new style for 2.7

README

@@ -24,11 +24,12 @@ Nagios
 ------
 
 To have nagios checks setup automatically for sshd services, simply set
-$use_nagios = true before the class is included. If you want to disable ssh
+use_nagios to true in hiera. If you want to disable ssh
 nagios checking for a particular node (such as when ssh is firewalled), then you
-can set $nagios_check_ssh to false and that node will not be monitored.  
+can set the class parameter nagios_check_ssh to false and that node will not bei
+monitored.  
 
-Nagios will automatically check the ports defined in $sshd_ports, and the
+Nagios will automatically check the ports defined in $sshd::ports, and the
 hostname specified by $nagios_check_ssh_hostname.
 
 NOTE: this requires that you are using the shared-nagios puppet module which

manifests/base.pp

@@ -1,31 +1,31 @@
-class sshd::base {     
+class sshd::base {
   file { 'sshd_config':
     path => '/etc/ssh/sshd_config',
-    content => $lsbdistcodename ? {
-      '' => template("sshd/sshd_config/${operatingsystem}.erb"),
-      default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+    content => $::lsbdistcodename ? {
+      '' => template("sshd/sshd_config/${::operatingsystem}.erb"),
+      default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
     },
     notify => Service[sshd],
     owner => root, group => 0, mode => 600;
   }
 
   # Now add the key, if we've got one
-  case $sshrsakey {
-    '': { info("no sshrsakey on $fqdn") }
+  case $::sshrsakey {
+    '': { info("no sshrsakey on ${::fqdn}") }
     default: {
-      @@sshkey{"$fqdn":
+      @@sshkey{$::fqdn:
         tag    => "fqdn",
         type   => ssh-rsa,
-        key    => $sshrsakey,
+        key    => $::sshrsakey,
         ensure => present,
       }
       # In case the node has uses a shared network address,
       # we don't define a sshkey resource using an IP address
-      if $sshd_shared_ip == "no" {
-        @@sshkey{"$ipaddress":
+      if $sshd::shared_ip == "no" {
+        @@sshkey{$::ipaddress:
           tag    => "ipaddress",
           type   => ssh-rsa,
-          key    => $sshrsakey,
+          key    => $::sshrsakey,
           ensure => present,
         }
       }

manifests/client.pp

@@ -1,23 +1,21 @@
 # manifests/client.pp
 
-class sshd::client {
+class sshd::client(
+  $shared_ip = hiera('sshd_shared_ip','no'),
+  $ensure_version = hiera('sshd_ensure_version','installed')
+) {
 
-  case $sshd_shared_ip {
-    '': { $sshd_shared_ip = "no" }
-  }
-
-  case $operatingsystem {
+  case $::operatingsystem {
     debian,ubuntu: { include sshd::client::debian }
     default: {
-      case $kernel {
+      case $::kernel {
         linux: { include sshd::client::linux }
         default: { include sshd::client::base }
       }
     }
   }
 
-  if $use_shorewall{
+  if hiera('use_shorewall',false) {
     include shorewall::rules::out::ssh
   }
-
 }

manifests/client/base.pp

@@ -1,10 +1,11 @@
 class sshd::client::base {
   # this is needed because the gid might have changed
-  config_file { '/etc/ssh/ssh_known_hosts':
+  file { '/etc/ssh/ssh_known_hosts':
+    mode => 0644, owner => root, group => 0;
   }
 
   # Now collect all server keys
-  case $sshd_shared_ip {
+  case $sshd::client::shared_ip {
     no:  { Sshkey <<||>> }
     yes: { Sshkey <<| tag == "fqdn" |>> }
   }

manifests/client/linux.pp

@@ -1,6 +1,5 @@
 class sshd::client::linux inherits sshd::client::base {
-  if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
   package {'openssh-clients':
-    ensure => $ssh_ensure_version,
+    ensure => $sshd::client::ensure_version,
   }
 }

manifests/debian.pp

@@ -7,7 +7,7 @@ class sshd::debian inherits sshd::linux {
     name => 'openssh-server',
   }
 
