From: root Date: Tue, 15 Mar 2016 06:22:54 +0000 (+0100) Subject: saving uncommitted changes in /etc prior to emerge run X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=569bcd72810d5d1b8936424452ccbb988959e0b1;p=config%2Fhelga%2Fetc.git saving uncommitted changes in /etc prior to emerge run --- diff --git a/.etckeeper b/.etckeeper index 7c17bf6..dca5e55 100755 --- a/.etckeeper +++ b/.etckeeper @@ -119,6 +119,7 @@ maybe chmod 0644 'apache2/info_users_passwd' maybe chmod 0644 'apache2/magic' maybe chmod 0755 'apache2/modules.d' maybe chmod 0755 'apache2/modules.d.old' +maybe chmod 0644 'apache2/modules.d/._mrg0000_00_mod_autoindex.conf' maybe chmod 0700 'apache2/modules.d/.rcs' maybe chmod 0444 'apache2/modules.d/.rcs/00_apache_manual.conf,v' maybe chmod 0444 'apache2/modules.d/.rcs/00_default_settings.conf,v' @@ -489,7 +490,9 @@ maybe chmod 0755 'config-archive/etc/apache2/modules.d' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf,v' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.1' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new' @@ -498,7 +501,9 @@ maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_languages.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_languages.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf,v' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new' @@ -514,6 +519,8 @@ maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.n maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/20_mod_fcgid.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/20_mod_fcgid.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/47_mod_dav_svn.conf' @@ -663,6 +670,9 @@ maybe chmod 0644 'config-archive/etc/dispatch-conf.conf.dist' maybe chmod 0755 'config-archive/etc/elinks' maybe chmod 0644 'config-archive/etc/elinks/elinks.conf,v' maybe chmod 0644 'config-archive/etc/etc-update.conf,v' +maybe chmod 0755 'config-archive/etc/etckeeper' +maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf' +maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist.new' maybe chmod 0755 'config-archive/etc/fonts' maybe chmod 0755 'config-archive/etc/fonts/conf.avail' maybe chmod 0644 'config-archive/etc/fonts/conf.avail/30-urw-aliases.conf,v' @@ -971,6 +981,7 @@ maybe chmod 0755 'config-archive/etc/ssh' maybe chmod 0644 'config-archive/etc/ssh/ssh_config' maybe chmod 0644 'config-archive/etc/ssh/ssh_config,v' maybe chmod 0644 'config-archive/etc/ssh/ssh_config.1' +maybe chmod 0644 'config-archive/etc/ssh/ssh_config.2' maybe chmod 0644 'config-archive/etc/ssh/ssh_config.dist' maybe chmod 0600 'config-archive/etc/ssh/sshd_config' maybe chmod 0644 'config-archive/etc/ssh/sshd_config,v' @@ -978,7 +989,9 @@ maybe chmod 0600 'config-archive/etc/ssh/sshd_config.1' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.2' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.3' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.4' +maybe chmod 0600 'config-archive/etc/ssh/sshd_config.5' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.dist' +maybe chmod 0600 'config-archive/etc/ssh/sshd_config.dist.new' maybe chmod 0755 'config-archive/etc/ssl' maybe chmod 0755 'config-archive/etc/ssl/certs' maybe chmod 0644 'config-archive/etc/ssl/certs/ca-certificates.crt,v' @@ -2809,6 +2822,7 @@ maybe chmod 0755 'smartd_warning.sh' maybe chmod 0755 'snmp' maybe chmod 0644 'snmp/snmpd.conf.example' maybe chmod 0755 'ssh' +maybe chmod 0600 'ssh/._mrg0000_sshd_config' maybe chmod 0644 'ssh/moduli' maybe chmod 0644 'ssh/ssh_config' maybe chmod 0600 'ssh/ssh_host_dsa_key' diff --git a/apache2/modules.d/._mrg0000_00_mod_autoindex.conf b/apache2/modules.d/._mrg0000_00_mod_autoindex.conf new file mode 100644 index 0000000..dedf060 --- /dev/null +++ b/apache2/modules.d/._mrg0000_00_mod_autoindex.conf @@ -0,0 +1,93 @@ + + + + +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. +Alias /icons/ "/usr/share/apache2/icons/" + + + Options Indexes MultiViews + AllowOverride None + Require all granted + + + +# Directives controlling the display of server-generated directory listings. +# +# To see the listing of a directory, the Options directive for the +# directory must include "Indexes", and the directory must not contain +# a file matching those listed in the DirectoryIndex directive. + +# IndexOptions: Controls the appearance of server-generated directory +# listings. +#IndexOptions FancyIndexing VersionSort +IndexOptions FancyIndexing VersionSort FoldersFirst HTMLTable IgnoreCase NameWidth=50 + +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (CDR,/icons/corel-document.png) image/x-coreldraw + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/corel-document.png .cdr + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +DefaultIcon /icons/unknown.gif + +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename + +AddDescription "GZIP-komprimiertes Tar-Archiv" .tar.gz +AddDescription "GZIP-komprimiertes Dokument" .gz +AddDescription "Tar-Archive" .tar +AddDescription "GZIP-komprimiertes Tar-Archiv" .tgz +AddDescription "PDF-Dokument" .pdf +AddDescription "CorelDraw-Zeichnung" .cdr + +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. + +# HeaderName is the name of a file which should be prepended to +# directory indexes. +ReadmeName README.html +HeaderName HEADER.html + +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/httpd.conf.dist.new b/config-archive/etc/apache2/httpd.conf.dist.new index b354e4d..0494b0f 100644 --- a/config-archive/etc/apache2/httpd.conf.dist.new +++ b/config-archive/etc/apache2/httpd.conf.dist.new @@ -1,4 +1,4 @@ -# This is a modification of the default Apache 2.2 configuration file +# This is a modification of the default Apache 2.4 configuration file # for Gentoo Linux. # # Support: @@ -13,9 +13,9 @@ # # This is the main Apache HTTP server configuration file. It contains the # configuration directives that give the server its instructions. -# See for detailed information. +# See for detailed information. # In particular, see -# +# # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding @@ -36,6 +36,7 @@ # ServerRoot at a non-local disk, be sure to point the LockFile directive # at a local disk. If you wish to share the same ServerRoot for multiple # httpd daemons, you will need to change at least LockFile and PidFile. +# Comment: The LockFile directive has been replaced by the Mutex directive ServerRoot "/usr/lib64/apache2" # Dynamic Shared Object (DSO) Support @@ -58,6 +59,7 @@ ServerRoot "/usr/lib64/apache2" # # Change these at your own risk! +LoadModule access_compat_module modules/mod_access_compat.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule asis_module modules/mod_asis.so @@ -65,17 +67,17 @@ LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so -LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authn_anon_module modules/mod_authn_anon.so +LoadModule authn_core_module modules/mod_authn_core.so LoadModule authn_dbd_module modules/mod_authn_dbd.so LoadModule authn_dbm_module modules/mod_authn_dbm.so -LoadModule authn_default_module modules/mod_authn_default.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule authz_dbd_module modules/mod_authz_dbd.so LoadModule authz_dbm_module modules/mod_authz_dbm.so -LoadModule authz_default_module modules/mod_authz_default.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_owner_module modules/mod_authz_owner.so @@ -84,6 +86,9 @@ LoadModule autoindex_module modules/mod_autoindex.so LoadModule cache_module modules/mod_cache.so + +LoadModule cache_disk_module modules/mod_cache_disk.so + LoadModule cern_meta_module modules/mod_cern_meta.so LoadModule cgi_module modules/mod_cgi.so LoadModule cgid_module modules/mod_cgid.so @@ -100,9 +105,6 @@ LoadModule dav_lock_module modules/mod_dav_lock.so LoadModule dbd_module modules/mod_dbd.so LoadModule deflate_module modules/mod_deflate.so LoadModule dir_module modules/mod_dir.so - -LoadModule disk_cache_module modules/mod_disk_cache.so - LoadModule dumpio_module modules/mod_dumpio.so LoadModule env_module modules/mod_env.so LoadModule expires_module modules/mod_expires.so @@ -112,6 +114,9 @@ LoadModule file_cache_module modules/mod_file_cache.so LoadModule filter_module modules/mod_filter.so LoadModule headers_module modules/mod_headers.so + +LoadModule http2_module modules/mod_http2.so + LoadModule ident_module modules/mod_ident.so LoadModule imagemap_module modules/mod_imagemap.so LoadModule include_module modules/mod_include.so @@ -124,9 +129,7 @@ LoadModule ldap_module modules/mod_ldap.so LoadModule log_config_module modules/mod_log_config.so LoadModule log_forensic_module modules/mod_log_forensic.so LoadModule logio_module modules/mod_logio.so - -LoadModule mem_cache_module modules/mod_mem_cache.so - +LoadModule macro_module modules/mod_macro.so LoadModule mime_module modules/mod_mime.so LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule negotiation_module modules/mod_negotiation.so @@ -143,15 +146,32 @@ LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule proxy_connect_module modules/mod_proxy_connect.so +LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so + + LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +LoadModule proxy_html_module modules/mod_proxy_html.so + + LoadModule proxy_http_module modules/mod_proxy_http.so + LoadModule proxy_scgi_module modules/mod_proxy_scgi.so + + +LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so + +LoadModule ratelimit_module modules/mod_ratelimit.so +LoadModule remoteip_module modules/mod_remoteip.