From 88d1da7425030448490e52c1ad44398c0627656c Mon Sep 17 00:00:00 2001 
From: root Date: Tue, 15 Mar 2016 10:44:54 +0100 Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run --- .etckeeper | 23 +-- apache2/httpd.conf | 55 +++++-- .../modules.d/._mrg0000_00_mod_autoindex.conf | 93 ----------- apache2/modules.d/00_default_settings.conf | 14 +- apache2/modules.d/00_error_documents.conf | 3 +- apache2/modules.d/00_mod_autoindex.conf | 3 +- apache2/modules.d/00_mod_info.conf | 5 +- apache2/modules.d/00_mod_mime.conf | 9 - apache2/modules.d/00_mod_status.conf | 5 +- apache2/modules.d/00_mpm.conf | 30 ++-- apache2/modules.d/47_mod_dav_svn.conf | 12 +- apache2/vhosts.d/00_default_vhost.conf | 2 +- apache2/vhosts.d/default_vhost.include | 86 +++++----- .../{httpd.conf.dist.new => httpd.conf.dist} | 0 .../modules.d/00_default_settings.conf.dist | 12 +- .../00_default_settings.conf.dist.new | 131 --------------- ....dist.new => 00_error_documents.conf.dist} | 0 .../modules.d/00_mod_autoindex.conf.dist | 3 +- .../modules.d/00_mod_autoindex.conf.dist.new | 85 ---------- ...fo.conf.dist.new => 00_mod_info.conf.dist} | 0 ...me.conf.dist.new => 00_mod_mime.conf.dist} | 0 ....conf.dist.new => 00_mod_status.conf.dist} | 0 ...{00_mpm.conf.dist.new => 00_mpm.conf.dist} | 0 ...nf.dist.new => 00_default_vhost.conf.dist} | 0 ...de.dist.new => default_vhost.include.dist} | 0 ...eper.conf.dist.new => etckeeper.conf.dist} | 0 config-archive/etc/ssh/sshd_config.dist | 18 +- config-archive/etc/ssh/sshd_config.dist.new | 152 ----------------- etckeeper/etckeeper.conf | 17 +- ssh/._mrg0000_sshd_config | 155 ------------------ ssh/sshd_config | 18 +- 31 files changed, 143 insertions(+), 788 deletions(-) delete mode 100644 apache2/modules.d/._mrg0000_00_mod_autoindex.conf rename config-archive/etc/apache2/{httpd.conf.dist.new => httpd.conf.dist} (100%) delete mode 100644 config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new rename config-archive/etc/apache2/modules.d/{00_error_documents.conf.dist.new => 
00_error_documents.conf.dist} (100%) delete mode 100644 config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new rename config-archive/etc/apache2/modules.d/{00_mod_info.conf.dist.new => 00_mod_info.conf.dist} (100%) rename config-archive/etc/apache2/modules.d/{00_mod_mime.conf.dist.new => 00_mod_mime.conf.dist} (100%) rename config-archive/etc/apache2/modules.d/{00_mod_status.conf.dist.new => 00_mod_status.conf.dist} (100%) rename config-archive/etc/apache2/modules.d/{00_mpm.conf.dist.new => 00_mpm.conf.dist} (100%) rename config-archive/etc/apache2/vhosts.d/{00_default_vhost.conf.dist.new => 00_default_vhost.conf.dist} (100%) rename config-archive/etc/apache2/vhosts.d/{default_vhost.include.dist.new => default_vhost.include.dist} (100%) rename config-archive/etc/etckeeper/{etckeeper.conf.dist.new => etckeeper.conf.dist} (100%) delete mode 100644 config-archive/etc/ssh/sshd_config.dist.new delete mode 100644 ssh/._mrg0000_sshd_config diff --git a/.etckeeper b/.etckeeper index dca5e55..e070667 100755 --- a/.etckeeper +++ b/.etckeeper @@ -119,7 +119,6 @@ maybe chmod 0644 'apache2/info_users_passwd' maybe chmod 0644 'apache2/magic' maybe chmod 0755 'apache2/modules.d' maybe chmod 0755 'apache2/modules.d.old' -maybe chmod 0644 'apache2/modules.d/._mrg0000_00_mod_autoindex.conf' maybe chmod 0700 'apache2/modules.d/.rcs' maybe chmod 0444 'apache2/modules.d/.rcs/00_apache_manual.conf,v' maybe chmod 0444 'apache2/modules.d/.rcs/00_default_settings.conf,v' 
@@ -485,17 +484,16 @@ maybe chmod 0640 'config-archive/etc/amavisd.conf.dist' maybe chmod 0755 'config-archive/etc/apache2' maybe chmod 0644 'config-archive/etc/apache2/httpd.conf' maybe chmod 0644 'config-archive/etc/apache2/httpd.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/httpd.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/httpd.conf.dist' maybe chmod 0755 'config-archive/etc/apache2/modules.d' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.1' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_languages.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_languages.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_languages.conf.dist.new' 
@@ -503,22 +501,21 @@ maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_log_config.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_log_config.conf,v' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_log_config.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf' maybe chmod 0644 
'config-archive/etc/apache2/modules.d/20_mod_fastcgi.conf.dist.new' maybe chmod 0644 'config-archive/etc/apache2/modules.d/20_mod_fcgid.conf' @@ -538,10 +535,10 @@ maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf, maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf' maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf,v' -maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include' maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include,v' -maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include.dist' maybe chmod 0644 'config-archive/etc/auto.master,v' maybe chmod 0644 'config-archive/etc/auto.misc,v' maybe chmod 0644 'config-archive/etc/auto.misc.dist.new' @@ -672,7 +669,7 @@ maybe chmod 0644 'config-archive/etc/elinks/elinks.conf,v' maybe chmod 0644 'config-archive/etc/etc-update.conf,v' maybe chmod 0755 'config-archive/etc/etckeeper' maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf' -maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist.new' +maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist' maybe chmod 0755 'config-archive/etc/fonts' maybe chmod 0755 'config-archive/etc/fonts/conf.avail' maybe chmod 0644 'config-archive/etc/fonts/conf.avail/30-urw-aliases.conf,v' 
@@ -991,7 +988,6 @@ maybe chmod 0600 'config-archive/etc/ssh/sshd_config.3' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.4' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.5' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.dist' -maybe chmod 0600 'config-archive/etc/ssh/sshd_config.dist.new' maybe chmod 0755 'config-archive/etc/ssl' maybe chmod 0755 'config-archive/etc/ssl/certs' maybe chmod 0644 'config-archive/etc/ssl/certs/ca-certificates.crt,v' @@ -2822,7 +2818,6 @@ maybe chmod 0755 'smartd_warning.sh' maybe chmod 0755 'snmp' maybe chmod 0644 'snmp/snmpd.conf.example' maybe chmod 0755 'ssh' -maybe chmod 0600 'ssh/._mrg0000_sshd_config' maybe chmod 0644 'ssh/moduli' maybe chmod 0644 'ssh/ssh_config' maybe chmod 0600 'ssh/ssh_host_dsa_key' diff --git a/apache2/httpd.conf b/apache2/httpd.conf index 31eb439..0494b0f 100644 --- a/apache2/httpd.conf +++ b/apache2/httpd.conf @@ -1,4 +1,4 @@ -# This is a modification of the default Apache 2.2 configuration file +# This is a modification of the default Apache 2.4 configuration file # for Gentoo Linux. # # Support: @@ -13,9 +13,9 @@ # # This is the main Apache HTTP server configuration file. It contains the # configuration directives that give the server its instructions. -# See for detailed information. +# See for detailed information. # In particular, see -# +# # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding @@ -36,6 +36,7 @@ # ServerRoot at a non-local disk, be sure to point the LockFile directive # at a local disk. If you wish to share the same ServerRoot for multiple # httpd daemons, you will need to change at least LockFile and PidFile. +# Comment: The LockFile directive has been replaced by the Mutex directive ServerRoot "/usr/lib64/apache2" # Dynamic Shared Object (DSO) Support 
@@ -58,6 +59,7 @@ ServerRoot "/usr/lib64/apache2" # # Change these at your own risk! +LoadModule access_compat_module modules/mod_access_compat.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule asis_module modules/mod_asis.so @@ -65,17 +67,17 @@ LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so -LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authn_anon_module modules/mod_authn_anon.so +LoadModule authn_core_module modules/mod_authn_core.so LoadModule authn_dbd_module modules/mod_authn_dbd.so LoadModule authn_dbm_module modules/mod_authn_dbm.so -LoadModule authn_default_module modules/mod_authn_default.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule authz_dbd_module modules/mod_authz_dbd.so LoadModule authz_dbm_module modules/mod_authz_dbm.so -LoadModule authz_default_module modules/mod_authz_default.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_owner_module modules/mod_authz_owner.so @@ -84,9 +86,12 @@ LoadModule autoindex_module modules/mod_autoindex.so LoadModule cache_module modules/mod_cache.so -#LoadModule cern_meta_module modules/mod_cern_meta.so + +LoadModule cache_disk_module modules/mod_cache_disk.so + +LoadModule cern_meta_module modules/mod_cern_meta.so LoadModule cgi_module modules/mod_cgi.so -#LoadModule cgid_module modules/mod_cgid.so +LoadModule cgid_module modules/mod_cgid.so LoadModule charset_lite_module modules/mod_charset_lite.so LoadModule dav_module modules/mod_dav.so 
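Review bot: Several modules that were commented out before are now loaded, unconditionally as far as the visible lines show: `cern_meta_module` and `cgid_module` in the `@@ -84,9 +86,12 @@` hunk, and likewise `dumpio_module` (`@@ -100,10 +105,7 @@`) and `proxy_scgi_module` (`@@ -143,15 +146,32 @@`). This looks like the 2.4 distribution file taken over wholesale; every loaded module the site does not use widens the attack surface, and mod_dumpio can write full request and response data to the error log once its directives and a trace log level are switched on. I would keep modules with no consumer disabled, e.g. `#LoadModule dumpio_module modules/mod_dumpio.so`, and put a comment next to `LoadModule access_compat_module modules/mod_access_compat.so` such as `# kept only until the remaining Order/Allow/Deny/Satisfy lines are converted to Require`. Any enclosing `<IfDefine>` wrappers may have been lost from this rendering, so check against the file itself.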
@@ -100,10 +105,7 @@ LoadModule dav_lock_module modules/mod_dav_lock.so LoadModule dbd_module modules/mod_dbd.so LoadModule deflate_module modules/mod_deflate.so LoadModule dir_module modules/mod_dir.so - -LoadModule disk_cache_module modules/mod_disk_cache.so - -#LoadModule dumpio_module modules/mod_dumpio.so +LoadModule dumpio_module modules/mod_dumpio.so LoadModule env_module modules/mod_env.so LoadModule expires_module modules/mod_expires.so LoadModule ext_filter_module modules/mod_ext_filter.so @@ -112,6 +114,9 @@ LoadModule file_cache_module modules/mod_file_cache.so LoadModule filter_module modules/mod_filter.so LoadModule headers_module modules/mod_headers.so + +LoadModule http2_module modules/mod_http2.so + LoadModule ident_module modules/mod_ident.so LoadModule imagemap_module modules/mod_imagemap.so LoadModule include_module modules/mod_include.so @@ -124,9 +129,7 @@ LoadModule ldap_module modules/mod_ldap.so LoadModule log_config_module modules/mod_log_config.so LoadModule log_forensic_module modules/mod_log_forensic.so LoadModule logio_module modules/mod_logio.so - -LoadModule mem_cache_module modules/mod_mem_cache.so - +LoadModule macro_module modules/mod_macro.so LoadModule mime_module modules/mod_mime.so LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule negotiation_module modules/mod_negotiation.so 
@@ -143,15 +146,32 @@ LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule proxy_connect_module modules/mod_proxy_connect.so +LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so + + LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +LoadModule proxy_html_module modules/mod_proxy_html.so + + LoadModule proxy_http_module modules/mod_proxy_http.so -#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so -#LoadModule reqtimeout_module modules/mod_reqtimeout.so + +LoadModule proxy_scgi_module modules/mod_proxy_scgi.so + + +LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so + +LoadModule ratelimit_module modules/mod_ratelimit.so +LoadModule remoteip_module modules/mod_remoteip.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule setenvif_module modules/mod_setenvif.so +LoadModule slotmem_shm_module modules/mod_slotmem_shm.so + +LoadModule socache_shmcb_module modules/mod_socache_shmcb.so + LoadModule speling_module modules/mod_speling.so LoadModule ssl_module modules/mod_ssl.so @@ -164,6 +184,7 @@ LoadModule substitute_module modules/mod_substitute.so LoadModule suexec_module modules/mod_suexec.so LoadModule unique_id_module modules/mod_unique_id.so +LoadModule unixd_module modules/mod_unixd.so LoadModule userdir_module modules/mod_userdir.so diff --git a/apache2/modules.d/._mrg0000_00_mod_autoindex.conf b/apache2/modules.d/._mrg0000_00_mod_autoindex.conf deleted file mode 100644 index dedf060..0000000 --- a/apache2/modules.d/._mrg0000_00_mod_autoindex.conf +++ /dev/null 
@@ -1,93 +0,0 @@ - - - - -# We include the /icons/ alias for FancyIndexed directory listings. If -# you do not use FancyIndexing, you may comment this out. -Alias /icons/ "/usr/share/apache2/icons/" - - - Options Indexes MultiViews - AllowOverride None - Require all granted - - - -# Directives controlling the display of server-generated directory listings. -# -# To see the listing of a directory, the Options directive for the -# directory must include "Indexes", and the directory must not contain -# a file matching those listed in the DirectoryIndex directive. - -# IndexOptions: Controls the appearance of server-generated directory -# listings. -#IndexOptions FancyIndexing VersionSort -IndexOptions FancyIndexing VersionSort FoldersFirst HTMLTable IgnoreCase NameWidth=50 - -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (CDR,/icons/corel-document.png) image/x-coreldraw - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/corel-document.png .cdr - -AddIcon /icons/back.gif .. 
-AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. -DefaultIcon /icons/unknown.gif - -# AddDescription allows you to place a short description after a file in -# server-generated indexes. These are only displayed for FancyIndexed -# directories. -# Format: AddDescription "description" filename - -AddDescription "GZIP-komprimiertes Tar-Archiv" .tar.gz -AddDescription "GZIP-komprimiertes Dokument" .gz -AddDescription "Tar-Archive" .tar -AddDescription "GZIP-komprimiertes Tar-Archiv" .tgz -AddDescription "PDF-Dokument" .pdf -AddDescription "CorelDraw-Zeichnung" .cdr - -# ReadmeName is the name of the README file the server will look for by -# default, and append to directory listings. - -# HeaderName is the name of a file which should be prepended to -# directory indexes. -ReadmeName README.html -HeaderName HEADER.html - -# IndexIgnore is a set of filenames which directory indexing should ignore -# and not include in the listing. Shell-style wildcarding is permitted. -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/00_default_settings.conf b/apache2/modules.d/00_default_settings.conf index 9d1862a..f7d2874 100644 --- a/apache2/modules.d/00_default_settings.conf +++ b/apache2/modules.d/00_default_settings.conf 
@@ -68,12 +68,10 @@ HostnameLookups Off # be turned off when serving from networked-mounted # filesystems or if support for these functions is otherwise # broken on your system. -EnableMMAP off -EnableSendfile off -#EnableMMAP On -#EnableSendfile On +EnableMMAP On +EnableSendfile Off -# FileEtag: Configures the file attributes that are used to create +# FileETag: Configures the file attributes that are used to create # the ETag (entity tag) response header field when the document is # based on a static file. (The ETag value is used in cache management # to save network bandwidth.) @@ -109,8 +107,7 @@ LogLevel info Options FollowSymLinks AllowOverride None - Order deny,allow - Deny from all + Require all denied # DirectoryIndex: sets the file that Apache will serve if a directory @@ -128,8 +125,7 @@ LogLevel info # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. - Order allow,deny - Deny from all + Require all denied # vim: ts=4 filetype=apache diff --git a/apache2/modules.d/00_error_documents.conf b/apache2/modules.d/00_error_documents.conf index 90c6b0a..79cf538 100644 --- a/apache2/modules.d/00_error_documents.conf +++ b/apache2/modules.d/00_error_documents.conf @@ -30,8 +30,7 @@ Alias /error/ "/usr/share/apache2/error/" Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Order allow,deny - Allow from all + Require all granted LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback diff --git a/apache2/modules.d/00_mod_autoindex.conf b/apache2/modules.d/00_mod_autoindex.conf index f03f25c..dedf060 100644 --- a/apache2/modules.d/00_mod_autoindex.conf +++ b/apache2/modules.d/00_mod_autoindex.conf @@ -9,8 +9,7 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted 
diff --git a/apache2/modules.d/00_mod_info.conf b/apache2/modules.d/00_mod_info.conf index 44379d1..039e3c0 100644 --- a/apache2/modules.d/00_mod_info.conf +++ b/apache2/modules.d/00_mod_info.conf @@ -3,13 +3,10 @@ # http://servername/server-info SetHandler server-info - Order deny,allow - Deny from all - Allow from 127.0.0.1 - Allow from localhost AuthName "Server Status Access" AuthType Basic AuthUserFile /etc/apache2/info_users_passwd + Require local Require valid-user Satisfy Any diff --git a/apache2/modules.d/00_mod_mime.conf b/apache2/modules.d/00_mod_mime.conf index 6229e61..3940107 100644 --- a/apache2/modules.d/00_mod_mime.conf +++ b/apache2/modules.d/00_mod_mime.conf @@ -1,12 +1,3 @@ -# DefaultType: the default MIME type the server will use for a document -# if it cannot otherwise determine one, such as from filename extensions. -# If your server contains mostly text or HTML documents, "text/plain" is -# a good value. If most of your content is binary, such as applications -# or images, you may want to use "application/octet-stream" instead to -# keep browsers from trying to display binary files as though they are -# text. -DefaultType text/plain - # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. diff --git a/apache2/modules.d/00_mod_status.conf b/apache2/modules.d/00_mod_status.conf index 9ebd91f..f7e81db 100644 --- a/apache2/modules.d/00_mod_status.conf +++ b/apache2/modules.d/00_mod_status.conf @@ -3,13 +3,10 @@ # with the URL of http://servername/server-status SetHandler server-status - Order deny,allow - Deny from all - Allow from 127.0.0.1 - Allow from localhost AuthName "Server Status Access" AuthType Basic AuthUserFile /etc/apache2/info_users_passwd + Require local Require valid-user Satisfy Any diff --git a/apache2/modules.d/00_mpm.conf b/apache2/modules.d/00_mpm.conf index 27dc24d..23c56fa 100644 --- a/apache2/modules.d/00_mpm.conf +++ b/apache2/modules.d/00_mpm.conf 
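Review bot: The new `Require local` / `Require valid-user` pair is still followed by the legacy `Satisfy Any`, here and in the identical `00_mod_status.conf` hunk. `Satisfy` is handled by mod_access_compat, which this commit loads in httpd.conf; with the `Order`/`Deny`/`Allow` lines removed, the legacy host check has nothing left to deny, so `Satisfy Any` can be met by that check alone and the two `Require` lines may never be consulted, which would leave the server-info and server-status handlers reachable without authentication. Drop `Satisfy Any` and express the intent in 2.4 terms, a `<RequireAny>` block holding `Require local` and `Require valid-user`. Separately, `.etckeeper` in this commit records `apache2/info_users_passwd`, the `AuthUserFile` used here, as mode 0644; a password file should be readable only by root and the server's group. The enclosing `<Location>` lines are not visible in this rendering.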
@@ -4,10 +4,10 @@ # identification number when it starts. # # DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING -PidFile /var/run/apache2.pid +PidFile /run/apache2.pid # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -#LockFile /var/run/apache2.lock +# Mutex file:/run/apache_mpm_mutex # Only one of the below sections will be relevant on your # installed httpd. Use "/usr/sbin/apache2 -l" to find out the @@ -17,9 +17,9 @@ PidFile /var/run/apache2.pid # These configuration directives apply to all MPMs # # StartServers: Number of child server processes created at startup -# MaxClients: Maximum number of child processes to serve requests -# MaxRequestsPerChild: Limit on the number of requests that an individual child -# server will handle during its life +# MaxRequestWorkers: Maximum number of child processes to serve requests +# MaxConnectionsPerChild: Limit on the number of connections that an individual +# child server will handle during its life # prefork MPM @@ -31,8 +31,8 @@ PidFile /var/run/apache2.pid StartServers 2 MinSpareServers 2 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # worker MPM @@ -46,8 +46,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # event MPM @@ -60,8 +60,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # peruser MPM @@ -76,8 +76,8 @@ PidFile /var/run/apache2.pid MinSpareProcessors 2 MinProcessors 2 MaxProcessors 10 - MaxClients 150 - MaxRequestsPerChild 1000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 1000 ExpireTimeout 1800 Multiplexer nobody nobody 
@@ -92,8 +92,8 @@ PidFile /var/run/apache2.pid StartServers 5 MinSpareServers 5 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # vim: ts=4 filetype=apache diff --git a/apache2/modules.d/47_mod_dav_svn.conf b/apache2/modules.d/47_mod_dav_svn.conf index ab8906c..ef77e8a 100644 --- a/apache2/modules.d/47_mod_dav_svn.conf +++ b/apache2/modules.d/47_mod_dav_svn.conf @@ -6,12 +6,12 @@ # Example configuration: # -# DAV svn -# SVNPath ${SVN_REPOS_LOC}/repos -# AuthType Basic -# AuthName "Subversion repository" -# AuthUserFile ${SVN_REPOS_LOC}/conf/svnusers -# Require valid-user +# DAV svn +# SVNPath ${SVN_REPOS_LOC}/repos +# AuthType Basic +# AuthName "Subversion repository" +# AuthUserFile ${SVN_REPOS_LOC}/conf/svnusers +# Require valid-user # diff --git a/apache2/vhosts.d/00_default_vhost.conf b/apache2/vhosts.d/00_default_vhost.conf index cb477ea..0c4aaf3 100644 --- a/apache2/vhosts.d/00_default_vhost.conf +++ b/apache2/vhosts.d/00_default_vhost.conf @@ -6,7 +6,7 @@ # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# +# # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host diff --git a/apache2/vhosts.d/default_vhost.include b/apache2/vhosts.d/default_vhost.include index c6eb4e3..c989fcf 100644 --- a/apache2/vhosts.d/default_vhost.include +++ b/apache2/vhosts.d/default_vhost.include 
@@ -14,50 +14,49 @@ DocumentRoot "/var/www/localhost/htdocs" # This should be changed to whatever you set DocumentRoot to. - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.2/mod/core.html#options - # for more information. - Options Indexes FollowSymLinks - - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - AllowOverride All - - # Controls who can get stuff from this server. - Order allow,deny - Allow from all + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + Options Indexes FollowSymLinks + + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # Options FileInfo AuthConfig Limit + AllowOverride All + + # Controls who can get stuff from this server. + Require all granted - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. 
- # Example: - # Redirect permanent /foo http://www.example.com/bar - - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. - # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - Alias /distfiles/ /usr/portage/distfiles/ - - - Options Indexes FollowSymLinks - AllowOverride All + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + Alias /distfiles/ /usr/portage/distfiles/ + + + Options Indexes FollowSymLinks + AllowOverride All Order allow,deny Allow from all @@ -128,8 +127,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride None Options None - Order allow,deny - Allow from all + Require all granted -# vim: filetype=apache ts=4 expandtab fileencoding=utf-8 +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/httpd.conf.dist.new b/config-archive/etc/apache2/httpd.conf.dist similarity index 100% rename from config-archive/etc/apache2/httpd.conf.dist.new rename to config-archive/etc/apache2/httpd.conf.dist 
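Review bot: The `/usr/portage/distfiles/` block in the `@@ -14,50 +14,49 @@` hunk keeps `Order allow,deny` / `Allow from all` as context lines while every other block in this commit moves to `Require`. Those two lines only work because mod_access_compat is loaded, and mixing old and new access-control directives in one configuration makes the effective policy hard to reason about; replace them with `Require all granted`. That block and the DocumentRoot block also combine `Options Indexes FollowSymLinks` with `AllowOverride All`, so any `.htaccess` under those trees can change options and access rules; `AllowOverride None` and `SymLinksIfOwnerMatch` are the tighter choice if nothing depends on overrides. The `<Directory>` opening and closing lines are not visible in this rendering.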
diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist index afa8d91..38635aa 100644 --- a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist @@ -69,13 +69,13 @@ HostnameLookups Off # filesystems or if support for these functions is otherwise # broken on your system. EnableMMAP On -EnableSendfile On +EnableSendfile Off -# FileEtag: Configures the file attributes that are used to create +# FileETag: Configures the file attributes that are used to create # the ETag (entity tag) response header field when the document is # based on a static file. (The ETag value is used in cache management # to save network bandwidth.) -FileEtag INode MTime Size +FileETag MTime Size # ContentDigest: This directive enables the generation of Content-MD5 # headers as defined in RFC1864 respectively RFC2616. @@ -107,8 +107,7 @@ LogLevel warn Options FollowSymLinks AllowOverride None - Order deny,allow - Deny from all + Require all denied # DirectoryIndex: sets the file that Apache will serve if a directory @@ -126,8 +125,7 @@ LogLevel warn # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. - Order allow,deny - Deny from all + Require all denied # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new deleted file mode 100644 index 38635aa..0000000 --- a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new +++ /dev/null 
@@ -1,131 +0,0 @@ -# This configuration file reflects default settings for Apache HTTP Server. -# You may change these, but chances are that you may not need to. - -# Timeout: The number of seconds before receives and sends time out. -Timeout 300 - -# KeepAlive: Whether or not to allow persistent connections (more than -# one request per connection). Set to "Off" to deactivate. -KeepAlive On - -# MaxKeepAliveRequests: The maximum number of requests to allow -# during a persistent connection. Set to 0 to allow an unlimited amount. -# We recommend you leave this number high, for maximum performance. -MaxKeepAliveRequests 100 - -# KeepAliveTimeout: Number of seconds to wait for the next request from the -# same client on the same connection. -KeepAliveTimeout 15 - -# UseCanonicalName: Determines how Apache constructs self-referencing -# URLs and the SERVER_NAME and SERVER_PORT variables. -# When set "Off", Apache will use the Hostname and Port supplied -# by the client. When set "On", Apache will use the value of the -# ServerName directive. -UseCanonicalName Off - -# AccessFileName: The name of the file to look for in each directory -# for additional configuration directives. See also the AllowOverride -# directive. -AccessFileName .htaccess - -# ServerTokens -# This directive configures what you return as the Server HTTP response -# Header. The default is 'Full' which sends information about the OS-Type -# and compiled in modules. -# Set to one of: Full | OS | Minor | Minimal | Major | Prod -# where Full conveys the most information, and Prod the least. -ServerTokens Prod - -# TraceEnable -# This directive overrides the behavior of TRACE for both the core server and -# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, -# which disallows any request body to accompany the request. TraceEnable off -# causes the core server and mod_proxy to return a 405 (Method not allowed) -# error to the client. 
-# For security reasons this is turned off by default. (bug #240680) -TraceEnable off - -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. -# Set to one of: On | Off | EMail -ServerSignature On - -# HostnameLookups: Log the names of clients or just their IP addresses -# e.g., www.apache.org (on) or 204.62.129.132 (off). -# The default is off because it'd be overall better for the net if people -# had to knowingly turn this feature on, since enabling it means that -# each client request will result in AT LEAST one lookup request to the -# nameserver. -HostnameLookups Off - -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall is used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -EnableMMAP On -EnableSendfile Off - -# FileETag: Configures the file attributes that are used to create -# the ETag (entity tag) response header field when the document is -# based on a static file. (The ETag value is used in cache management -# to save network bandwidth.) -FileETag MTime Size - -# ContentDigest: This directive enables the generation of Content-MD5 -# headers as defined in RFC1864 respectively RFC2616. -# The Content-MD5 header provides an end-to-end message integrity -# check (MIC) of the entity-body. A proxy or client may check this -# header for detecting accidental modification of the entity-body -# in transit. -# Note that this can cause performance problems on your server since -# the message digest is computed on every request (the values are -# not cached). 
-# Content-MD5 is only sent for documents served by the core, and not -# by any module. For example, SSI documents, output from CGI scripts, -# and byte range responses do not have this header. -ContentDigest Off - -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -ErrorLog /var/log/apache2/error_log - -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -LogLevel warn - -# We configure the "default" to be a very restrictive set of features. - - Options FollowSymLinks - AllowOverride None - Require all denied - - -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# -# The index.html.var file (a type-map) is used to deliver content- -# negotiated documents. The MultiViews Options can be used for the -# same purpose, but it is much slower. -# -# Do not change this entry unless you know what you are doing. - - DirectoryIndex index.html index.html.var - - -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. - - Require all denied - - -# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new b/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist similarity index 100% rename from config-archive/etc/apache2/modules.d/00_error_documents.conf.dist.new rename to config-archive/etc/apache2/modules.d/00_error_documents.conf.dist diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist index 097410a..10bf483 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist 
+++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist @@ -9,8 +9,7 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new deleted file mode 100644 index 10bf483..0000000 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new +++ /dev/null 
@@ -1,85 +0,0 @@ - - - - -# We include the /icons/ alias for FancyIndexed directory listings. If -# you do not use FancyIndexing, you may comment this out. -Alias /icons/ "/usr/share/apache2/icons/" - - - Options Indexes MultiViews - AllowOverride None - Require all granted - - - -# Directives controlling the display of server-generated directory listings. -# -# To see the listing of a directory, the Options directive for the -# directory must include "Indexes", and the directory must not contain -# a file matching those listed in the DirectoryIndex directive. - -# IndexOptions: Controls the appearance of server-generated directory -# listings. -IndexOptions FancyIndexing VersionSort - -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. 
-DefaultIcon /icons/unknown.gif - -# AddDescription allows you to place a short description after a file in -# server-generated indexes. These are only displayed for FancyIndexed -# directories. -# Format: AddDescription "description" filename - -#AddDescription "GZIP compressed document" .gz -#AddDescription "tar archive" .tar -#AddDescription "GZIP compressed tar archive" .tgz - -# ReadmeName is the name of the README file the server will look for by -# default, and append to directory listings. - -# HeaderName is the name of a file which should be prepended to -# directory indexes. -ReadmeName README.html -HeaderName HEADER.html - -# IndexIgnore is a set of filenames which directory indexing should ignore -# and not include in the listing. Shell-style wildcarding is permitted. -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - - - -# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist similarity index 100% rename from config-archive/etc/apache2/modules.d/00_mod_info.conf.dist.new rename to config-archive/etc/apache2/modules.d/00_mod_info.conf.dist diff --git a/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist similarity index 100% rename from config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist.new rename to config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist diff --git a/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist similarity index 100% rename from config-archive/etc/apache2/modules.d/00_mod_status.conf.dist.new rename to config-archive/etc/apache2/modules.d/00_mod_status.conf.dist 
diff --git a/config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mpm.conf.dist similarity index 100% rename from config-archive/etc/apache2/modules.d/00_mpm.conf.dist.new rename to config-archive/etc/apache2/modules.d/00_mpm.conf.dist diff --git a/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist similarity index 100% rename from config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist.new rename to config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist diff --git a/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new b/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist similarity index 100% rename from config-archive/etc/apache2/vhosts.d/default_vhost.include.dist.new rename to config-archive/etc/apache2/vhosts.d/default_vhost.include.dist diff --git a/config-archive/etc/etckeeper/etckeeper.conf.dist.new b/config-archive/etc/etckeeper/etckeeper.conf.dist similarity index 100% rename from config-archive/etc/etckeeper/etckeeper.conf.dist.new rename to config-archive/etc/etckeeper/etckeeper.conf.dist diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index 1647cbe..20d455d 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -107,7 +107,7 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. +#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 
@@ -141,20 +141,6 @@ UsePrivilegeSeparation sandbox # Default for new installations. # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server -# the following are HPN related configuration options -# tcp receive buffer polling. disable in non autotuning kernels -#TcpRcvBufPoll yes - -# disable hpn performance boosts -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - - -# allow the use of the none cipher -#NoneEnabled no - # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no diff --git a/config-archive/etc/ssh/sshd_config.dist.new b/config-archive/etc/ssh/sshd_config.dist.new deleted file mode 100644 index 20d455d..0000000 --- a/config-archive/etc/ssh/sshd_config.dist.new +++ /dev/null 
@@ -1,152 +0,0 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# The default requires explicit activation of protocol 1 -#Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Ciphers and keying -#RekeyLimit default none - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin prohibit-password -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -#AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files 
-#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. 
-UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -PrintLastLog no -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation sandbox -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# here are the new patched ldap related tokens -# entries in your LDAP must have posixAccount & ldapPublicKey objectclass -#UseLPK yes -#LpkLdapConf /etc/ldap.conf -#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ -#LpkUserDN ou=users,dc=phear,dc=org -#LpkGroupDN ou=groups,dc=phear,dc=org -#LpkBindDN cn=Manager,dc=phear,dc=org -#LpkBindPw secret -#LpkServerGroup mail -#LpkFilter (hostAccess=master.phear.org) -#LpkForceTLS no -#LpkSearchTimelimit 3 -#LpkBindTimelimit 3 -#LpkPubKeyAttr sshPublicKey - -# override default of no subsystems -Subsystem sftp /usr/lib64/misc/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server - -# Allow client to pass locale environment variables #367017 -AcceptEnv LANG LC_* diff --git a/etckeeper/etckeeper.conf b/etckeeper/etckeeper.conf index a5983d9..8134bfb 100644 --- a/etckeeper/etckeeper.conf +++ b/etckeeper/etckeeper.conf 
@@ -30,15 +30,24 @@ DARCS_COMMIT_OPTIONS="-a" #AVOID_COMMIT_BEFORE_INSTALL=1 # The high-level package manager that's being used. -# (apt, pacman-g2, yum, zypper etc) -# For gentoo this is emerge +# (apt, pacman-g2, yum, dnf, zypper etc) +#HIGHLEVEL_PACKAGE_MANAGER=apt + +# Gentoo specific: +# For portage this is emerge +# For paludis this is cave HIGHLEVEL_PACKAGE_MANAGER=emerge # The low-level package manager that's being used. # (dpkg, rpm, pacman, pacman-g2, etc) -# For gentoo this is qlist +#LOWLEVEL_PACKAGE_MANAGER=dpkg + +# Gentoo specific: +# For portage this is qlist +# For paludis this is cave LOWLEVEL_PACKAGE_MANAGER=qlist # To push each commit to a remote, put the name of the remote here. -# (eg, "origin" for git). +# (eg, "origin" for git). Space-separated lists of multiple remotes +# also work (eg, "origin gitlab github" for git). PUSH_REMOTE="origin" diff --git a/ssh/._mrg0000_sshd_config b/ssh/._mrg0000_sshd_config deleted file mode 100644 index 62e82fe..0000000 --- a/ssh/._mrg0000_sshd_config +++ /dev/null 
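Review bot: `PUSH_REMOTE="origin"` stays active while the comment above it is extended, so every automatic commit of /etc, including pre-emerge snapshots like this one, is pushed off the host. History of /etc can contain credentials, bind passwords and key material, and it is hard to retract once pushed, so the remote should be private and access-controlled and sensitive paths should be excluded through the repository's ignore file before the first push. A comment next to the setting would make that requirement visible, e.g. `# NOTE: the remote receives the full /etc history; keep it private`. The rest of etckeeper.conf lies outside this hunk.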
@@ -1,155 +0,0 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# The default requires explicit activation of protocol 1 -#Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Ciphers and keying -#RekeyLimit default none - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin no -#PermitRootLogin prohibit-password -PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -#AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's 
~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. 
-UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -PrintLastLog no -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation sandbox -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# here are the new patched ldap related tokens -# entries in your LDAP must have posixAccount & ldapPublicKey objectclass -#UseLPK yes -#LpkLdapConf /etc/ldap.conf -#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ -#LpkUserDN ou=users,dc=phear,dc=org -#LpkGroupDN ou=groups,dc=phear,dc=org -#LpkBindDN cn=Manager,dc=phear,dc=org -#LpkBindPw secret -#LpkServerGroup mail -#LpkFilter (hostAccess=master.phear.org) -#LpkForceTLS no -#LpkSearchTimelimit 3 -#LpkBindTimelimit 3 -#LpkPubKeyAttr sshPublicKey - -# override default of no subsystems -Subsystem sftp /usr/lib64/misc/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server - -# Allow client to pass locale environment variables #367017 -AcceptEnv LANG LC_* diff --git a/ssh/sshd_config b/ssh/sshd_config index 3df38eb..62e82fe 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -110,7 +110,7 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. +#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 
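Review bot: Commenting out `UsePrivilegeSeparation sandbox` in the `@@ -110,7 +110,7 @@` hunk makes the pre-auth sandbox depend on the compiled-in default of the installed sshd instead of on this file. Confirm the effective value with `sshd -T` after the upgrade, or keep the explicit line `UsePrivilegeSeparation sandbox` so that a build with a different default cannot silently weaken it. Separately, the new blob id 62e82fe equals that of the deleted ssh/._mrg0000_sshd_config shown above, which sets `PermitRootLogin yes` and `X11Forwarding yes`, so the live file appears to keep both. With `UsePAM yes` and ChallengeResponseAuthentication left at its default, `PasswordAuthentication no` alone may not restrict root to key-based login; `PermitRootLogin prohibit-password` would state that intent directly. The option list continues outside the hunk.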
@@ -144,20 +144,6 @@ UsePrivilegeSeparation sandbox # Default for new installations. # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server -# the following are HPN related configuration options -# tcp receive buffer polling. disable in non autotuning kernels -#TcpRcvBufPoll yes - -# disable hpn performance boosts -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - - -# allow the use of the none cipher -#NoneEnabled no - # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no -- 2.39.5