-  $sshd_restartandstatus = $lsbdistcodename ? {
+  $sshd_restartandstatus = $::lsbdistcodename ? {
     etch => false,
     default => true
   }

manifests/init.pp

@@ -1,138 +1,61 @@
-class sshd {
-   # prepare variables to use in templates
-  case $sshd_listen_address {
-    '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
-  }
-  case $sshd_allowed_users {
-    '': { $sshd_allowed_users = '' }
-  }
-  case $sshd_allowed_groups {
-    '': { $sshd_allowed_groups = '' }
-  }
-  case $sshd_use_pam {
-    '': { $sshd_use_pam = 'no' }
-  }
-  case $sshd_permit_root_login {
-    '': { $sshd_permit_root_login = 'without-password' }
-  }
-  case $sshd_password_authentication {
-    '': { $sshd_password_authentication = 'no' }
-  }
-  case $sshd_kerberos_authentication {
-    '': { $sshd_kerberos_authentication = 'no' }
-  }
-  case $sshd_kerberos_orlocalpasswd {
-    '': { $sshd_kerberos_orlocalpasswd = 'yes' }
-  }
-  case $sshd_kerberos_ticketcleanup {
-    '': { $sshd_kerberos_ticketcleanup = 'yes' }
-  }
-  case $sshd_gssapi_authentication {
-    '': { $sshd_gssapi_authentication = 'no' }
-  }
-  case $sshd_gssapi_cleanupcredentials {
-    '': { $sshd_gssapi_cleanupcredentials = 'yes' }
-  }
-  case $sshd_tcp_forwarding {
-    '': { $sshd_tcp_forwarding = 'no' }
-  }
-  case $sshd_x11_forwarding {
-    '': { $sshd_x11_forwarding = 'no' }
-  }
-  case $sshd_agent_forwarding {
-    '': { $sshd_agent_forwarding = 'no' }
-  }
-  case $sshd_challenge_response_authentication {
-    '': { $sshd_challenge_response_authentication = 'no' }
-  }
-  case $sshd_pubkey_authentication {
-    '': { $sshd_pubkey_authentication = 'yes' }
-  }
-  case $sshd_rsa_authentication {
-    '': { $sshd_rsa_authentication = 'no' }
-  }
-  case $sshd_strict_modes {
-    '': { $sshd_strict_modes = 'yes' }
-  }
-  case $sshd_ignore_rhosts {
-    '': { $sshd_ignore_rhosts = 'yes' }
-  }
-  case $sshd_rhosts_rsa_authentication {
-    '': { $sshd_rhosts_rsa_authentication = 'no' }
-  }
-  case $sshd_hostbased_authentication {
-    '': { $sshd_hostbased_authentication = 'no' }
-  }
-  case $sshd_permit_empty_passwords {
-    '': { $sshd_permit_empty_passwords = 'no' }
-  }
-  if ( $sshd_port != '' ) and ( $sshd_ports != []) {
-      err("Cannot use sshd_port and sshd_ports at the same time.")
-  }
-  if $sshd_port != '' {
-      $sshd_ports = [ $sshd_port ]
-  } elsif ! $sshd_ports {
-      $sshd_ports = [ 22 ]
-  }
-  case $sshd_authorized_keys_file {
-    '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
-  }
-  case $sshd_hardened_ssl {
-    '': { $sshd_hardened_ssl = 'no' }
-  }
-  case $sshd_sftp_subsystem {
-    '': { $sshd_sftp_subsystem = '' }
-  }
-  case $sshd_head_additional_options {
-    '': { $sshd_head_additional_options = '' }
-  }
-  case $sshd_tail_additional_options {
-    '': { $sshd_tail_additional_options = '' }
-  }
-  case $sshd_ensure_version {
-    '': { $sshd_ensure_version = "present" }
-  }
-  case $sshd_print_motd {
-    '': {
-      case $operatingsystem {
-        debian,ubuntu: { $sshd_print_motd = "no" }
-        default: { $sshd_print_motd = "yes" }
-      }
-    }
-  }
-  case $sshd_shared_ip {
-    '': { $sshd_shared_ip = "no" }
+class sshd(
+  $nagios_check_ssh = hiera('nagios_check_ssh',true),
+  $nagios_check_ssh_hostname = hiera('nagios_check_ssh_hostname','absent'),
+  $ports = hiera('sshd_ports',[ 22 ]),
+  $shared_ip = hiera('sshd_shared_ip','no'),
+  $ensure_version = hiera('sshd_ensure_version','installed'),
+  $listen_address = hiera('sshd_listen_address',[ '0.0.0.0', '::' ]),
+  $allowed_users = hiera('sshd_allowed_users',''),
+  $allowed_groups = hiera('sshd_allowed_groups',''),
+  $use_pam = hiera('sshd_use_pam','no'),
+  $permit_root_login = hiera('sshd_permit_root_login','without-password'),
+  $password_authentication = hiera('sshd_password_authentication','no'),
+  $kerberos_authentication = hiera('sshd_kerberos_authentication','no'),
+  $kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'),
+  $kerberos_ticketcleanup = hiera('sshd_kerberos_ticketcleanup','yes'),
+  $gssapi_authentication = hiera('sshd_gssapi_authentication','no'),
+  $gssapi_cleanupcredentials = hiera('sshd_gssapi_cleanupcredentials','yes'),
+  $tcp_forwarding = hiera('sshd_tcp_forwarding','no'),
+  $x11_forwarding = hiera('sshd_x11_forwarding','no'),
+  $agent_forwarding = hiera('sshd_agent_forwarding','no'),
+  $challenge_response_authentication = hiera('sshd_challenge_response_authentication','no'),
+  $pubkey_authentication = hiera('sshd_pubkey_authentication','yes'),
+  $rsa_authentication = hiera('rsa_authentication','no'),
+  $strict_modes = hiera('sshd_strict_modes','yes'),
+  $ignore_rhosts = hiera('sshd_ignore_rhosts','yes'),
+  $rhosts_rsa_authentication = hiera('sshd_rhosts_rsa_authentication','no'),
+  $hostbased_authentication = hiera('sshd_hostbased_authentication','no'),
+  $permit_empty_passwords = hiera('sshd_permit_empty_passwords','no'),
+  $authorized_keys_file = hiera('sshd_authorized_keys_file','%h/.ssh/authorized_keys'),
+  $hardened_ssl = hiera('sshd_hardened_ssl','no'),
+  $sftp_subsystem = hiera('sshd_sftp_subsystem',''),
+  $head_additional_options = hiera('sshd_head_additional_options',''),
+  $tail_additional_options = hiera('sshd_tail_additional_options',''),
+  $print_motd = hiera('sshd_print_motd','yes')
+) {
+
+  class{'sshd::client':
+    shared_ip => $sshd::shared_ip,
+    ensure_version => $sshd::ensure_version
   }
 