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule setenvif_module modules/mod_setenvif.so +LoadModule slotmem_shm_module modules/mod_slotmem_shm.so + +LoadModule socache_shmcb_module modules/mod_socache_shmcb.so + LoadModule speling_module modules/mod_speling.so LoadModule ssl_module modules/mod_ssl.so @@ -164,6 +184,7 @@ LoadModule substitute_module modules/mod_substitute.so LoadModule suexec_module modules/mod_suexec.so LoadModule unique_id_module modules/mod_unique_id.so +LoadModule unixd_module modules/mod_unixd.so LoadModule userdir_module modules/mod_userdir.so diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf b/config-archive/etc/apache2/modules.d/00_default_settings.conf index c548b5b..9d1862a 100644 --- a/config-archive/etc/apache2/modules.d/00_default_settings.conf +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf @@ -120,8 +120,7 @@ LogLevel info # negotiated documents. The MultiViews Options can be used for the # same purpose, but it is much slower. # -# To add files to that list use AddDirectoryIndex in a custom config -# file. Do not change this entry unless you know what you are doing. +# Do not change this entry unless you know what you are doing. DirectoryIndex index.html index.html.var index.shtml index.htm diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 b/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 new file mode 100644 index 0000000..c548b5b --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 @@ -0,0 +1,136 @@ +# This configuration file reflects default settings for Apache HTTP Server. +# You may change these, but chances are that you may not need to. + +# Timeout: The number of seconds before receives and sends time out. +Timeout 300 + +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +KeepAlive On + +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +MaxKeepAliveRequests 100 + +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +KeepAliveTimeout 15 + +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +UseCanonicalName Off + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +AccessFileName .htaccess + +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Full + +# TraceEnable +# This directive overrides the behavior of TRACE for both the core server and +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, +# which disallows any request body to accompany the request. TraceEnable off +# causes the core server and mod_proxy to return a 405 (Method not allowed) +# error to the client. +# For security reasons this is turned off by default. (bug #240680) +TraceEnable off + +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature On + +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +HostnameLookups Off + +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +EnableMMAP off +EnableSendfile off +#EnableMMAP On +#EnableSendfile On + +# FileEtag: Configures the file attributes that are used to create +# the ETag (entity tag) response header field when the document is +# based on a static file. (The ETag value is used in cache management +# to save network bandwidth.) +FileEtag INode MTime Size + +# ContentDigest: This directive enables the generation of Content-MD5 +# headers as defined in RFC1864 respectively RFC2616. +# The Content-MD5 header provides an end-to-end message integrity +# check (MIC) of the entity-body. A proxy or client may check this +# header for detecting accidental modification of the entity-body +# in transit. +# Note that this can cause performance problems on your server since +# the message digest is computed on every request (the values are +# not cached). +# Content-MD5 is only sent for documents served by the core, and not +# by any module. For example, SSI documents, output from CGI scripts, +# and byte range responses do not have this header. +ContentDigest Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error.log + +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel info + +# We configure the "default" to be a very restrictive set of features. + + Options FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + + +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Options can be used for the +# same purpose, but it is much slower. +# +# To add files to that list use AddDirectoryIndex in a custom config +# file. Do not change this entry unless you know what you are doing. + + DirectoryIndex index.html index.html.var index.shtml index.htm + + +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. + + Order allow,deny + Deny from all + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new new file mode 100644 index 0000000..38635aa --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new @@ -0,0 +1,131 @@ +# This configuration file reflects default settings for Apache HTTP Server. +# You may change these, but chances are that you may not need to. + +# Timeout: The number of seconds before receives and sends time out. +Timeout 300 + +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +KeepAlive On + +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +MaxKeepAliveRequests 100 + +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +KeepAliveTimeout 15 + +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +UseCanonicalName Off + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +AccessFileName .htaccess + +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Prod + +# TraceEnable +# This directive