
Re: incoming SSH restriction for *.debian.org

Hi Julien,

On Sat, Nov 10, 2018 at 03:59:36PM +0100, Julien Cristau wrote:
> Hi,
> At the moment, most debian.org hosts accept incoming ssh connections from the
> entire Internet.  In the future, DSA intends to change this and, by default,
> only accept ssh connections from other debian.org machines.
> The following classes of hosts will continue to accept ssh from everywhere:
>     - upload hosts
>     - master and people.debian.org
>     - salsa.debian.org
>     - dedicated ssh jumphosts {na,eu}.ssh.debian.org
>     - porter boxes (maybe).
> These changes will come into effect no sooner than mid December.  The following
> snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all
> debian.org hosts other than the jumphosts.
> Host *.debian.org !*.ssh.debian.org !ssh.debian.org
>     ProxyJump ssh.debian.org
>     # (or {na,eu}.ssh.debian.org)
> Our documentation at https://dsa.debian.org/doc/firewall/ will also be updated.

I support this, but it would make uploading video content from debconf
to vittoria.d.o rather complicated and slow (we do rsync-over-SSH to
back up the raw recordings after debconf, which for a full debconf
usually racks up to about a terabyte; doing that via a jumphost seems
like a bad idea).

Can an exception be made for vittoria? If not, can this be done on a
case-by-case basis for the events where we would like to upload
something from? This would also include miniconfs etc.


To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard
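
Added example, not part of the original message or of DSA's documentation: a simplified Python model of how OpenSSH evaluates the quoted Host line ('*' and '?' wildcards, '!' negation as described in ssh_config(5)), to show which hosts from the thread would be routed through the jumphost. The function names, the lower-casing of names, and the expansion of "vittoria.d.o" to vittoria.debian.org are assumptions of this example.

```python
import re

# Host line quoted in the message above.
HOST_LINE = "*.debian.org !*.ssh.debian.org !ssh.debian.org"


def pattern_to_regex(pattern):
    """Translate an ssh_config pattern ('*' and '?' wildcards only) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def host_block_applies(host_line, hostname):
    """Return True if a Host block with these patterns applies to hostname.

    Per ssh_config(5): the block applies when at least one plain pattern
    matches and no '!'-negated pattern matches.
    """
    hostname = hostname.lower()  # assumption: names are compared in lower case
    positive = False
    for pat in host_line.split():
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        if pattern_to_regex(body.lower()).match(hostname):
            if negated:
                return False  # a negated match disables the whole block
            positive = True
    return positive


def uses_jumphost(hostname):
    """Would the quoted snippet apply ProxyJump to this hostname?"""
    return host_block_applies(HOST_LINE, hostname)


if __name__ == "__main__":
    # Hostnames taken from the thread; vittoria.debian.org expands "vittoria.d.o".
    for name in ["ssh.debian.org", "eu.ssh.debian.org", "master.debian.org",
                 "salsa.debian.org", "vittoria.debian.org", "debian.org"]:
        print(f"{name:24} ProxyJump: {uses_jumphost(name)}")
```

The pattern also matches hosts that stay reachable from everywhere (master, salsa), so with this snippet alone those connections go through the jumphost as well; on a real client, `ssh -G <host>` prints the configuration OpenSSH actually resolves.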