-  include sshd::client
-
-  case $operatingsystem {
+  case $::operatingsystem {
     gentoo: { include sshd::gentoo }
     redhat,centos: { include sshd::redhat }
-    centos: { include sshd::centos }
     openbsd: { include sshd::openbsd }
     debian,ubuntu: { include sshd::debian }
     default: { include sshd::base }
   }
 
-  if $use_nagios {
-    case $nagios_check_ssh {
-      false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
-      default: {
-        sshd::nagios{$sshd_ports:
-          check_hostname => $nagios_check_ssh_hostname ? {
-            '' => 'absent',
-            undef => 'absent',
-            default => $nagios_check_ssh_hostname
-          }
-        }
-      }
+  if hiera('use_nagios',false) and $sshd::nagios_check_ssh {
+    sshd::nagios{$sshd::ports:
+      check_hostname => $sshd::nagios_check_ssh_hostname
     }
   }
 
-  if $use_shorewall{
+  if hiera('use_shorewall', false) {
     class{'shorewall::rules::ssh':
-      ports => $sshd_ports,
+      ports => $sshd::ports,
     }
   }
 }

manifests/libssh2.pp

@@ -1,7 +1,7 @@
 # manifests/libssh2.pp
 
 class sshd::libssh2 {
-    package{'libssh2':
-        ensure => present,
-    }
+  package{'libssh2':
+    ensure => present,
+  }
 }

manifests/libssh2/devel.pp

@@ -1,7 +1,7 @@
 # manifests/libssh2/devel.pp
 
 class sshd::libssh2::devel inherits sshd::libssh2 {
-    package{"libssh2-devel.${architecture}":
-        ensure => installed,
-    }
+  package{"libssh2-devel.${::architecture}":
+    ensure => installed,
+  }
 }