overrides the behavior of TRACE for both the core server and +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, +# which disallows any request body to accompany the request. TraceEnable off +# causes the core server and mod_proxy to return a 405 (Method not allowed) +# error to the client. +# For security reasons this is turned off by default. (bug #240680) +TraceEnable off + +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature On + +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +HostnameLookups Off + +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +EnableMMAP On +EnableSendfile Off + +# FileETag: Configures the file attributes that are used to create +# the ETag (entity tag) response header field when the document is +# based on a static file. (The ETag value is used in cache management +# to save network bandwidth.) +FileETag MTime Size + +# ContentDigest: This directive enables the generation of Content-MD5 +# headers as defined in RFC1864 respectively RFC2616. +# The Content-MD5 header provides an end-to-end message integrity +# check (MIC) of the entity-body. A proxy or client may check this +# header for detecting accidental modification of the entity-body +# in transit. +# Note that this can cause performance problems on your server since +# the message digest is computed on every request (the values are +# not cached). +# Content-MD5 is only sent for documents served by the core, and not +# by any module. For example, SSI documents, output from CGI scripts, +# and byte range responses do not have this header. +ContentDigest Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error_log + +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel warn + +# We configure the "default" to be a very restrictive set of features. + + Options FollowSymLinks + AllowOverride None + Require all denied + + +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Options can be used for the +# same purpose, but it is much slower. +# +# Do not change this entry unless you know what you are doing. + + DirectoryIndex index.html index.html.var + + +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. + + Require all denied + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new b/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new index 815668f..61479fa 100644 --- a/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new +++ b/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new @@ -30,8 +30,7 @@ Alias /error/ "/usr/share/apache2/error/" Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Order allow,deny - Allow from all + Require all granted LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf index 8e34554..f03f25c 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf @@ -1,4 +1,6 @@ + + # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. @@ -86,6 +88,7 @@ HeaderName HEADER.html # IndexIgnore is a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 new file mode 100644 index 0000000..8e34554 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 @@ -0,0 +1,91 @@ + + +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. +Alias /icons/ "/usr/share/apache2/icons/" + + + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + + + +# Directives controlling the display of server-generated directory listings. +# +# To see the listing of a directory, the Options directive for the +# directory must include "Indexes", and the directory must not contain +# a file matching those listed in the DirectoryIndex directive. + +# IndexOptions: Controls the appearance of server-generated directory +# listings. +#IndexOptions FancyIndexing VersionSort +IndexOptions FancyIndexing VersionSort FoldersFirst HTMLTable IgnoreCase NameWidth=50 + +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (CDR,/icons/corel-document.png) image/x-coreldraw + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/corel-document.png .cdr + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +DefaultIcon /icons/unknown.gif + +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename + +AddDescription "GZIP-komprimiertes Tar-Archiv" .tar.gz +AddDescription "GZIP-komprimiertes Dokument" .gz +AddDescription "Tar-Archive" .tar +AddDescription "GZIP-komprimiertes Tar-Archiv" .tgz +AddDescription "PDF-Dokument" .pdf +AddDescription "CorelDraw-Zeichnung" .cdr + +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. + +# HeaderName is the name of a file which should be prepended to +# directory indexes. +ReadmeName README.html +HeaderName HEADER.html + +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new new file mode 100644 index 0000000..10bf483 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new @@ -0,0 +1,85 @@ + + + + +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. +Alias /icons/ "/usr/share/apache2/icons/" + + + Options Indexes MultiViews + AllowOverride None + Require all granted + + + +# Directives controlling the display of server-generated directory listings. +# +# To see the listing of a directory, the Options directive for the +# directory must include "Indexes", and the directory must not contain +# a file matching those listed in the DirectoryIndex directive. + +# IndexOptions: Controls the appearance of server-generated directory +# listings. +IndexOptions FancyIndexing VersionSort + +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +DefaultIcon /icons/unknown.gif + +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename + +#AddDescription "GZIP compressed document" .gz +#AddDescription "tar archive" .tar +#AddDescription "GZIP compressed tar archive" .tgz + +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. + +# HeaderName is the name of a file which should be prepended to +# directory indexes. +ReadmeName README.html +HeaderName HEADER.html + +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new index 809c223..2cd32c4 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new +++ b/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new @@ -3,9 +3,7 @@ # http://servername/server-info SetHandler server-info - Order deny,allow - Deny from all - Allow from 127.0.0.1 + Require local diff --git a/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new index 51f23d5..fb8a9a5 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new +++ b/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new @@ -1,12 +1,3 @@ -# DefaultType: the default MIME type the server will use for a document -# if it cannot otherwise determine one, such as from filename extensions. -# If your server contains mostly text or HTML documents, "text/plain" is -# a good value. If most of your content is binary, such as applications -# or images, you may want to use "application/octet-stream" instead to -# keep browsers from trying to display binary files as though they are -# text. -DefaultType text/plain - # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. diff --git a/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new index edd46a4..ed8b3c7 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new +++ b/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new @@ -3,9 +3,7 @@ # with the URL of http://servername/server-status SetHandler server-status - Order deny,allow - Deny from all - Allow from 127.0.0.1 + Require local # ExtendedStatus controls whether Apache will generate "full" status diff --git a/config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new index 20effa9..bcb9b6b 100644 --- a/config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new +++ b/config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new @@ -4,10 +4,10 @@ # identification number when it starts. # # DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING -PidFile /var/run/apache2.pid +PidFile /run/apache2.pid # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -#LockFile /var/run/apache2.lock +# Mutex file:/run/apache_mpm_mutex # Only one of the below sections will be relevant on your # installed httpd. Use "/usr/sbin/apache2 -l" to find out the @@ -17,9 +17,9 @@ PidFile /var/run/apache2.pid # These configuration directives apply to all MPMs # # StartServers: Number of child server processes created at startup -# MaxClients: Maximum number of child processes to serve requests -# MaxRequestsPerChild: Limit on the number of requests that an individual child -# server will handle during its life +# MaxRequestWorkers: Maximum number of child processes to serve requests +# MaxConnectionsPerChild: Limit on the number of connections that an individual +# child server will handle during its life # prefork MPM @@ -31,8 +31,8 @@ PidFile /var/run/apache2.pid StartServers 5 MinSpareServers 5 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # worker MPM @@ -46,8 +46,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # event MPM @@ -60,8 +60,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # peruser MPM @@ -76,8 +76,8 @@ PidFile /var/run/apache2.pid MinSpareProcessors 2 MinProcessors 2 MaxProcessors 10 - MaxClients 150 - MaxRequestsPerChild 1000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 1000 ExpireTimeout 1800 Multiplexer nobody nobody @@ -92,8 +92,8 @@ PidFile /var/run/apache2.pid StartServers 5 MinSpareServers 5 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf b/config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf new file mode 100644 index 0000000..4541fa6 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf @@ -0,0 +1,8 @@ + + LoadModule fastcgi_module modules/mod_fastcgi.so + AddHandler fastcgi-script fcg fcgi fpl + FastCgiExternalServer /tmp/frbr_books_app.fcgi -socket /tmp/frbr_books_app.sock + #FastCgiServer /var/www/books/script/frbr_books_fastcgi.pl -processes 2 + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf.dist.new b/config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf.dist.new new file mode 100644 index 0000000..583524b --- /dev/null +++ b/config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf.dist.new @@ -0,0 +1,6 @@ + +LoadModule fastcgi_module modules/mod_fastcgi.so +AddHandler fastcgi-script fcg fcgi fpl + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new index 9fa425a..b9766b5 100644 --- a/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new +++ b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new @@ -6,7 +6,7 @@ # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# +# # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host @@ -25,9 +25,6 @@ #Listen 12.34.56.78:80 Listen 80 -# Use name-based virtual hosting. -NameVirtualHost *:80 - # When virtual hosts are enabled, the main host defined in the default # httpd.conf configuration will go away. We redefine it here so that it is # still available. diff --git a/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new b/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new index 6d45888..af6ece8 100644 --- a/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new +++ b/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new @@ -21,7 +21,7 @@ DocumentRoot "/var/www/localhost/htdocs" # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.2/mod/core.html#options + # http://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. Options Indexes FollowSymLinks @@ -31,8 +31,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride All # Controls who can get stuff from this server. - Order allow,deny - Allow from all + Require all granted @@ -66,8 +65,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride None Options None - Order allow,deny - Allow from all + Require all granted # vim: ts=4 filetype=apache diff --git a/config-archive/etc/etckeeper/etckeeper.conf b/config-archive/etc/etckeeper/etckeeper.conf new file mode 100644 index 0000000..a5983d9 --- /dev/null +++ b/config-archive/etc/etckeeper/etckeeper.conf @@ -0,0 +1,44 @@ +# The VCS to use. +#VCS="hg" +VCS="git" +#VCS="bzr" +#VCS="darcs" + +# Options passed to git commit when run by etckeeper. +GIT_COMMIT_OPTIONS="" + +# Options passed to hg commit when run by etckeeper. +HG_COMMIT_OPTIONS="" + +# Options passed to bzr commit when run by etckeeper. +BZR_COMMIT_OPTIONS="" + +# Options passed to darcs record when run by etckeeper. +DARCS_COMMIT_OPTIONS="-a" + +# Uncomment to avoid etckeeper committing existing changes +# to /etc automatically once per day. +#AVOID_DAILY_AUTOCOMMITS=1 + +# Uncomment the following to avoid special file warning +# (the option is enabled automatically by cronjob regardless). +#AVOID_SPECIAL_FILE_WARNING=1 + +# Uncomment to avoid etckeeper committing existing changes to +# /etc before installation. It will cancel the installation, +# so you can commit the changes by hand. +#AVOID_COMMIT_BEFORE_INSTALL=1 + +# The high-level package manager that's being used. +# (apt, pacman-g2, yum, zypper etc) +# For gentoo this is emerge +HIGHLEVEL_PACKAGE_MANAGER=emerge + +# The low-level package manager that's being used. +# (dpkg, rpm, pacman, pacman-g2, etc) +# For gentoo this is qlist +LOWLEVEL_PACKAGE_MANAGER=qlist + +# To push each commit to a remote, put the name of the remote here. +# (eg, "origin" for git). +PUSH_REMOTE="origin" diff --git a/config-archive/etc/etckeeper/etckeeper.conf.dist.new b/config-archive/etc/etckeeper/etckeeper.conf.dist.new new file mode 100644 index 0000000..0a9c88b --- /dev/null +++ b/config-archive/etc/etckeeper/etckeeper.conf.dist.new @@ -0,0 +1,53 @@ +# The VCS to use. +#VCS="hg" +VCS="git" +#VCS="bzr" +#VCS="darcs" + +# Options passed to git commit when run by etckeeper. +GIT_COMMIT_OPTIONS="" + +# Options passed to hg commit when run by etckeeper. +HG_COMMIT_OPTIONS="" + +# Options passed to bzr commit when run by etckeeper. +BZR_COMMIT_OPTIONS="" + +# Options passed to darcs record when run by etckeeper. +DARCS_COMMIT_OPTIONS="-a" + +# Uncomment to avoid etckeeper committing existing changes +# to /etc automatically once per day. +#AVOID_DAILY_AUTOCOMMITS=1 + +# Uncomment the following to avoid special file warning +# (the option is enabled automatically by cronjob regardless). +#AVOID_SPECIAL_FILE_WARNING=1 + +# Uncomment to avoid etckeeper committing existing changes to +# /etc before installation. It will cancel the installation, +# so you can commit the changes by hand. +#AVOID_COMMIT_BEFORE_INSTALL=1 + +# The high-level package manager that's being used. +# (apt, pacman-g2, yum, dnf, zypper etc) +#HIGHLEVEL_PACKAGE_MANAGER=apt + +# Gentoo specific: +# For portage this is emerge +# For paludis this is cave +HIGHLEVEL_PACKAGE_MANAGER=emerge + +# The low-level package manager that's being used. +# (dpkg, rpm, pacman, pacman-g2, etc) +#LOWLEVEL_PACKAGE_MANAGER=dpkg + +# Gentoo specific: +# For portage this is qlist +# For paludis this is cave +LOWLEVEL_PACKAGE_MANAGER=qlist + +# To push each commit to a remote, put the name of the remote here. +# (eg, "origin" for git). Space-separated lists of multiple remotes +# also work (eg, "origin gitlab github" for git). +PUSH_REMOTE="" diff --git