From 2204eb01f6cf10992ccdd7e092d1fc522e5ec3e1 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 5 Jun 2012 18:23:03 -0300 Subject: [PATCH] new style for 2.7 --- README | 7 +- manifests/base.pp | 22 +-- manifests/client.pp | 16 +-- manifests/client/base.pp | 5 +- manifests/client/linux.pp | 3 +- manifests/debian.pp | 2 +- manifests/init.pp | 167 ++++++---------------- manifests/libssh2.pp | 6 +- manifests/libssh2/devel.pp | 6 +- manifests/linux.pp | 2 +- manifests/nagios.pp | 2 +- templates/sshd_config/CentOS.erb | 128 +++++------------ templates/sshd_config/CentOS_Final.erb | 155 ++++++++++++++++++++- templates/sshd_config/Debian_etch.erb | 130 +++++------------- templates/sshd_config/Debian_lenny.erb | 138 +++++-------------- templates/sshd_config/Debian_sid.erb | 168 ++++++----------------- templates/sshd_config/Debian_squeeze.erb | 168 ++++++----------------- templates/sshd_config/Debian_wheezy.erb | 124 ++++++++++++++++- templates/sshd_config/FreeBSD.erb | 156 +++++---------------- templates/sshd_config/Gentoo.erb | 134 +++++------------- templates/sshd_config/OpenBSD.erb | 120 +++++----------- templates/sshd_config/Ubuntu.erb | 124 ++++++++++++++++- templates/sshd_config/Ubuntu_lucid.erb | 142 +++++-------------- 23 files changed, 814 insertions(+), 1111 deletions(-) mode change 120000 => 100644 templates/sshd_config/CentOS_Final.erb mode change 120000 => 100644 templates/sshd_config/Debian_wheezy.erb mode change 120000 => 100644 templates/sshd_config/Ubuntu.erb diff --git a/README b/README index 5d14392..417e289 100644 --- a/README +++ b/README @@ -24,11 +24,12 @@ Nagios ------ To have nagios checks setup automatically for sshd services, simply set -$use_nagios = true before the class is included. If you want to disable ssh +use_nagios to true in hiera. If you want to disable ssh nagios checking for a particular node (such as when ssh is firewalled), then you -can set $nagios_check_ssh to false and that node will not be monitored. +can set the class parameter nagios_check_ssh to false and that node will not bei +monitored. -Nagios will automatically check the ports defined in $sshd_ports, and the +Nagios will automatically check the ports defined in $sshd::ports, and the hostname specified by $nagios_check_ssh_hostname. NOTE: this requires that you are using the shared-nagios puppet module which diff --git a/manifests/base.pp b/manifests/base.pp index 848e547..4001985 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,31 +1,31 @@ -class sshd::base { +class sshd::base { file { 'sshd_config': path => '/etc/ssh/sshd_config', - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + content => $::lsbdistcodename ? { + '' => template("sshd/sshd_config/${::operatingsystem}.erb"), + default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"), }, notify => Service[sshd], owner => root, group => 0, mode => 600; } # Now add the key, if we've got one - case $sshrsakey { - '': { info("no sshrsakey on $fqdn") } + case $::sshrsakey { + '': { info("no sshrsakey on ${::fqdn}") } default: { - @@sshkey{"$fqdn": + @@sshkey{$::fqdn: tag => "fqdn", type => ssh-rsa, - key => $sshrsakey, + key => $::sshrsakey, ensure => present, } # In case the node has uses a shared network address, # we don't define a sshkey resource using an IP address - if $sshd_shared_ip == "no" { - @@sshkey{"$ipaddress": + if $sshd::shared_ip == "no" { + @@sshkey{$::ipaddress: tag => "ipaddress", type => ssh-rsa, - key => $sshrsakey, + key => $::sshrsakey, ensure => present, } } diff --git a/manifests/client.pp b/manifests/client.pp index 5eed5fc..c99cf27 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,23 +1,21 @@ # manifests/client.pp -class sshd::client { +class sshd::client( + $shared_ip = hiera('sshd_shared_ip','no'), + $ensure_version = hiera('sshd_ensure_version','installed') +) { - case $sshd_shared_ip { - '': { $sshd_shared_ip = "no" } - } - - case $operatingsystem { + case $::operatingsystem { debian,ubuntu: { include sshd::client::debian } default: { - case $kernel { + case $::kernel { linux: { include sshd::client::linux } default: { include sshd::client::base } } } } - if $use_shorewall{ + if hiera('use_shorewall',false) { include shorewall::rules::out::ssh } - } diff --git a/manifests/client/base.pp b/manifests/client/base.pp index 1fe2b14..c2580c1 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -1,10 +1,11 @@ class sshd::client::base { # this is needed because the gid might have changed - config_file { '/etc/ssh/ssh_known_hosts': + file { '/etc/ssh/ssh_known_hosts': + mode => 0644, owner => root, group => 0; } # Now collect all server keys - case $sshd_shared_ip { + case $sshd::client::shared_ip { no: { Sshkey <<||>> } yes: { Sshkey <<| tag == "fqdn" |>> } } diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp index 8c58ca8..0c420be 100644 --- a/manifests/client/linux.pp +++ b/manifests/client/linux.pp @@ -1,6 +1,5 @@ class sshd::client::linux inherits sshd::client::base { - if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' } package {'openssh-clients': - ensure => $ssh_ensure_version, + ensure => $sshd::client::ensure_version, } } diff --git a/manifests/debian.pp b/manifests/debian.pp index 43dc26c..45eb901 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -7,7 +7,7 @@ class sshd::debian inherits sshd::linux { name => 'openssh-server', } - $sshd_restartandstatus = $lsbdistcodename ? { + $sshd_restartandstatus = $::lsbdistcodename ? { etch => false, default => true } diff --git a/manifests/init.pp b/manifests/init.pp index 8b3361c..f183acd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,138 +1,61 @@ -class sshd { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_kerberos_authentication { - '': { $sshd_kerberos_authentication = 'no' } - } - case $sshd_kerberos_orlocalpasswd { - '': { $sshd_kerberos_orlocalpasswd = 'yes' } - } - case $sshd_kerberos_ticketcleanup { - '': { $sshd_kerberos_ticketcleanup = 'yes' } - } - case $sshd_gssapi_authentication { - '': { $sshd_gssapi_authentication = 'no' } - } - case $sshd_gssapi_cleanupcredentials { - '': { $sshd_gssapi_cleanupcredentials = 'yes' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { $sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - if ( $sshd_port != '' ) and ( $sshd_ports != []) { - err("Cannot use sshd_port and sshd_ports at the same time.") - } - if $sshd_port != '' { - $sshd_ports = [ $sshd_port ] - } elsif ! $sshd_ports { - $sshd_ports = [ 22 ] - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case $sshd_hardened_ssl { - '': { $sshd_hardened_ssl = 'no' } - } - case $sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = '' } - } - case $sshd_head_additional_options { - '': { $sshd_head_additional_options = '' } - } - case $sshd_tail_additional_options { - '': { $sshd_tail_additional_options = '' } - } - case $sshd_ensure_version { - '': { $sshd_ensure_version = "present" } - } - case $sshd_print_motd { - '': { - case $operatingsystem { - debian,ubuntu: { $sshd_print_motd = "no" } - default: { $sshd_print_motd = "yes" } - } - } - } - case $sshd_shared_ip { - '': { $sshd_shared_ip = "no" } +class sshd( + $nagios_check_ssh = hiera('nagios_check_ssh',true), + $nagios_check_ssh_hostname = hiera('nagios_check_ssh_hostname','absent'), + $ports = hiera('sshd_ports',[ 22 ]), + $shared_ip = hiera('sshd_shared_ip','no'), + $ensure_version = hiera('sshd_ensure_version','installed'), + $listen_address = hiera('sshd_listen_address',[ '0.0.0.0', '::' ]), + $allowed_users = hiera('sshd_allowed_users',''), + $allowed_groups = hiera('sshd_allowed_groups',''), + $use_pam = hiera('sshd_use_pam','no'), + $permit_root_login = hiera('sshd_permit_root_login','without-password'), + $password_authentication = hiera('sshd_password_authentication','no'), + $kerberos_authentication = hiera('sshd_kerberos_authentication','no'), + $kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'), + $kerberos_ticketcleanup = hiera('sshd_kerberos_ticketcleanup','yes'), + $gssapi_authentication = hiera('sshd_gssapi_authentication','no'), + $gssapi_cleanupcredentials = hiera('sshd_gssapi_cleanupcredentials','yes'), + $tcp_forwarding = hiera('sshd_tcp_forwarding','no'), + $x11_forwarding = hiera('sshd_x11_forwarding','no'), + $agent_forwarding = hiera('sshd_agent_forwarding','no'), + $challenge_response_authentication = hiera('sshd_challenge_response_authentication','no'), + $pubkey_authentication = hiera('sshd_pubkey_authentication','yes'), + $rsa_authentication = hiera('rsa_authentication','no'), + $strict_modes = hiera('sshd_strict_modes','yes'), + $ignore_rhosts = hiera('sshd_ignore_rhosts','yes'), + $rhosts_rsa_authentication = hiera('sshd_rhosts_rsa_authentication','no'), + $hostbased_authentication = hiera('sshd_hostbased_authentication','no'), + $permit_empty_passwords = hiera('sshd_permit_empty_passwords','no'), + $authorized_keys_file = hiera('sshd_authorized_keys_file','%h/.ssh/authorized_keys'), + $hardened_ssl = hiera('sshd_hardened_ssl','no'), + $sftp_subsystem = hiera('sshd_sftp_subsystem',''), + $head_additional_options = hiera('sshd_head_additional_options',''), + $tail_additional_options = hiera('sshd_tail_additional_options',''), + $print_motd = hiera('sshd_print_motd','yes') +) { + + class{'sshd::client': + shared_ip => $sshd::shared_ip, + ensure_version => $sshd::ensure_version } - include sshd::client - - case $operatingsystem { + case $::operatingsystem { gentoo: { include sshd::gentoo } redhat,centos: { include sshd::redhat } - centos: { include sshd::centos } openbsd: { include sshd::openbsd } debian,ubuntu: { include sshd::debian } default: { include sshd::base } } - if $use_nagios { - case $nagios_check_ssh { - false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { - sshd::nagios{$sshd_ports: - check_hostname => $nagios_check_ssh_hostname ? { - '' => 'absent', - undef => 'absent', - default => $nagios_check_ssh_hostname - } - } - } + if hiera('use_nagios',false) and $sshd::nagios_check_ssh { + sshd::nagios{$sshd::ports: + check_hostname => $sshd::nagios_check_ssh_hostname } } - if $use_shorewall{ + if hiera('use_shorewall', false) { class{'shorewall::rules::ssh': - ports => $sshd_ports, + ports => $sshd::ports, } } } diff --git a/manifests/libssh2.pp b/manifests/libssh2.pp index 5b4e363..403ac7b 100644 --- a/manifests/libssh2.pp +++ b/manifests/libssh2.pp @@ -1,7 +1,7 @@ # manifests/libssh2.pp class sshd::libssh2 { - package{'libssh2': - ensure => present, - } + package{'libssh2': + ensure => present, + } } diff --git a/manifests/libssh2/devel.pp b/manifests/libssh2/devel.pp index 87a8697..261e34c 100644 --- a/manifests/libssh2/devel.pp +++ b/manifests/libssh2/devel.pp @@ -1,7 +1,7 @@ # manifests/libssh2/devel.pp class sshd::libssh2::devel inherits sshd::libssh2 { - package{"libssh2-devel.${architecture}": - ensure => installed, - } + package{"libssh2-devel.${::architecture}": + ensure => installed, + } } diff --git a/manifests/linux.pp b/manifests/linux.pp index a1f4e2a..f071ada 100644 --- a/manifests/linux.pp +++ b/manifests/linux.pp @@ -1,6 +1,6 @@ class sshd::linux inherits sshd::base { package{openssh: - ensure => $sshd_ensure_version, + ensure => $sshd::ensure_version, } File[sshd_config]{ require +> Package[openssh], diff --git a/manifests/nagios.pp b/manifests/nagios.pp index 7742cdb..ef5fe10 100644 --- a/manifests/nagios.pp +++ b/manifests/nagios.pp @@ -11,7 +11,7 @@ define sshd::nagios( 'absent': { nagios::service{"ssh_port_${name}": ensure => $ensure, - check_command => "check_ssh_port!