Update SSHD and Kernel configs

Signed-off-by: Tommy <contact@tommytran.io>
2024-11-22 09:21:32 -05:00 · 2022-09-12 17:58:29 -04:00 · 2022-09-12 17:58:29 -04:00 · c75d4a363a
commit c75d4a363a
parent 254eeaef42
8 changed files with 29 additions and 44 deletions
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@ -59,9 +59,10 @@ systemd:
      mask: true
 storage:
  files:
-    - path: /etc/ssh/sshd_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/sshd_config.d/10-custom.conf
      contents:
        inline: |
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
      contents:
@ -114,18 +115,12 @@ storage:
      contents: 
        inline: | 
          * hard core 0
-    - path: /etc/ssh/ssh_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/ssh_config.d/10-custom.conf
      overwrite: true
      contents: 
        inline: | 
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/sysctl.d/20-silence-audit.conf
      contents:
        inline: |
          # Raise console message logging level from DEBUG (7) to WARNING (4)
          # so that audit messages don't get interspersed on the console that
          # may frustrate a user trying to interactively log in.
          kernel.printk=4
  links:
    - path: /etc/localtime
      target: ../usr/share/zoneinfo/America/New_York
@ -185,3 +180,4 @@ kernel_arguments:
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
    - sysctl.net.ipv6.conf.default.accept_ra=0
    - sysctl.kernel.printk=4
--- a/Generic.ign
+++ b/Generic.ign
--- a/Generic.yml
+++ b/Generic.yml
@ -77,9 +77,10 @@ systemd:
      mask: true
 storage:
  files:
-    - path: /etc/ssh/sshd_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/sshd_config.d/10-custom.conf
      contents:
        inline: |
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
      contents:
@ -120,18 +121,12 @@ storage:
      contents: 
        inline: | 
          * hard core 0
-    - path: /etc/ssh/ssh_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/ssh_config.d/10-custom.conf
      overwrite: true
      contents: 
        inline: | 
          GSSAPIAuthentication no
    - path: /etc/sysctl.d/20-silence-audit.conf
      contents:
        inline: |
-          # Raise console message logging level from DEBUG (7) to WARNING (4)
+          X11Forwarding no 
-          # so that audit messages don't get interspersed on the console that
+          GSSAPIAuthentication no
          # may frustrate a user trying to interactively log in.
          kernel.printk=4
  links:
    - path: /etc/localtime
      target: ../usr/share/zoneinfo/America/New_York
@ -188,4 +183,5 @@ kernel_arguments:
    - sysctl.vm.swappiness=1
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
-    - sysctl.net.ipv6.conf.default.accept_ra=0
+    - sysctl.net.ipv6.conf.default.accept_ra=0
    - kernel.printk=4
--- a/GitLab.ign
+++ b/GitLab.ign
--- a/GitLab.yml
+++ b/GitLab.yml
@ -79,9 +79,10 @@ systemd:
      mask: true
 storage:
  files:
-    - path: /etc/ssh/sshd_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/sshd_config.d/10-custom.conf
      contents:
        inline: |
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
      contents:
@ -122,18 +123,12 @@ storage:
      contents: 
        inline: | 
          * hard core 0
-    - path: /etc/ssh/ssh_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/ssh_config.d/10-custom.conf
      overwrite: true
      contents: 
        inline: | 
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/sysctl.d/20-silence-audit.conf
      contents:
        inline: |
          # Raise console message logging level from DEBUG (7) to WARNING (4)
          # so that audit messages don't get interspersed on the console that
          # may frustrate a user trying to interactively log in.
          kernel.printk=4
  links:
    - path: /etc/localtime
      target: ../usr/share/zoneinfo/America/New_York
@ -190,4 +185,6 @@ kernel_arguments:
    - sysctl.vm.swappiness=1
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
-    - sysctl.net.ipv6.conf.default.accept_ra=0
+    - sysctl.net.ipv6.conf.default.accept_ra=0
    - sysctl.kernel.printk=4
--- a/OnlyOffice.ign
+++ b/OnlyOffice.ign
--- a/OnlyOffice.yml
+++ b/OnlyOffice.yml
@ -78,9 +78,10 @@ systemd:
      mask: true
 storage:
  files:
-    - path: /etc/ssh/sshd_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/sshd_config.d/10-custom.conf
      contents:
        inline: |
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
      contents:
@ -121,18 +122,12 @@ storage:
      contents: 
        inline: | 
          * hard core 0
-    - path: /etc/ssh/ssh_config.d/60-disable-GSSAPI.conf
+    - path: /etc/ssh/ssh_config.d/10-custom.conf
      overwrite: true
      contents: 
        inline: | 
          X11Forwarding no 
          GSSAPIAuthentication no
    - path: /etc/sysctl.d/20-silence-audit.conf
      contents:
        inline: |
          # Raise console message logging level from DEBUG (7) to WARNING (4)
          # so that audit messages don't get interspersed on the console that
          # may frustrate a user trying to interactively log in.
          kernel.printk=4
  links:
    - path: /etc/localtime
      target: ../usr/share/zoneinfo/America/New_York
@ -189,4 +184,5 @@ kernel_arguments:
    - sysctl.vm.swappiness=1
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
-    - sysctl.net.ipv6.conf.default.accept_ra=0
+    - sysctl.net.ipv6.conf.default.accept_ra=0
    - sysctl.kernel.printk=4