)]}'
{"diskimage_builder/elements/openssh-server/README.rst":[{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"924e6de4b68b598760a9a5296330aaf00bcf2cfc","unresolved":false,"context_lines":[{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":"This element ensures that openssh server is installed and enabled during boot."},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"To enforce sshd configuration, you have to set ``DIB_ENFORCE_SSHD`` to 0."},{"line_number":7,"context_line":"This option will configure KexAlgorithms, Ciphers and MAC following good"},{"line_number":8,"context_line":"pratices on https://infosec.mozilla.org/guidelines/openssh"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ffb9cba7_6e9079ee","line":6,"updated":"2019-04-29 02:00:24.000000000","message":"This is inconsistent with almost everything else where we set to \"1\" to enable something.  so i\u0027d like to see this reversed for consistency.\n\nwhen turning up security options, I feel like \"hardening\" is a pretty common term.  also i feel it\u0027s helpful to have the element referenced in the var; so maybe DIB_OPENSSH_SERVER_HARDENING\u003d\u003c0|1\u003e is better?\n\nprobably a strong argument to have this default to 1 and be on in the usual case, and set it to 0 to disable it.  
i think that would be fine along with a release note to call it out.","commit_id":"89bf274c0715ab35f681854c29381e42792a3ffd"},{"author":{"_account_id":11810,"name":"Nicolas Hicher","email":"nhicher@redhat.com","username":"atarakt"},"change_message_id":"dd0735413aee88fde0bef08b5256239f6d922e4e","unresolved":false,"context_lines":[{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":"This element ensures that openssh server is installed and enabled during boot."},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"To enforce sshd configuration, you have to set ``DIB_ENFORCE_SSHD`` to 0."},{"line_number":7,"context_line":"This option will configure KexAlgorithms, Ciphers and MAC following good"},{"line_number":8,"context_line":"pratices on https://infosec.mozilla.org/guidelines/openssh"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ffb9cba7_f9741138","line":6,"in_reply_to":"ffb9cba7_6e9079ee","updated":"2019-05-01 15:21:18.000000000","message":"Hello, thanks for the review. 
I will change the variable name and set the default to activate this hardening step.","commit_id":"89bf274c0715ab35f681854c29381e42792a3ffd"}],"diskimage_builder/elements/openssh-server/post-install.d/99-enforce-sshd-config":[{"author":{"_account_id":1955,"name":"Alan Pevec","email":"alan.pevec@redhat.com","username":"apevec"},"change_message_id":"8174a1432c15352d2d1364047f21a32827c9da25","unresolved":false,"context_lines":[{"line_number":10,"context_line":"    sed -i \u0027/# Ciphers and keying/a KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256\u0027 /etc/ssh/sshd_config"},{"line_number":11,"context_line":"    sed -i \u0027/# Ciphers and keying/a Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\u0027 /etc/ssh/sshd_config"},{"line_number":12,"context_line":"    sed -i \u0027/# Ciphers and keying/a MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\u0027 /etc/ssh/sshd_config"},{"line_number":13,"context_line":"fi"},{"line_number":14,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"3fce034c_c0d4c7eb","line":13,"updated":"2019-04-19 12:32:01.000000000","message":"What about using Augeas?\nThere\u0027s augeas module https://galaxy.ansible.com/paluh/augeas","commit_id":"656e3f1d4d3246dd8f4c1fa3afc9c2b07e7b562b"},{"author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"change_message_id":"d1ac47ee08176e5e63b2624290702c986b7198de","unresolved":false,"context_lines":[{"line_number":10,"context_line":"    sed -i \u0027/# Ciphers and keying/a KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256\u0027 /etc/ssh/sshd_config"},{"line_number":11,"context_line":"    
sed -i \u0027/# Ciphers and keying/a Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\u0027 /etc/ssh/sshd_config"},{"line_number":12,"context_line":"    sed -i \u0027/# Ciphers and keying/a MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\u0027 /etc/ssh/sshd_config"},{"line_number":13,"context_line":"fi"},{"line_number":14,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"ffb9cba7_8ae1a0d3","line":13,"in_reply_to":"3fce034c_c0d4c7eb","updated":"2019-04-21 23:37:58.000000000","message":"IIUC, dib post-install are executed from within the target image, and Ansible or Augeas may not be available.","commit_id":"656e3f1d4d3246dd8f4c1fa3afc9c2b07e7b562b"},{"author":{"_account_id":4162,"name":"Paul Belanger","email":"pabelanger@redhat.com","username":"pabelanger"},"change_message_id":"832fc0b7226f3d75b522b969afd2e48b0b7acff9","unresolved":false,"context_lines":[{"line_number":5,"context_line":"set -eu"},{"line_number":6,"context_line":"set -o pipefail"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"if ! grep -qE \u0027^Macs\u0027 /etc/ssh/sshd_config; then"},{"line_number":9,"context_line":"    sed -i \u0027/# Ciphers and keying/a MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\u0027 /etc/ssh/sshd_config"},{"line_number":10,"context_line":"fi"},{"line_number":11,"context_line":"if ! 
grep -qE \u0027^Ciphers\u0027 /etc/ssh/sshd_config; then"}],"source_content_type":"application/x-shellscript","patch_set":2,"id":"ffb9cba7_baae0fe5","line":8,"updated":"2019-04-23 14:01:19.000000000","message":"For backwards compatibility we should add a configuration setting for this (disabled by default).\n\nFor the most part we tend not to do cfgmgmt directly in diskimage-builder, as each deployment is different, but I could see us enabling this in opendev/project-config for all images used by opendev.","commit_id":"928bea8b29bbc9a044e28c0510b463288a102b19"},{"author":{"_account_id":11810,"name":"Nicolas Hicher","email":"nhicher@redhat.com","username":"atarakt"},"change_message_id":"1442d1a2484be0d7806657ead6e3a272d258b188","unresolved":false,"context_lines":[{"line_number":5,"context_line":"set -eu"},{"line_number":6,"context_line":"set -o pipefail"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"if ! grep -qE \u0027^Macs\u0027 /etc/ssh/sshd_config; then"},{"line_number":9,"context_line":"    sed -i \u0027/# Ciphers and keying/a MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\u0027 /etc/ssh/sshd_config"},{"line_number":10,"context_line":"fi"},{"line_number":11,"context_line":"if ! grep -qE \u0027^Ciphers\u0027 /etc/ssh/sshd_config; then"}],"source_content_type":"application/x-shellscript","patch_set":2,"id":"ffb9cba7_7b32d6f3","line":8,"in_reply_to":"ffb9cba7_baae0fe5","updated":"2019-04-23 22:35:23.000000000","message":"Done","commit_id":"928bea8b29bbc9a044e28c0510b463288a102b19"}]}
