org !ssh.debian.org
>     ProxyJump ssh.debian.org
>     # (or {na,eu}.ssh.debian.org)
>
> Our documentation at https://dsa.debian.org/doc/firewall/ will also be updated.

I support this, but it would make uploading video content from debconf
to vittoria.d.o rather complicated and slow (we do rsync-over-SSH to
back up the raw recordings after debconf, which for a full debconf
usually racks up to about a terabyte; doing that via a jumphost seems
like a bad idea).

Can an exception be made for vittoria? If not, can this be done on a
case-by-case basis for the events where we would like to upload
something from? This would also include miniconfs etc.

Thanks,

--
To the thief who stole my anti-depressants: I hope you're happy
-- seen somewhere on the Internet on a photo of a billboard
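
Added example, not part of the original messages: a small Python model of how OpenSSH evaluates the quoted Host line, showing which hostnames end up behind the ProxyJump. The pattern semantics follow ssh_config(5); the function names are hypothetical, and matching is assumed to be against the name as typed on the command line (no CanonicalizeHostname).

```python
import re

# Host line from the quoted ~/.ssh/config snippet.
HOST_PATTERNS = "*.debian.org !*.ssh.debian.org !ssh.debian.org"


def _pattern_to_regex(pattern):
    """Translate an ssh_config pattern ('*' and '?' wildcards only) to a regex."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def uses_jumphost(hostname, patterns=HOST_PATTERNS):
    """Return True if the Host line (and so its ProxyJump) applies to hostname.

    Per ssh_config(5): a matching negated pattern rules the whole line out,
    and at least one non-negated pattern must match.
    """
    name = hostname.lower()
    positive = False
    for pat in patterns.split():
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        if _pattern_to_regex(body).fullmatch(name):
            if negated:
                return False  # exception wins over any wildcard match
            positive = True
    return positive


if __name__ == "__main__":
    # Hostnames taken from the thread, plus a short alias (constructed).
    for host in ("vittoria.debian.org", "salsa.debian.org", "master.debian.org",
                 "ssh.debian.org", "na.ssh.debian.org", "vittoria"):
        route = "via ssh.debian.org" if uses_jumphost(host) else "direct"
        print(f"{host:24} {route}")
```

The negated patterns keep the jumphosts themselves from being proxied through a jumphost; hosts that still accept SSH from everywhere, such as salsa.debian.org, also match the wildcard and would need their own exception to be reached directly.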