• incoming SSH restriction for *.debian.org

    From Julien Cristau@21:1/5 to All on Sat Nov 10 16:10:01 2018
    Hi,

    At the moment, most debian.org hosts accept incoming ssh connections from the entire Internet. In the future, DSA intends to change this and, by default, only accept ssh connections from other debian.org machines.

    The following classes of hosts will continue to accept ssh from everywhere:

    - upload hosts
    - master and people.debian.org
    - salsa.debian.org
    - dedicated ssh jumphosts {na,eu}.ssh.debian.org
    - porter boxes (maybe).

    These changes will come into effect no sooner than mid December. The following snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all debian.org hosts other than the jumphosts.

    Host *.debian.org !*.ssh.debian.org !ssh.debian.org
        ProxyJump ssh.debian.org
        # (or {na,eu}.ssh.debian.org)

    Our documentation at https://dsa.debian.org/doc/firewall/ will also be updated.

    Cheers,
    Julien, for DSA

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
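
The following is an added example, not part of the original post or DSA's documentation. It models how OpenSSH evaluates the Host line from the snippet above (a block applies when the name matches at least one positive pattern and no negated one), so you can see which names would be sent through the jumphost. The function names and the sample host names are assumptions made for illustration.

```python
import re

# Host line and jumphost taken from the ~/.ssh/config snippet in the post.
HOST_LINE = "*.debian.org !*.ssh.debian.org !ssh.debian.org"
JUMPHOST = "ssh.debian.org"


def _pattern_to_regex(pattern):
    """Translate an ssh_config pattern ('*' and '?' wildcards only) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def host_block_applies(host_line, name):
    """A Host block applies when the name matches at least one positive
    pattern and does not match any negated ('!') pattern."""
    positive = False
    for pat in host_line.split():
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        if _pattern_to_regex(body).match(name):
            if negated:
                return False  # a negated match always wins
            positive = True
    return positive


def route(name):
    """Return how a connection to `name` would be made under the snippet."""
    return "via " + JUMPHOST if host_block_applies(HOST_LINE, name) else "direct"


# Constructed sample names, as they would be typed on the ssh command line.
SAMPLES = ["master.debian.org", "example-host.debian.org", "ssh.debian.org",
           "na.ssh.debian.org", "eu.ssh.debian.org", "debian.org", "master"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:26} {route(name)}")
```

Host patterns are matched against the name given on the command line (CanonicalizeHostname aside), so a short name such as `master` does not pick up the ProxyJump setting and would attempt a direct connection.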