a/config-archive/etc/ssh/ssh_config b/config-archive/etc/ssh/ssh_config index 1d4aedc..f6f0346 100644 --- a/config-archive/etc/ssh/ssh_config +++ b/config-archive/etc/ssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -41,17 +41,6 @@ ForwardAgent yes # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ -# AllowedCertPurpose sslserver -# MandatoryCRL no -# CACertificateFile /etc/ssh/ca/ca-bundle.crt -# CACertificatePath /etc/ssh/ca/crt -# CARevocationFile /etc/ssh/ca/ca-bundle.crl -# CARevocationPath /etc/ssh/ca/crl -# UserCACertificateFile ~/.ssh/ca-bundle.crt -# UserCACertificatePath ~/.ssh/crt -# UserCARevocationFile ~/.ssh/ca-bundle.crl -# UserCARevocationPath ~/.ssh/crl -# VAType none # Tunnel no # TunnelDevice any:any # PermitLocalCommand no diff --git a/config-archive/etc/ssh/ssh_config.1 b/config-archive/etc/ssh/ssh_config.1 index 3974564..1d4aedc 100644 --- a/config-archive/etc/ssh/ssh_config.1 +++ b/config-archive/etc/ssh/ssh_config.1 @@ -57,3 +57,7 @@ ForwardAgent yes # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h + +# Send locale environment variables #367017 +SendEnv LANG LC_* diff --git a/config-archive/etc/ssh/ssh_config.2 b/config-archive/etc/ssh/ssh_config.2 new file mode 100644 index 0000000..3974564 --- /dev/null +++ b/config-archive/etc/ssh/ssh_config.2 @@ -0,0 +1,59 @@ +# $OpenBSD$ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +ForwardAgent yes +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# AllowedCertPurpose sslserver +# MandatoryCRL no +# CACertificateFile /etc/ssh/ca/ca-bundle.crt +# CACertificatePath /etc/ssh/ca/crt +# CARevocationFile /etc/ssh/ca/ca-bundle.crl +# CARevocationPath /etc/ssh/ca/crl +# UserCACertificateFile ~/.ssh/ca-bundle.crt +# UserCACertificatePath ~/.ssh/crt +# UserCARevocationFile ~/.ssh/ca-bundle.crl +# UserCARevocationPath ~/.ssh/crl +# VAType none +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/config-archive/etc/ssh/ssh_config.dist b/config-archive/etc/ssh/ssh_config.dist index 42874fe..0f76947 100644 --- a/config-archive/etc/ssh/ssh_config.dist +++ b/config-archive/etc/ssh/ssh_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -34,8 +34,10 @@ # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 +# Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index 2b3b4f9..3df38eb 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $ +# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -42,6 +42,7 @@ #LoginGraceTime 2m #PermitRootLogin no +#PermitRootLogin prohibit-password PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 diff --git a/config-archive/etc/ssh/sshd_config.1 b/config-archive/etc/ssh/sshd_config.1 index d53811e..2b3b4f9 100644 --- a/config-archive/etc/ssh/sshd_config.1 +++ b/config-archive/etc/ssh/sshd_config.1 @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ +# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -41,7 +41,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +#PermitRootLogin no PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 @@ -75,7 +75,6 @@ PasswordAuthentication no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no @@ -86,7 +85,6 @@ ChallengeResponseAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -116,8 +114,8 @@ UsePrivilegeSeparation sandbox # Default for new installations. #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid +#UseDNS no +#PidFile /run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none diff --git a/config-archive/etc/ssh/sshd_config.2 b/config-archive/etc/ssh/sshd_config.2 index ed0b2e9..d53811e 100644 --- a/config-archive/etc/ssh/sshd_config.2 +++ b/config-archive/etc/ssh/sshd_config.2 @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -26,72 +26,6 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# "key type names" for X.509 certificates with RSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 - -# "key type names" for X.509 certificates with DSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 -#X509KeyAlgorithm x509v3-sign-dss,dss-raw - -# The intended use for the X509 client certificate. Without this option -# no chain verification will be done. Currently accepted uses are case -# insensitive: -# - "sslclient", "SSL client", "SSL_client" or "client" -# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" -# - "skip" or ""(empty): don`t check purpose. -#AllowedCertPurpose sslclient - -# Specifies whether self-issued(self-signed) X.509 certificate can be -# allowed only by entry in AutorizedKeysFile that contain matching -# public key or certificate blob. -#KeyAllowSelfIssued no - -# Specifies whether CRL must present in store for all certificates in -# certificate chain with atribute "cRLDistributionPoints" -#MandatoryCRL no - -# A file with multiple certificates of certificate signers -# in PEM format concatenated together. -#CACertificateFile /etc/ssh/ca/ca-bundle.crt - -# A directory with certificates of certificate signers. -# The certificates should have name of the form: [HASH].