added sshd_rhosts_rsa_authentication variable, default set to no
added sshd_hostbased_authentication variable, default set to no
This commit is contained in:
Micah Anderson
parent
9edd2705d4
commit
06163fbb92
5 changed files with 63 additions and 10 deletions
|
|
@ -60,6 +60,14 @@
|
|||
# Valid Values: yes or no
|
||||
# Default: no
|
||||
#
|
||||
# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
|
||||
# Valid Values: yes or no
|
||||
# Default: no
|
||||
#
|
||||
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
|
||||
# Valid Values: yes or no
|
||||
# Default: no
|
||||
#
|
||||
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
|
||||
# Valid Values: yes or no
|
||||
# Default: yes
|
||||
|
|
@ -125,6 +133,14 @@ class sshd::base {
|
|||
'' => 'yes',
|
||||
default => $sshd_ignore_rhosts
|
||||
}
|
||||
$real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_rhosts_rsa_authentication
|
||||
}
|
||||
$real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_hostbased_authentication
|
||||
}
|
||||
|
||||
file { 'sshd_config':
|
||||
path => '/etc/ssh/sshd_config',
|
||||
|
|
|
|||
|
|
@ -64,9 +64,19 @@ PubkeyAuthentication no
|
|||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
#HostbasedAuthentication no
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
|
|
|||
|
|
@ -53,8 +53,12 @@ PubkeyAuthentication no
|
|||
|
||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
|
||||
# rhosts authentication should not be used
|
||||
#RhostsAuthentication no
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
|
|
@ -63,10 +67,13 @@ IgnoreRhosts yes
|
|||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
|
|
|
|||
|
|
@ -67,9 +67,19 @@ PubkeyAuthentication no
|
|||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
#HostbasedAuthentication no
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
|
|
|||
|
|
@ -61,9 +61,19 @@ PubkeyAuthentication no
|
|||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
#HostbasedAuthentication no
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
|
|
|||
Loading…
Reference in a new issue