[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

incoming SSH restriction for *.debian.org


At the moment, most debian.org hosts accept incoming ssh connections from the
entire Internet.  In the future, DSA intends to change this and, by default,
only accept ssh connections from other debian.org machines.

The following classes of hosts will continue to accept ssh from everywhere:

    - upload hosts
    - master and people.debian.org
    - salsa.debian.org
    - dedicated ssh jumphosts {na,eu}.ssh.debian.org
    - porter boxes (maybe).

These changes will come into effect no sooner than mid December.  The following
snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all
debian.org hosts other than the jumphosts.

Host *.debian.org !*.ssh.debian.org !ssh.debian.org
    ProxyJump ssh.debian.org
    # (or {na,eu}.ssh.debian.org)

Our documentation at https://dsa.debian.org/doc/firewall/ will also be updated.

Julien, for DSA

Attachment: signature.asc
Description: PGP signature

Reply to: