incoming SSH restriction for *.debian.org

To: debian-devel-announce@lists.debian.org
Subject: incoming SSH restriction for *.debian.org
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 10 Nov 2018 15:59:36 +0100
Message-id: <[🔎] 20181110145936.44fzyvwxx6p2bvs2@betterave.cristau.org>
Reply-to: debian-admin@lists.debian.org

Hi,

At the moment, most debian.org hosts accept incoming ssh connections from the
entire Internet.  In the future, DSA intends to change this and, by default,
only accept ssh connections from other debian.org machines.

The following classes of hosts will continue to accept ssh from everywhere:

    - upload hosts
    - master and people.debian.org
    - salsa.debian.org
    - dedicated ssh jumphosts {na,eu}.ssh.debian.org
    - porter boxes (maybe).

These changes will come into effect no sooner than mid December.  The following
snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all
debian.org hosts other than the jumphosts.

Host *.debian.org !*.ssh.debian.org !ssh.debian.org
    ProxyJump ssh.debian.org
    # (or {na,eu}.ssh.debian.org)

Our documentation at https://dsa.debian.org/doc/firewall/ will also be updated.

Cheers,
Julien, for DSA

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Bits from the Debian Anti-harassment team
Next by Date: CTTE decision on vendor-specific patch series (bug #904302)
Previous by thread: Bits from the Debian Anti-harassment team
Next by thread: CTTE decision on vendor-specific patch series (bug #904302)
Index(es):
- Date
- Thread