rabbit-slide-znz-openssh-on-debian9 2017.06.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.rabbit +1 -0
- data/README.md +23 -0
- data/Rakefile +17 -0
- data/config.yaml +21 -0
- data/openssh-on-debian9.md +98 -0
- data/pdf/openssh-on-debian9-openssh-on-debian9.pdf +0 -0
- metadata +63 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 26ba9a497dbb0fb2ac338faf58f7a1cb5028aa3f
|
|
4
|
+
data.tar.gz: 7fc8922ccd39ea7231a9944b89b083e7b20bf21b
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 05f330a18f570765093b416f98cd76b694e285cfb932960ca387c00dfdb39cb7bcdb2d20ff7e53aff0bc8cd70b5f6f6fbb6c70f062144d5371ba6aa2100ae16b
|
|
7
|
+
data.tar.gz: 89d8f0e0eb280fe390589de22b67844a7ef8d9d1c7cf4b0bb1c6da99df0ce9166d178a4cc7d95a033cb5e89b05f8b958b6030fd3db8003d33f02f70bc1b31a17
|
data/.rabbit
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
openssh-on-debian9.md
|
data/README.md
ADDED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# stretchでのOpenSSHのTCP wrappersサポート
|
|
2
|
+
|
|
3
|
+
Debian 9 "Stretch" リリースパーティ in 関西 での LT の発表資料です。
|
|
4
|
+
|
|
5
|
+
## 作者向け
|
|
6
|
+
|
|
7
|
+
### 表示
|
|
8
|
+
|
|
9
|
+
rake
|
|
10
|
+
|
|
11
|
+
### 公開
|
|
12
|
+
|
|
13
|
+
rake publish
|
|
14
|
+
|
|
15
|
+
## 閲覧者向け
|
|
16
|
+
|
|
17
|
+
### インストール
|
|
18
|
+
|
|
19
|
+
gem install rabbit-slide-znz-openssh-on-debian9
|
|
20
|
+
|
|
21
|
+
### 表示
|
|
22
|
+
|
|
23
|
+
rabbit rabbit-slide-znz-openssh-on-debian9.gem
|
data/Rakefile
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require "rabbit/task/slide"
|
|
2
|
+
|
|
3
|
+
# Edit ./config.yaml to customize meta data
|
|
4
|
+
|
|
5
|
+
spec = nil
|
|
6
|
+
Rabbit::Task::Slide.new do |task|
|
|
7
|
+
spec = task.spec
|
|
8
|
+
# spec.files += Dir.glob("doc/**/*.*")
|
|
9
|
+
# spec.files -= Dir.glob("private/**/*.*")
|
|
10
|
+
# spec.add_runtime_dependency("YOUR THEME")
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
desc "Tag #{spec.version}"
|
|
14
|
+
task :tag do
|
|
15
|
+
sh("git", "tag", "-a", spec.version.to_s, "-m", "Publish #{spec.version}")
|
|
16
|
+
sh("git", "push", "--tags")
|
|
17
|
+
end
|
data/config.yaml
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: openssh-on-debian9
|
|
3
|
+
base_name: openssh-on-debian9
|
|
4
|
+
tags:
|
|
5
|
+
- debian
|
|
6
|
+
- openssh
|
|
7
|
+
presentation_date: 2017/06/18
|
|
8
|
+
version: 2017.06.18
|
|
9
|
+
licenses: []
|
|
10
|
+
slideshare_id: stretchopensshtcp-wrappers
|
|
11
|
+
speaker_deck_id: stretchdefalseopensshfalsetcp-wrapperssapoto
|
|
12
|
+
ustream_id:
|
|
13
|
+
vimeo_id:
|
|
14
|
+
youtube_id:
|
|
15
|
+
author:
|
|
16
|
+
markup_language: :markdown
|
|
17
|
+
name: Kazuhiro NISHIYAMA
|
|
18
|
+
email: zn@mbf.nifty.com
|
|
19
|
+
rubygems_user: znz
|
|
20
|
+
slideshare_user: znzjp
|
|
21
|
+
speaker_deck_user: znz
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
# Debian での OpenSSH の TCP wrappers サポート
|
|
2
|
+
|
|
3
|
+
author
|
|
4
|
+
: Kazuhiro NISHIYAMA
|
|
5
|
+
|
|
6
|
+
date
|
|
7
|
+
: 2017/06/18
|
|
8
|
+
|
|
9
|
+
allotted-time
|
|
10
|
+
: 5m
|
|
11
|
+
|
|
12
|
+
theme
|
|
13
|
+
: lightning-simple
|
|
14
|
+
|
|
15
|
+
|
|
16
|
+
# OpenSSH 6.7 で削除
|
|
17
|
+
|
|
18
|
+
- *upstream で削除された*
|
|
19
|
+
|
|
20
|
+
http://www.openssh.com/txt/release-6.7 に
|
|
21
|
+
|
|
22
|
+
* sshd(8): Support for tcpwrappers/libwrap has been removed.
|
|
23
|
+
|
|
24
|
+
とある
|
|
25
|
+
|
|
26
|
+
# とりあえず拒否
|
|
27
|
+
|
|
28
|
+
/etc/hosts.deny:
|
|
29
|
+
|
|
30
|
+
ALL: ALL
|
|
31
|
+
|
|
32
|
+
- TCP wrappers 対応は OpenSSH だけじゃない
|
|
33
|
+
- デフォルトは安全側に倒して拒否したい
|
|
34
|
+
|
|
35
|
+
# すると……
|
|
36
|
+
|
|
37
|
+
- 繋がらなくなった
|
|
38
|
+
- 影響がないはずと思っていた openssh-server に影響がでた?
