rabbit-slide-znz-openssh-on-debian9 2017.06.18
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.rabbit +1 -0
- data/README.md +23 -0
- data/Rakefile +17 -0
- data/config.yaml +21 -0
- data/openssh-on-debian9.md +98 -0
- data/pdf/openssh-on-debian9-openssh-on-debian9.pdf +0 -0
- metadata +63 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 26ba9a497dbb0fb2ac338faf58f7a1cb5028aa3f
|
|
4
|
+
data.tar.gz: 7fc8922ccd39ea7231a9944b89b083e7b20bf21b
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 05f330a18f570765093b416f98cd76b694e285cfb932960ca387c00dfdb39cb7bcdb2d20ff7e53aff0bc8cd70b5f6f6fbb6c70f062144d5371ba6aa2100ae16b
|
|
7
|
+
data.tar.gz: 89d8f0e0eb280fe390589de22b67844a7ef8d9d1c7cf4b0bb1c6da99df0ce9166d178a4cc7d95a033cb5e89b05f8b958b6030fd3db8003d33f02f70bc1b31a17
|
data/.rabbit
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
openssh-on-debian9.md
|
data/README.md
ADDED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# stretchでのOpenSSHのTCP wrappersサポート
|
|
2
|
+
|
|
3
|
+
Debian 9 "Stretch" リリースパーティ in 関西 での LT の発表資料です。
|
|
4
|
+
|
|
5
|
+
## 作者向け
|
|
6
|
+
|
|
7
|
+
### 表示
|
|
8
|
+
|
|
9
|
+
rake
|
|
10
|
+
|
|
11
|
+
### 公開
|
|
12
|
+
|
|
13
|
+
rake publish
|
|
14
|
+
|
|
15
|
+
## 閲覧者向け
|
|
16
|
+
|
|
17
|
+
### インストール
|
|
18
|
+
|
|
19
|
+
gem install rabbit-slide-znz-openssh-on-debian9
|
|
20
|
+
|
|
21
|
+
### 表示
|
|
22
|
+
|
|
23
|
+
rabbit rabbit-slide-znz-openssh-on-debian9.gem
|
data/Rakefile
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require "rabbit/task/slide"
|
|
2
|
+
|
|
3
|
+
# Edit ./config.yaml to customize meta data
|
|
4
|
+
|
|
5
|
+
spec = nil
|
|
6
|
+
Rabbit::Task::Slide.new do |task|
|
|
7
|
+
spec = task.spec
|
|
8
|
+
# spec.files += Dir.glob("doc/**/*.*")
|
|
9
|
+
# spec.files -= Dir.glob("private/**/*.*")
|
|
10
|
+
# spec.add_runtime_dependency("YOUR THEME")
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
desc "Tag #{spec.version}"
|
|
14
|
+
task :tag do
|
|
15
|
+
sh("git", "tag", "-a", spec.version.to_s, "-m", "Publish #{spec.version}")
|
|
16
|
+
sh("git", "push", "--tags")
|
|
17
|
+
end
|
data/config.yaml
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: openssh-on-debian9
|
|
3
|
+
base_name: openssh-on-debian9
|
|
4
|
+
tags:
|
|
5
|
+
- debian
|
|
6
|
+
- openssh
|
|
7
|
+
presentation_date: 2017/06/18
|
|
8
|
+
version: 2017.06.18
|
|
9
|
+
licenses: []
|
|
10
|
+
slideshare_id: stretchopensshtcp-wrappers
|
|
11
|
+
speaker_deck_id: stretchdefalseopensshfalsetcp-wrapperssapoto
|
|
12
|
+
ustream_id:
|
|
13
|
+
vimeo_id:
|
|
14
|
+
youtube_id:
|
|
15
|
+
author:
|
|
16
|
+
markup_language: :markdown
|
|
17
|
+
name: Kazuhiro NISHIYAMA
|
|
18
|
+
email: zn@mbf.nifty.com
|
|
19
|
+
rubygems_user: znz
|
|
20
|
+
slideshare_user: znzjp
|
|
21
|
+
speaker_deck_user: znz
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
# Debian での OpenSSH の TCP wrappers サポート
|
|
2
|
+
|
|
3
|
+
author
|
|
4
|
+
: Kazuhiro NISHIYAMA
|
|
5
|
+
|
|
6
|
+
date
|
|
7
|
+
: 2017/06/18
|
|
8
|
+
|
|
9
|
+
allotted-time
|
|
10
|
+
: 5m
|
|
11
|
+
|
|
12
|
+
theme
|
|
13
|
+
: lightning-simple
|
|
14
|
+
|
|
15
|
+
|
|
16
|
+
# OpenSSH 6.7 で削除
|
|
17
|
+
|
|
18
|
+
- *upstream で削除された*
|
|
19
|
+
|
|
20
|
+
http://www.openssh.com/txt/release-6.7 に
|
|
21
|
+
|
|
22
|
+
* sshd(8): Support for tcpwrappers/libwrap has been removed.
|
|
23
|
+
|
|
24
|
+
とある
|
|
25
|
+
|
|
26
|
+
# とりあえず拒否
|
|
27
|
+
|
|
28
|
+
/etc/hosts.deny:
|
|
29
|
+
|
|
30
|
+
ALL: ALL
|
|
31
|
+
|
|
32
|
+
- TCP wrappers 対応は OpenSSH だけじゃない
|
|
33
|
+
- デフォルトは安全側に倒して拒否したい
|
|
34
|
+
|
|
35
|
+
# すると……
|
|
36
|
+
|
|
37
|
+
- 繋がらなくなった
|
|
38
|
+
- 影響がないはずと思っていた openssh-server に影響がでた?