manifests/linux.pp

@@ -1,6 +1,6 @@
 class sshd::linux inherits sshd::base {
   package{openssh:
-    ensure => $sshd_ensure_version,
+    ensure => $sshd::ensure_version,
   }
   File[sshd_config]{
     require +> Package[openssh],

manifests/nagios.pp

@@ -11,7 +11,7 @@ define sshd::nagios(
     'absent': {
       nagios::service{"ssh_port_${name}":
         ensure => $ensure,
-        check_command => "check_ssh_port!$real_port"
+        check_command => "check_ssh_port!${real_port}"
       }
     }
     default: {

templates/sshd_config/CentOS.erb

@@ -10,22 +10,22 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # only protocol 2
 Protocol 2
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 
@@ -48,83 +48,39 @@ SyslogFacility AUTHPRIV
 # Authentication:
 
 #LoginGraceTime 2m
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login %>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
 #MaxAuthTries 6
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # Kerberos options
 #KerberosAuthentication no
@@ -145,33 +101,21 @@ ChallengeResponseAuthentication no
 # session checks to run without PAM authentication, then enable this but set 
 # ChallengeResponseAuthentication=no
 #UsePAM no
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
 
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 AcceptEnv LC_IDENTIFICATION LC_ALL
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
 
 #GatewayPorts no
 #X11Forwarding no
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
@@ -191,24 +135,20 @@ PrintMotd <%= sshd_print_motd %>
 #Banner /some/path
 
 # override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then -%>
-Subsystem	sftp	/usr/libexec/openssh/sftp-server
-<%- else -%>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> 
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users %>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then -%>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end -%>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
+<% end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/CentOS_Final.erb

@@ -1 +0,0 @@
-CentOS.erb

templates/sshd_config/CentOS_Final.erb

@@ -0,0 +1,154 @@
+#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# only protocol 2
+Protocol 2
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+#MaxAuthTries 6
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication mechanism. 
+# Depending on your PAM configuration, this may bypass the setting of 
+# PasswordAuthentication, PermitEmptyPasswords, and 
+# "PermitRootLogin without-password". If you just want the PAM account and 
+# session checks to run without PAM authentication, then enable this but set 
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> 
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Debian_etch.erb

@@ -1,21 +1,21 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -39,80 +39,36 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # To change Kerberos options
 #KerberosAuthentication no
@@ -123,11 +79,7 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 X11DisplayOffset 10
 KeepAlive yes
 #UseLogin no
@@ -136,11 +88,7 @@ KeepAlive yes
 #Banner /etc/issue.net
 #ReverseMappingCheck yes
 
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -151,32 +99,24 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-PrintMotd <%= sshd_print_motd %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
+<% end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Debian_lenny.erb

@@ -1,21 +1,21 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -39,80 +39,36 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # To change Kerberos options
 #KerberosAuthentication no
@@ -123,11 +79,7 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 X11DisplayOffset 10
 KeepAlive yes
 #UseLogin no
@@ -139,11 +91,7 @@ KeepAlive yes
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -154,38 +102,26 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
-
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-PrintMotd <%= sshd_print_motd %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
+<% end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Debian_sid.erb

@@ -3,21 +3,21 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -37,115 +37,47 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # Kerberos options
-<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
-KerberosAuthentication yes
-<%- else -%>
-KerberosAuthentication no
-<%- end -%>
-<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
-KerberosOrLocalPasswd yes
-<%- else -%>
-KerberosOrLocalPasswd no
-<%- end -%>
-<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
-KerberosTicketCleanup yes
-<%- else -%>
-KerberosTicketCleanup no
-<%- end -%>
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
 
 # GSSAPI options
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPIAuthentication yes
-<%- else -%>
-GSSAPIAuthentication no
-<%- end -%>
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPICleanupCredentials yes
-<%- else -%>
-GSSAPICleanupCredentials yes
-<%- end -%>
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
 
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 X11DisplayOffset 10
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 PrintLastLog yes
 TCPKeepAlive yes
 
@@ -157,11 +89,7 @@ TCPKeepAlive yes
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
@@ -172,36 +100,24 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
-
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
-
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
+<% end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Debian_squeeze.erb