|
|
39
|
+
|
|
40
|
+
# 試しに許可
|
|
41
|
+
|
|
42
|
+
/etc/hosts.allow:
|
|
43
|
+
|
|
44
|
+
sshd: 127.0.0.1 [::1]
|
|
45
|
+
sshd: 10.
|
|
46
|
+
sshd: .jp
|
|
47
|
+
|
|
48
|
+
- localhost を許可
|
|
49
|
+
- 例として 10.0.0.0/8 を許可
|
|
50
|
+
- 今は関係ないけど、逆引きが .jp も許可
|
|
51
|
+
|
|
52
|
+
# すると……
|
|
53
|
+
|
|
54
|
+
- 繋がった
|
|
55
|
+
- 何かがおかしい
|
|
56
|
+
- /usr/share/doc/openssh-server/changelog.Debian.gz をみてみることに
|
|
57
|
+
|
|
58
|
+
# openssh (1:6.7p1-1) unstable; urgency=medium
|
|
59
|
+
|
|
60
|
+
1:6.7p1-1 の項目の一部を引用:
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
* Restore TCP wrappers support, removed upstream in 6.7. It is true that
|
|
64
|
+
dropping this reduces preauth attack surface in sshd. On the other
|
|
65
|
+
hand, this support seems to be quite widely used, and abruptly dropping
|
|
66
|
+
it (from the perspective of users who don't read openssh-unix-dev) could
|
|
67
|
+
easily cause more serious problems in practice. It's not entirely clear
|
|
68
|
+
what the right long-term answer for Debian is, but it at least probably
|
|
69
|
+
doesn't involve dropping this feature shortly before a freeze.
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
- いきなり消すと影響が大きいので、
|
|
73
|
+
とりあえず戻した、という感じ?
|
|
74
|
+
|
|
75
|
+
# いったんまとめ
|
|
76
|
+
|
|
77
|
+
- とりあえず stretch では、まだ TCP wrappers が使える
|
|
78
|
+
- この先どうなるかはわからない
|
|
79
|
+
- 鍵のロールオーバー https://www.debian.org/security/key-rollover/index.ja.html のようなこともあったので、個人的には Debian 独自が続くのは不安がある
|
|
80
|
+
- upstream との差が開かない方が望ましいので、そのうち外れるのでは、という気がする
|
|
81
|
+
|
|
82
|
+
# 確認環境
|
|
83
|
+
|
|
84
|
+
- Debian GNU/Linux 9.0 (stretch)
|
|
85
|
+
- openssh-server 1:7.4p1-10
|
|
86
|
+
- Ubuntu 16.04.2 LTS (xenial)
|
|
87
|
+
- openssh-server 1:7.2p2-4ubuntu2.2
|
|
88
|
+
|
|
89
|
+
# ちなみに前のバージョンは?
|
|
90
|
+
|
|
91
|
+
- Debian GNU/Linux 8.8 (jessie)
|
|
92
|
+
- openssh-server 1:6.7p1-5+deb8u3
|
|
93
|
+
- Ubuntu 14.04.5 LTS (trusty)
|
|
94
|
+
- openssh-server 1:6.6p1-2ubuntu2.8
|
|
95
|
+
|
|
96
|
+
Restore は 1:6.7p1-1、つまり jessie の時点での話だった
|
|
97
|
+
|
|
98
|
+
jessie, stretch と残ったので、しばらく残るのか、突然消えるのか、まだわからなさそう
|
|
Binary file
|
metadata
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: rabbit-slide-znz-openssh-on-debian9
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 2017.06.18
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Kazuhiro NISHIYAMA
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2017-06-18 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rabbit
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 2.0.2
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 2.0.2
|
|
27
|
+
description: ' Debian 9 "Stretch" リリースパーティ in 関西 での LT の発表資料です。'
|
|
28
|
+
email:
|
|
29
|
+
- zn@mbf.nifty.com
|
|
30
|
+
executables: []
|
|
31
|
+
extensions: []
|
|
32
|
+
extra_rdoc_files: []
|
|
33
|
+
files:
|
|
34
|
+
- ".rabbit"
|
|
35
|
+
- README.md
|
|
36
|
+
- Rakefile
|
|
37
|
+
- config.yaml
|
|
38
|
+
- openssh-on-debian9.md
|
|
39
|
+
- pdf/openssh-on-debian9-openssh-on-debian9.pdf
|
|
40
|
+
homepage: http://slide.rabbit-shocker.org/authors/znz/openssh-on-debian9/
|
|
41
|
+
licenses: []
|
|
42
|
+
metadata: {}
|
|
43
|
+
post_install_message:
|
|
44
|
+
rdoc_options: []
|
|
45
|
+
require_paths:
|
|
46
|
+
- lib
|
|
47
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
48
|
+
requirements:
|
|
49
|
+
- - ">="
|
|
50
|
+
- !ruby/object:Gem::Version
|
|
51
|
+
version: '0'
|
|
52
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
53
|
+
requirements:
|
|
54
|
+
- - ">="
|
|
55
|
+
- !ruby/object:Gem::Version
|
|
56
|
+
version: '0'
|
|
57
|
+
requirements: []
|
|
58
|
+
rubyforge_project:
|
|
59
|
+
rubygems_version: 2.5.2
|
|
60
|
+
signing_key:
|
|
61
|
+
specification_version: 4
|
|
62
|
+
summary: stretchでのOpenSSHのTCP wrappersサポート
|
|
63
|
+
test_files: []
|