|
|
39
|
+
|
|
40
|
+
# 試しに許可
|
|
41
|
+
|
|
42
|
+
/etc/hosts.allow:
|
|
43
|
+
|
|
44
|
+
sshd: 127.0.0.1 [::1]
|
|
45
|
+
sshd: 10.
|
|
46
|
+
sshd: .jp
|
|
47
|
+
|
|
48
|
+
- localhost を許可
|
|
49
|
+
- 例として 10.0.0.0/8 を許可
|
|
50
|
+
- 今は関係ないけど、逆引きが .jp も許可
|
|
51
|
+
|
|
52
|
+
# すると……
|
|
53
|
+
|
|
54
|
+
- 繋がった
|
|
55
|
+
- 何かがおかしい
|
|
56
|
+
- /usr/share/doc/openssh-server/changelog.Debian.gz をみてみることに
|
|
57
|
+
|
|
58
|
+
# openssh (1:6.7p1-1) unstable; urgency=medium
|
|
59
|
+
|
|
60
|
+
1:6.7p1-1 の項目の一部を引用:
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
* Restore TCP wrappers support, removed upstream in 6.7. It is true that
|
|
64
|
+
dropping this reduces preauth attack surface in sshd. On the other
|
|
65
|
+
hand, this support seems to be quite widely used, and abruptly dropping
|
|
66
|
+
it (from the perspective of users who don't read openssh-unix-dev) could
|
|
67
|
+
easily cause more serious problems in practice. It's not entirely clear
|
|
68
|
+
what the right long-term answer for Debian is, but it at least probably
|
|
69
|
+
doesn't involve dropping this feature shortly before a freeze.
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
- いきなり消すと影響が大きいので、
|
|
73
|
+
とりあえず戻した、という感じ?
|
|
74
|
+
|
|
75
|
+
# いったんまとめ
|
|
76
|
+
|
|
77
|
+
- とりあえず stretch では、まだ TCP wrappers が使える
|
|
78
|
+
- この先どうなるかはわからない
|
|
79
|
+
- 鍵のロールオーバー https://www.debian.org/security/key-rollover/index.ja.html のようなこともあったので、個人的には Debian 独自が続くのは不安がある
|
|
80
|
+
- upstream との差が開かない方が望ましいので、そのうち外れるのでは、という気がする
|
|
81
|
+
|
|
82
|
+
# 確認環境
|
|
83
|
+
|
|
84
|
+
- Debian GNU/Linux 9.0 (stretch)
|
|
85
|
+
- openssh-server 1:7.4p1-10
|
|
86
|
+
- Ubuntu 16.04.2 LTS (xenial)
|
|
87
|
+
- openssh-server 1:7.2p2-4ubuntu2.2
|
|
88
|
+
|
|
89
|
+
# ちなみに前のバージョンは?
|
|
90
|
+
|
|
91
|
+
- Debian GNU/Linux 8.8 (jessie)
|
|
92
|
+
- openssh-server 1:6.7p1-5+deb8u3
|
|
93
|
+
- Ubuntu 14.04.5 LTS (trusty)
|
|
94
|
+
- openssh-server 1:6.6p1-2ubuntu2.8
|
|
95
|
+
|
|
96
|
+
Restore は 1:6.7p1-1、つまり jessie の時点での話だった
|
|
97
|
+
|
|
98
|
+
jessie, stretch と残ったので、しばらく残るのか、突然消えるのか、まだわからなさそう
|
|
Binary file
|
metadata
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: rabbit-slide-znz-openssh-on-debian9
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 2017.06.18
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Kazuhiro NISHIYAMA
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2017-06-18 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rabbit
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 2.0.2
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 2.0.2
|
|
27
|
+
description: ' Debian 9 "Stretch" リリースパーティ in 関西 での LT の発表資料です。'
|
|
28
|
+
email:
|
|
29
|
+
- zn@mbf.nifty.com
|
|
30
|
+
executables: []
|
|
31
|
+
extensions: []
|
|
32
|
+
extra_rdoc_files: []
|
|
33
|
+
files:
|
|
34
|
+
- ".rabbit"
|
|
35
|
+
- README.md
|
|
36
|
+
- Rakefile
|
|
37
|
+
- config.yaml
|
|
38
|
+
- openssh-on-debian9.md
|
|
39
|
+
- pdf/openssh-on-debian9-openssh-on-debian9.pdf
|
|
40
|
+
homepage: http://slide.rabbit-shocker.org/authors/znz/openssh-on-debian9/
|
|
41
|
+
licenses: []
|
|
42
|
+
metadata: {}
|
|
43
|
+
post_install_message:
|
|
44
|
+
rdoc_options: []
|
|
45
|
+
require_paths:
|
|
46
|
+
- lib
|
|
47
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
48
|
+
requirements:
|
|
49
|
+
- - ">="
|
|
50
|
+
- !ruby/object:Gem::Version
|
|
51
|
+
version: '0'
|
|
52
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
53
|
+
requirements:
|
|
54
|
+
- - ">="
|
|
55
|
+
- !ruby/object:Gem::Version
|
|
56
|
+
version: '0'
|
|
57
|
+
requirements: []
|
|
58
|
+
rubyforge_project:
|
|
59
|
+
rubygems_version: 2.5.2
|
|
60
|
+
signing_key:
|
|
61
|
+
specification_version: 4
|
|
62
|
+
summary: stretchでのOpenSSHのTCP wrappersサポート
|
|
63
|
+
test_files: []
|