@@ -3,21 +3,21 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -37,115 +37,47 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # Kerberos options
-<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
-KerberosAuthentication yes
-<%- else -%>
-KerberosAuthentication no
-<%- end -%>
-<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
-KerberosOrLocalPasswd yes
-<%- else -%>
-KerberosOrLocalPasswd no
-<%- end -%>
-<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
-KerberosTicketCleanup yes
-<%- else -%>
-KerberosTicketCleanup no
-<%- end -%>
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
 
 # GSSAPI options
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPIAuthentication yes
-<%- else -%>
-GSSAPIAuthentication no
-<%- end -%>
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPICleanupCredentials yes
-<%- else -%>
-GSSAPICleanupCredentials yes
-<%- end -%>
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
 
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 X11DisplayOffset 10
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 PrintLastLog yes
 TCPKeepAlive yes
 
@@ -157,11 +89,7 @@ TCPKeepAlive yes
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
@@ -172,36 +100,24 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
-
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
-
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
+<% end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Debian_wheezy.erb

@@ -1 +0,0 @@
-Debian_sid.erb

templates/sshd_config/Debian_wheezy.erb

@@ -0,0 +1,123 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# What ports, IPs and protocols we listen for
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# Kerberos options
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
+
+# GSSAPI options
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
+
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+X11DisplayOffset 10
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+PrintLastLog yes
+TCPKeepAlive yes
+
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/FreeBSD.erb

@@ -16,21 +16,21 @@
 
 #VersionAddendum FreeBSD-20100308
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 #AddressFamily any
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 
@@ -55,52 +55,24 @@ LogLevel INFO
 # Authentication:
 
 LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
 #MaxAuthTries 6
 #MaxSessions 10
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
@@ -109,53 +81,21 @@ HostbasedAuthentication no
 #IgnoreRhosts yes
 
 # Change to yes to enable built-in password authentication.
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable PAM authentication
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # Kerberos options
-<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
-KerberosAuthentication yes
-<%- else -%>
-KerberosAuthentication no
-<%- end -%>
-<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
-KerberosOrLocalPasswd yes
-<%- else -%>
-KerberosOrLocalPasswd no
-<%- end -%>
-<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
-KerberosTicketCleanup yes
-<%- else -%>
-KerberosTicketCleanup no
-<%- end -%>
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
 
 # GSSAPI options
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPIAuthentication yes
-<%- else -%>
-GSSAPIAuthentication no
-<%- end -%>
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPICleanupCredentials yes
-<%- else -%>
-GSSAPICleanupCredentials yes
-<%- end -%>
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
 
 # Set this to 'no' to disable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will 
@@ -166,30 +106,14 @@ GSSAPICleanupCredentials yes
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
 
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
 
 #GatewayPorts no
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 
 X11DisplayOffset 10
 #X11UseLocalhost yes
@@ -212,11 +136,7 @@ TCPKeepAlive yes
 #Banner none
 
 # override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/libexec/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -224,20 +144,18 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
-
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% end -%>
 
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Gentoo.erb

@@ -10,20 +10,20 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 #AddressFamily any
@@ -51,84 +51,39 @@ Protocol 2
 # Authentication:
 
 #LoginGraceTime 2m
-PermitRootLogin without-password
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then %>
-StrictModes yes
-<%- else %>
-StrictModes no
-<%- end %>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
-<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= sshd_permit_root_login %>
-<%- else %>
-PermitRootLogin without-password
-<%- end %>
 #MaxAuthTries 6
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then %>
-RSAAuthentication yes
-<%- else %>
-RSAAuthentication no
-<%- end %>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
-PubkeyAuthentication yes
-<%- else %>
-PubkeyAuthentication no
-<%- end %>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else %>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
-RhostsRSAAuthentication yes
-<%- else %>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
-HostbasedAuthentication yes
-<%- else %>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
-IgnoreRhosts yes
-<%- else %>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then %>
-PasswordAuthentication yes
-<%- else %>
-PasswordAuthentication no
-<%- end %>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
-ChallengeResponseAuthentication yes
-<%- else %>
-ChallengeResponseAuthentication no
-<%- end %>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # Kerberos options
 #KerberosAuthentication no
@@ -151,27 +106,15 @@ ChallengeResponseAuthentication no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then %>
-UsePAM yes
-<%- else %>
-UsePAM no
-<%- end %>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
-AllowTcpForwarding yes
-<%- else %>
-AllowTcpForwarding no
-<%- end %>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
 