[NUMBER] -# or have symbolic links to them of this form. -#CACertificatePath /etc/ssh/ca/crt - -# A file with multiple CRL of certificate signers -# in PEM format concatenated together. -#CARevocationFile /etc/ssh/ca/ca-bundle.crl - -# A directory with CRL of certificate signers. -# The CRL should have name of the form: [HASH].r[NUMBER] -# or have symbolic links to them of this form. -#CARevocationPath /etc/ssh/ca/crl - -# LDAP protocol version. -# Example: -# CAldapVersion 2 - -# Note because of OpenSSH options parser limitation -# use %3D instead of = ! -# LDAP initialization may require URL to be escaped, i.e. -# use %2C instead of ,(comma). Escaped URL don't depend from -# LDAP initialization method. -# Example: -# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom - -# SSH can use "Online Certificate Status Protocol"(OCSP) -# to validate certificate. Set VAType to -# - none : do not use OCSP to validate certificates; -# - ocspcert: validate only certificates that specify `OCSP -# Service Locator' URL; -# - ocspspec: use specified in the configuration 'OCSP Responder' -# to validate all certificates. -#VAType none - # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 @@ -192,13 +126,29 @@ UsePrivilegeSeparation sandbox # Default for new installations. # no default banner path #Banner none +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server # the following are HPN related configuration options # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes - + # disable hpn performance boosts #HPNDisabled no diff --git a/config-archive/etc/ssh/sshd_config.3 b/config-archive/etc/ssh/sshd_config.3 index 7084972..ed0b2e9 100644 --- a/config-archive/etc/ssh/sshd_config.3 +++ b/config-archive/etc/ssh/sshd_config.3 @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! @@ -153,8 +154,8 @@ ChallengeResponseAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -171,6 +172,7 @@ UsePAM yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes PrintMotd no PrintLastLog no #TCPKeepAlive yes @@ -211,6 +213,7 @@ Subsystem sftp /usr/lib64/misc/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server # Allow client to pass locale environment variables #367017 diff --git a/config-archive/etc/ssh/sshd_config.4 b/config-archive/etc/ssh/sshd_config.4 index 9a37794..7084972 100644 --- a/config-archive/etc/ssh/sshd_config.4 +++ b/config-archive/etc/ssh/sshd_config.4 @@ -27,8 +27,8 @@ # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 #X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 # "key type names" for X.509 certificates with DSA key # Note first defined is used in signature operations! @@ -95,11 +95,13 @@ #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO -#LogLevel DEBUG # Authentication: @@ -117,6 +119,11 @@ PermitRootLogin yes # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -168,23 +175,21 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server @@ -192,18 +197,21 @@ Subsystem sftp /usr/lib64/misc/sftp-server # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes -# allow the use of the none cipher -#NoneEnabled no - -# disable hpn performance boosts. +# disable hpn performance boosts #HPNDisabled no # buffer size for hpn to non-hpn connections #HPNBufferSize 2048 +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/config-archive/etc/ssh/sshd_config.5 b/config-archive/etc/ssh/sshd_config.5 new file mode 100644 index 0000000..9a37794 --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.5 @@ -0,0 +1,209 @@ +# $OpenBSD$ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key + +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO +#LogLevel DEBUG + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib64/misc/sftp-server + +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no + +# disable hpn performance boosts. +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/config-archive/etc/ssh/sshd_config.dist.new b/config-archive/etc/ssh/sshd_config.dist.new new file mode 100644 index 0000000..20d455d --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.dist.new @@ -0,0 +1,152 @@ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + +# override default of no subsystems +Subsystem sftp /usr/lib64/misc/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/ssh/._mrg0000_sshd_config b/ssh/._mrg0000_sshd_config new file mode 100644 index 0000000..62e82fe --- /dev/null +++ b/ssh/._mrg0000_sshd_config @@ -0,0 +1,155 @@ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin no +#PermitRootLogin prohibit-password +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + +# override default of no subsystems +Subsystem sftp /usr/lib64/misc/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/ssh/ssh_config b/ssh/ssh_config index f6f0346..2554ff8 100644 --- a/ssh/ssh_config +++ b/ssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -35,8 +35,10 @@ ForwardAgent yes # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 +# Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160