Manage sshd_config file #725
Conversation
|
This is based on part of #628; @edunham, could you please take a look? Do not merge this yet - we need to figure out how to bring the versions on
|
aneeshusa
force-pushed
the
manage-sshd-config
branch
from
beb87f4
to
d015c0f
Compare
aneeshusa
force-pushed
the
manage-sshd-config
branch
2 times, most recently
from
089af7a
to
77571c6
Compare
|
Also cc @larsbergstrom and @metajack about getting our versions to all match. I don't know how this works with MacStadium:
Another option is using the OpenSSH in Homebrew, but I'm a little wary of messing with the default |
aneeshusa
force-pushed
the
manage-sshd-config
branch
3 times, most recently
from
fa499d1
to
c177633
Compare
I'd support a move to 10.11. |
|
macOS is at 10.13 now. I think we should move to 10.12 if we are going to upgrade. 10.13 is really new, and some things may be getting ironed out still, but 10.12 should be plenty stable. |
|
I'm +1 on standardizing on 10.12 (thanks for the suggestion @metajack), but I'd like to move just one builder to 10.12 first and let it run for a bit to make sure it won't cause any build breakage. It's probably easiest to upgrade It would also be nice to standardize the XCode version; I think one of the 8.x versions is probably good for now. |
|
With the resolution of #731, 5/9 Mac builders now have macOS 10.11.6, so I think for now it'll be easiest to get all the Macs on 10.11.6 and think about upgrading to 10.12 later. Macs that still need to be upgraded:
I also looked at the @larsbergstrom or @edunham Can you put in tickets with MacStadium to upgrade the remaining Macs as well? |
aneeshusa
force-pushed
the
manage-sshd-config
branch
from
c177633
to
8d258cf
Compare
|
Updated and simplified to assume all macOS machines are on macOS 10.11. |
|
I think that @edunham has gotten all the machines to 10.11 now,so this should theoretically be good to review and land :-) |
|
☔ The latest upstream changes (presumably #807) made this pull request unmergeable. Please resolve the merge conflicts. |
This is based on Mozilla's Modern sshd_config from: https://wiki.mozilla.org/Security/Guidelines/OpenSSH Note that root login is still allowed, because we have not yet set up per-user accounts. Add a test to ensure the sshd_config file is properly parsed and validated by the OpenSSH version on the machine to help guard against this behavior.
Our new 10.11.6 macOS machines have Xcode 8.2 installed. Use xcode8 on Travis, which maps to Xcode 8gm and macOS 10.11. This is also important to help ensure tests like the sshd config test match the behavior we'll see in the field.
aneeshusa
force-pushed
the
manage-sshd-config
branch
from
8d258cf
to
728c7d9
Compare
|
@jdm I'm still interested in this PR and have rebased it, but we ought to do #811 before merging this, hence the lack of updates so far. I also chose the Xcode version specifically to be |
We still have production machines on macOS 10.10.5 (and Xcode 7.2); this is the closest fit that Travis offers, which macOS 10.10, albeit an older Xcode version of 6.4.
|
I just pushed a commit to add more Travis builders for 10.10 (so we test both 10.10 and 10.11 on Travis); if that looks OK we may be able to merge this without waiting for #811. |
|
We can revert to xcode8 if it works. I updated to xcode8.3 to make #807 work, but I didn't test anything in between. |
|
☔ The latest upstream changes (presumably #969) made this pull request unmergeable. Please resolve the merge conflicts. |
This is based on Mozilla's Modern sshd_config from:
https://wiki.mozilla.org/Security/Guidelines/OpenSSH
Note that root login is still allowed,
because we have not yet set up per-user accounts.
Add a test to ensure the sshd_config file is properly parsed and
validated by the OpenSSH version on the machine to help guard
against this behavior.
Additionally, our new 10.11.6 macOS machines have Xcode 8.2 installed.
Use xcode8 on Travis, which maps to Xcode 8gm and macOS 10.11.
This is also important to help ensure tests like the sshd config test
match the behavior we'll see in the field.
This change is