 #GatewayPorts no
-<%- if sshd_x11_forwarding.to_s == 'yes' then %>
-X11Forwarding yes
-<%- else %>
-X11Forwarding no
-<%- end %>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
@@ -189,11 +132,7 @@ PrintMotd <%= sshd_print_motd %>
 #Banner /some/path
 
 # override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/lib/misc/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -201,18 +140,19 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
-<%- unless sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= sshd_allowed_users %>
-<%- end %>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+

templates/sshd_config/OpenBSD.erb

@@ -8,20 +8,20 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 #Protocol 2,1
@@ -45,83 +45,39 @@ ListenAddress <%= address %>
 # Authentication:
 
 #LoginGraceTime 2m
-<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= sshd_permit_root_login %>
-<%- else %>
-PermitRootLogin without-password
-<%- end %>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then %>
-StrictModes yes
-<%- else %>
-StrictModes no
-<%- end %>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
 #MaxAuthTries 6
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then %>
-RSAAuthentication yes
-<%- else %>
-RSAAuthentication no
-<%- end %>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
-PubkeyAuthentication yes
-<%- else %>
-PubkeyAuthentication no
-<%- end %>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else %>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
-RhostsRSAAuthentication yes
-<%- else %>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
-HostbasedAuthentication yes
-<%- else %>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
-IgnoreRhosts yes
-<%- else %>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then %>
-PasswordAuthentication yes
-<%- else %>
-PasswordAuthentication no
-<%- end %>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
-ChallengeResponseAuthentication yes
-<%- else %>
-ChallengeResponseAuthentication no
-<%- end %>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # Kerberos options
 #KerberosAuthentication no
@@ -133,18 +89,10 @@ ChallengeResponseAuthentication no
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
-AllowTcpForwarding yes
-<%- else %>
-AllowTcpForwarding no
-<%- end %>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
 
 #GatewayPorts no
-<%- if sshd_x11_forwarding.to_s == 'yes' then %>
-X11Forwarding yes
-<%- else %>
-X11Forwarding no
-<%- end %>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 PrintMotd <%= sshd_print_motd %>
@@ -165,18 +113,14 @@ PrintMotd <%= sshd_print_motd %>
 #Banner /some/path
 
 # override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/libexec/sftp-server
-<%- else %>
-Subsystem	sftp	<%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
 
-<%- unless sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= sshd_allowed_users %>
-<%- end %>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -184,11 +128,11 @@ AllowGroups <%= sshd_allowed_groups %>
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end -%>
+<% end -%>
 
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Ubuntu.erb

@@ -1 +0,0 @@
-Debian_squeeze.erb

templates/sshd_config/Ubuntu.erb

@@ -0,0 +1,123 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# What ports, IPs and protocols we listen for
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# Kerberos options
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
+
+# GSSAPI options
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
+
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+X11DisplayOffset 10
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+PrintLastLog yes
+TCPKeepAlive yes
+
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>

templates/sshd_config/Ubuntu_lucid.erb

@@ -1,21 +1,21 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
 
 # What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
 #Port -- disabled by puppet
 <% else -%>
 Port <%= port %>
 <% end -%>
-<%- end -%>
+<% end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -39,80 +39,36 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
 
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
 
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
 
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
 
 # similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
 
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
 # Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # To change Kerberos options
 #KerberosAuthentication no
@@ -123,11 +79,7 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 X11DisplayOffset 10
 KeepAlive yes
 #UseLogin no
@@ -136,11 +88,7 @@ KeepAlive yes
 #Banner /etc/issue.net
 #ReverseMappingCheck yes
 
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem      sftp    <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -151,42 +99,28 @@ Subsystem      sftp    <%= sshd_sftp_subsystem %>
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
 
 HostbasedUsesNameFromPacketOnly yes
 
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
 <%- end -%>
 
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 
-ChallengeResponseAuthentication no
-
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-PrintMotd <%= sshd_print_motd %>
-
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
-Ciphers aes128-ctr
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
 MACs hmac-sha1
-<%- end %>
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>