From 67c560e1746d2fdc4fded70a6a5af4838da0ceb8 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Sun, 12 Feb 2023 15:04:20 +0100
Subject: [PATCH] Imported config file examples, improved ssh's
---
examples/Brewfile | 47 +++++++++++++++
examples/azure/config | 15 +++++
examples/oci/config | 10 ++++
examples/ssh/ssh_config | 88 ++++++++++++++++++++++++++++
examples/ssh/sshd_config | 123 +++++++++++++++++++++++++++++++++++++++
examples/ssh_config | 77 ------------------------
6 files changed, 283 insertions(+), 77 deletions(-)
create mode 100644 examples/Brewfile
create mode 100644 examples/azure/config
create mode 100644 examples/oci/config
create mode 100644 examples/ssh/ssh_config
create mode 100644 examples/ssh/sshd_config
delete mode 100644 examples/ssh_config
diff --git a/examples/Brewfile b/examples/Brewfile
new file mode 100644
index 0000000..3cfdf46
--- /dev/null
+++ b/examples/Brewfile
@@ -0,0 +1,47 @@
+################################################################################
+## ~/.Brewfile
+##
+## Gotchas:
+## - `moreutils` installs its own old version of parallel, which conflicts with
+## the `parallel` formula; install `gettext`, `parallel` and `sponge` instead
+##
+## Sources:
+## - https://github.com/Homebrew/homebrew-bundle
+################################################################################
+
+tap "homebrew/bundle"
+tap "homebrew/cask"
+tap "homebrew/core"
+
+brew "asdf"
+brew "chezmoi"
+brew "diff-pdf"
+brew "git-lfs"
+brew "mas"
+brew "parallel"
+brew "pre-commit"
+brew "python-yq"
+brew "rename"
+brew "sponge"
+
+cask_args appdir: "~/Applications"
+
+cask "aldente"
+cask "desmume"
+cask "docker"
+cask "firefox"
+cask "gpg-suite-no-mail"
+cask "iterm2"
+cask "keka"
+cask "little-snitch", args: { appdir: "/Applications" }
+cask "monitorcontrol"
+cask "openzfs"
+cask "skype"
+cask "spotify"
+cask "steam"
+cask "vlc"
+
+mas "be focused", id: 973134470
+mas "prime video", id: 545519333
+mas "whatsapp", id: 1147396723
+mas "xcode", id: 497799835
diff --git a/examples/azure/config b/examples/azure/config
new file mode 100644
index 0000000..50090fc
--- /dev/null
+++ b/examples/azure/config
@@ -0,0 +1,15 @@
+################################################################################
+## ~/.azure/config
+##
+## Sources:
+## - https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration
+################################################################################
+
+[cloud]
+name = AzureCloud
+
+[core]
+collect_telemetry = false
+
+[defaults]
+location = eastus
diff --git a/examples/oci/config b/examples/oci/config
new file mode 100644
index 0000000..81e3f0d
--- /dev/null
+++ b/examples/oci/config
@@ -0,0 +1,10 @@
+################################################################################
+## ~/.oci/config
+################################################################################
+
+[DEFAULT]
+user=ocid1.user.oc1..aaaaaaaayap6nsl77k2u34v2k7t47uidv27qfhv43av7ryn2xp37tezezlha
+fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
+key_file=/home/user/.oci/oci_api_key.pem
+tenancy=ocid1.tenancy.oc1..aaaaaaaawtuhnzgr175bto5wmddky4nqorr9txnjxugmtrcsoatsbv4nn6qt4
+region=eu-amsterdam-1
diff --git a/examples/ssh/ssh_config b/examples/ssh/ssh_config
new file mode 100644
index 0000000..0a48f0f
--- /dev/null
+++ b/examples/ssh/ssh_config
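Review bot: The `user=` and `tenancy=` lines carry OCIDs whose suffixes read like genuine identifiers rather than placeholders, unlike the obviously fabricated `fingerprint=aa:bb:cc:...` line; if these are real account identifiers they should not be published in an example file. Replace them with clearly marked dummies such as `user=ocid1.user.oc1..<USER_OCID>` and `tenancy=ocid1.tenancy.oc1..<TENANCY_OCID>` so readers know every value here is to be substituted. The header could also carry a `## Gotchas:` entry, in the style of the other examples, noting that `key_file` must point to a private key readable only by its owner, since the CLI warns on looser permissions.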
@@ -0,0 +1,88 @@
+################################################################################
+## ~/.ssh/config
+##
+## Gotchas:
+## - options are applied first-come-first-served, so:
+## - specific and higher priority settings go on top, generic and lower ones
+## go on the bottom
+## - user defaults MUST come last to be treated as such
+## - host specificity is NOT a factor of priority
+## - multiple host names (and aliases) may be specified per section
+## - targets may match multiple host sections and have settings applied in order
+## - host sections only apply to the matched names
+## - canonicalization forces a configuration reload to check the now canonical
+## host name against the configuration
+################################################################################
+
+# Canonicalize host names as first thing
+# Forces a configuration reload so that only the canonical host name is matched
+# against the rest of the configuration
+CanonicalizeHostname yes
+CanonicalDomains lan localdomain my.org
+
+# 'special' devices
+# E.g. work ones
+Host net?a?-fw? org?-h?-sw?
+ CanonicalDomains that.org
+ CanonicalizeMaxDots 0
+Host !bastion* *.brt*.my.org *.brs? *.brs??
+ AddressFamily inet6
+ ProxyCommand ssh -W %h:%p `host bastion.my.org | awk '/address/ {print $4; exit}' | xargs host | cut -d\ -f5`
+
+# Connect to secured hosts
+# E.g. targets using non-default configuration
+Host *-bastion-* *-fw
+ IdentitiesOnly yes
+ IdentityFile ~/.ssh/id_rsa
+ Port 2222
+
+# Avoid OS incompatibility nuisances
+# E.g. LANG not set when connecting to Linux from Darwin
+Host linux-* raspberrypi?
+ SendEnv -LC_* PAGER
+ SetEnv LANG=C LANGUAGE=en LC_ALL=C
+
+# Connect to unresolvable host names
+# E.g. home routers
+Host router fixed-ip
+ HostName 192.168.50.1
+ User root
+
+# Enable connections to old SSH server versions
+# E.g. legacy targets using old key algorithms
+Host legacy-hosts azure-vm-* oci-bastion-*
+ HostKeyAlgorithms +ssh-dss +ssh-rsa
+ PubkeyAcceptedAlgorithms +ssh-rsa
+
+# Avoid nuisances with ephemeral hosts and localhost
+# E.g. preemptible or testing virtual machines which are often recreated
+Host localhost *-vm-*
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+
+# User-specific settings
+# E.g. programmatic accesses
+Match user robots
+ AddKeysToAgent no
+ BatchMode yes
+ ForwardAgent no
+ IdentitiesOnly yes
+ IdentityFile ~/.ssh/robots.id_ed25519
+ ServerAliveCountMax 1
+ ServerAliveInterval 30
+ UseKeyChain no
+
+# Keep connections open for some time to reuse them
+# %C returns a hash of different information and is useful as socket identifier
+ControlMaster auto
+ControlPersist 30s
+ControlPath ~/.ssh/control-%C
+
+# User defaults
+AddKeysToAgent yes
+Compression yes
+ForwardAgent yes
+HashKnownHosts no
+ServerAliveCountMax 2
+ServerAliveInterval 300
+UseKeyChain yes
diff --git a/examples/ssh/sshd_config b/examples/ssh/sshd_config
new file mode 100644
index 0000000..173923d
--- /dev/null
+++ b/examples/ssh/sshd_config
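Review bot: The `Host localhost *-vm-*` block turns off host-key verification (`StrictHostKeyChecking no` plus `UserKnownHostsFile /dev/null`) while the user defaults at the bottom keep `ForwardAgent yes`, so the agent is forwarded to hosts whose identity is never checked and anything sitting between client and VM can drive it. Add `ForwardAgent no` to that block; if first-contact prompts are the real nuisance, `StrictHostKeyChecking accept-new` with a dedicated file such as `UserKnownHostsFile ~/.ssh/known_hosts.ephemeral` still catches a changed key, at the cost of clearing that file when a VM is rebuilt. Note that `*-vm-*` also matches the `azure-vm-*` names in the `legacy-hosts` block, so those hosts additionally accept `+ssh-dss`/`+ssh-rsa` host keys unverified; a sentence in the block's comment stating that interplay would help readers. The `ProxyCommand` in the `!bastion*` block could become `ProxyJump bastion.my.org`, which drops the `host | awk | xargs | cut` pipeline in favour of ssh's built-in jump-host handling.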
@@ -0,0 +1,123 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
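Review bot: `PermitRootLogin yes` in the Authentication section is the one hardening-relevant override of the stock 2018 defaults, and with `#PasswordAuthentication yes` left at its default it permits password logins as root over the network. For an example meant to be copied, `PermitRootLogin prohibit-password` (OpenSSH's own default) and an explicit `PasswordAuthentication no` are the safer baseline; the existing `UsePAM` comment already warns that PAM can bypass `PermitRootLogin without-password`, which makes the current combination worth a justifying comment at minimum. `X11Forwarding yes` is likewise enabled with no note on why, while the commented `Match User anoncvs` example shows it being turned back off. The file also lacks the `## Gotchas:`/`## Sources:` header the other examples carry, and `enviroment` in the `AcceptEnv` comment is misspelt.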
diff --git a/examples/ssh_config b/examples/ssh_config
deleted file mode 100644
index 23ebaab..0000000
--- a/examples/ssh_config
+++ /dev/null
@@ -1,77 +0,0 @@
-################################################################################
-## ~/.ssh/config
-##
-## Gotchas:
-## - priority goes from top to bottom
-## - defaults MUST come last
-## - canonicalization as a default MUST be on top to force a config reload
-## when checking hosts matching it
-## - host specificity is NOT a factor of priority
-## - host sections can be specified multiple times
-## - multiple hostnames (and aliases) may be specified per section
-## - host sections apply to the name you use (not what it resolves to)
-################################################################################
-
-# Canonicalize host names before connecting
-# On top, so it forces a config reload for canonical hosts
-CanonicalizeHostname yes
-CanonicalDomains lan local my.org
-
-# Legacy hosts' specific settings
-# E.g. old key algorithms
-Host legacy
- BatchMode yes
- ForwardAgent yes
- HostKeyAlgorithms +ssh-dss
- Port 2222
-
-# Virtual Machines' specific settings
-# E.g. no key checking due to them being ephemeral
-Host local vm*
- Hostname localhost
- IdentitiesOnly yes
- IdentityFile ~/.ssh/id_rsa
- StrictHostKeyChecking no
- UserKnownHostsFile /dev/null
-
-# Network devices' specific settings
-# E.g. firewalls and switches
-Host net?a?-fw? org?-h?-sw?
- CanonicalDomains my.org
- CanonicalizeMaxDots 0
-Host !bastion* *.brt*.my.org *.brs? *.brs??
- ProxyCommand ssh -W %h:%p `host bastion.my.org | awk '/address/ {print $4; exit}' | xargs host | cut -d\ -f5`
-
-# Home devices' specific settings
-Host omnia turris
- AddressFamily inet6
- IdentitiesOnly yes
- User root
-Host raspberrypi*
- AddKeysToAgent no
- SendEnv -LC_* PAGER
- SetEnv FOO=bar
- UseKeyChain no
- User pi
-
-# User-specific settings
-Match user robots
- IdentityFile ~/.ssh/id_ed25519
- ServerAliveInterval 300
- ServerAliveCountMax 2
-
-# Default settings
-# ------------------
-
-AddKeysToAgent yes
-Compression yes
-HashKnownHosts no
-ServerAliveInterval 300
-ServerAliveCountMax 2
-UseKeyChain yes
-
-# Keep connections open for some time to reuse them
-# %C returns a hash of different information and is useful as socket identifier
-ControlMaster auto
-ControlPersist 30s
-ControlPath ~/.ssh/control-%C