$real_port" + check_command => "check_ssh_port!${real_port}" } } default: { diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 3d5b5b0..0f4bb1f 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -10,22 +10,22 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # only protocol 2 Protocol 2 -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -48,83 +48,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login %> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -145,33 +101,21 @@ ChallengeResponseAuthentication no # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> +UsePAM <%= scope.lookupvar('sshd::use_pam') %> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= sshd_print_motd %> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -191,24 +135,20 @@ PrintMotd <%= sshd_print_motd %> #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then -%> -Subsystem sftp /usr/libexec/openssh/sftp-server -<%- else -%> -Subsystem sftp <%= sshd_sftp_subsystem %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users %> -<%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then -%> -AllowGroups <%= sshd_allowed_groups %> -<%- end -%> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb deleted file mode 120000 index 03246aa..0000000 --- a/templates/sshd_config/CentOS_Final.erb +++ /dev/null @@ -1 +0,0 @@ -CentOS.erb \ No newline at end of file diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb new file mode 100644 index 0000000..0f4bb1f --- /dev/null +++ b/templates/sshd_config/CentOS_Final.erb @@ -0,0 +1,154 @@ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> + +# only protocol 2 +Protocol 2 +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<% end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +ListenAddress <%= address %> +<% end -%> + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> + +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> + +#MaxAuthTries 6 + +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> + +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> + +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> + +# similar for protocol version 2 +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +#GatewayPorts no +#X11Forwarding no +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> + +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> + +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 1047222..ef4a5d1 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -1,21 +1,21 @@ # Package generated configuration file # See the sshd(8) manpage for details -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -39,80 +39,36 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To change Kerberos options #KerberosAuthentication no @@ -123,11 +79,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 KeepAlive yes #UseLogin no @@ -136,11 +88,7 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/lib/openssh/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -151,32 +99,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> -<%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -PrintMotd <%= sshd_print_motd %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 4ffb94c..8cbea30 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -1,21 +1,21 @@ # Package generated configuration file # See the sshd(8) manpage for details -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -39,80 +39,36 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To change Kerberos options #KerberosAuthentication no @@ -123,11 +79,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 KeepAlive yes #UseLogin no @@ -139,11 +91,7 @@ KeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/lib/openssh/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -154,38 +102,26 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -<%- if sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> - -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> -<%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -PrintMotd <%= sshd_print_motd %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index b211708..9fc34d4 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -3,21 +3,21 @@ # Package generated configuration file # See the sshd(8) manpage for details -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -37,115 +37,47 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos options -<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> -KerberosAuthentication yes -<%- else -%> -KerberosAuthentication no -<%- end -%> -<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> -KerberosOrLocalPasswd yes -<%- else -%> -KerberosOrLocalPasswd no -<%- end -%> -<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> -KerberosTicketCleanup yes -<%- else -%> -KerberosTicketCleanup no -<%- end -%> +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> # GSSAPI options -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPIAuthentication yes -<%- else -%> -GSSAPIAuthentication no -<%- end -%> -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPICleanupCredentials yes -<%- else -%> -GSSAPICleanupCredentials yes -<%- end -%> +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= sshd_print_motd %> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -157,11 +89,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/lib/openssh/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> - -<%- if sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> - -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> -<%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index fb58e72..b2eb801 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -3,21 +3,21 @@ # Package generated configuration file # See the sshd(8) manpage for details -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -37,115 +37,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos options -<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> -KerberosAuthentication yes -<%- else -%> -KerberosAuthentication no -<%- end -%> -<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> -KerberosOrLocalPasswd yes -<%- else -%> -KerberosOrLocalPasswd no -<%- end -%> -<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> -KerberosTicketCleanup yes -<%- else -%> -KerberosTicketCleanup no -<%- end -%> +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> # GSSAPI options -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPIAuthentication yes -<%- else -%> -GSSAPIAuthentication no -<%- end -%> -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPICleanupCredentials yes -<%- else -%> -GSSAPICleanupCredentials yes -<%- end -%> +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= sshd_print_motd %> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -157,11 +89,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/lib/openssh/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> - -<%- if sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> - -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> -<%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb deleted file mode 120000 index 3faae05..0000000 --- a/templates/sshd_config/Debian_wheezy.erb +++ /dev/null @@ -1 +0,0 @@ -Debian_sid.erb \ No newline at end of file diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb new file mode 100644 index 0000000..9fc34d4 --- /dev/null +++ b/templates/sshd_config/Debian_wheezy.erb @@ -0,0 +1,123 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# +# Package generated configuration file +# See the sshd(8) manpage for details + +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> + +# What ports, IPs and protocols we listen for +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<% end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> + +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> + +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> + +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> + +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +# similar for protocol version 2 +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> + +# Kerberos options +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> + +# GSSAPI options +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> + +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11DisplayOffset 10 +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintLastLog yes +TCPKeepAlive yes + +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> + +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> + +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 9853f5d..9b98aec 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -16,21 +16,21 @@ #VersionAddendum FreeBSD-20100308 -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> #AddressFamily any -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -55,52 +55,24 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication @@ -109,53 +81,21 @@ HostbasedAuthentication no #IgnoreRhosts yes # Change to yes to enable built-in password authentication. -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable PAM authentication -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # Kerberos options -<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> -KerberosAuthentication yes -<%- else -%> -KerberosAuthentication no -<%- end -%> -<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> -KerberosOrLocalPasswd yes -<%- else -%> -KerberosOrLocalPasswd no -<%- end -%> -<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> -KerberosTicketCleanup yes -<%- else -%> -KerberosTicketCleanup no -<%- end -%> +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> # GSSAPI options -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPIAuthentication yes -<%- else -%> -GSSAPIAuthentication no -<%- end -%> -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPICleanupCredentials yes -<%- else -%> -GSSAPICleanupCredentials yes -<%- end -%> +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -166,30 +106,14 @@ GSSAPICleanupCredentials yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> +UsePAM <%= scope.lookupvar('sshd::use_pam') %> -<%- if sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> #GatewayPorts no -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 #X11UseLocalhost yes @@ -212,11 +136,7 @@ TCPKeepAlive yes #Banner none # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/libexec/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -224,20 +144,18 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # AllowTcpForwarding no # ForceCommand cvs server -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> - -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 8581804..1cb4522 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,20 +10,20 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #AddressFamily any @@ -51,84 +51,39 @@ Protocol 2 # Authentication: #LoginGraceTime 2m -PermitRootLogin without-password +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then %> -StrictModes yes -<%- else %> -StrictModes no -<%- end %> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> -<%- unless sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then %> -RSAAuthentication yes -<%- else %> -RSAAuthentication no -<%- end %> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then %> -PubkeyAuthentication yes -<%- else %> -PubkeyAuthentication no -<%- end %> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else %> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> -RhostsRSAAuthentication yes -<%- else %> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then %> -HostbasedAuthentication yes -<%- else %> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then %> -IgnoreRhosts yes -<%- else %> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> -ChallengeResponseAuthentication yes -<%- else %> -ChallengeResponseAuthentication no -<%- end %> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -151,27 +106,15 @@ ChallengeResponseAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then %> -UsePAM yes -<%- else %> -UsePAM no -<%- end %> +UsePAM <%= scope.lookupvar('sshd::use_pam') %> -<%- if sshd_tcp_forwarding.to_s == 'yes' then %> -AllowTcpForwarding yes -<%- else %> -AllowTcpForwarding no -<%- end %> +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> #GatewayPorts no -<%- if sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= sshd_print_motd %> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -189,11 +132,7 @@ PrintMotd <%= sshd_print_motd %> #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/lib/misc/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -201,18 +140,19 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # AllowTcpForwarding no # ForceCommand cvs server -<%- unless sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> -Ciphers aes256-ctr -MACs hmac-sha1 +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> + +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> + diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index b6def87..6b474d7 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,20 +8,20 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -45,83 +45,39 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -<%- unless sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then %> -StrictModes yes -<%- else %> -StrictModes no -<%- end %> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then %> -RSAAuthentication yes -<%- else %> -RSAAuthentication no -<%- end %> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then %> -PubkeyAuthentication yes -<%- else %> -PubkeyAuthentication no -<%- end %> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else %> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> -RhostsRSAAuthentication yes -<%- else %> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then %> -HostbasedAuthentication yes -<%- else %> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then %> -IgnoreRhosts yes -<%- else %> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> -ChallengeResponseAuthentication yes -<%- else %> -ChallengeResponseAuthentication no -<%- end %> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -133,18 +89,10 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -<%- if sshd_tcp_forwarding.to_s == 'yes' then %> -AllowTcpForwarding yes -<%- else %> -AllowTcpForwarding no -<%- end %> +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> #GatewayPorts no -<%- if sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes PrintMotd <%= sshd_print_motd %> @@ -165,18 +113,14 @@ PrintMotd <%= sshd_print_motd %> #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/libexec/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> -<%- unless sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -184,11 +128,11 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb deleted file mode 120000 index 11b0acc..0000000 --- a/templates/sshd_config/Ubuntu.erb +++ /dev/null @@ -1 +0,0 @@ -Debian_squeeze.erb \ No newline at end of file diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb new file mode 100644 index 0000000..b2eb801 --- /dev/null +++ b/templates/sshd_config/Ubuntu.erb @@ -0,0 +1,123 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# +# Package generated configuration file +# See the sshd(8) manpage for details + +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> + +# What ports, IPs and protocols we listen for +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<% end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> + +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> + +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> + +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> + +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +# similar for protocol version 2 +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> + +# Kerberos options +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> + +# GSSAPI options +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> + +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11DisplayOffset 10 +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintLastLog yes +TCPKeepAlive yes + +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> + +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> + +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 304558b..cc6e921 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -1,21 +1,21 @@ # Package generated configuration file # See the sshd(8) manpage for details -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -39,80 +39,36 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To change Kerberos options #KerberosAuthentication no @@ -123,11 +79,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 KeepAlive yes #UseLogin no @@ -136,11 +88,7 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/lib/openssh/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -151,42 +99,28 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> +UsePAM <%= scope.lookupvar('sshd::use_pam') %> HostbasedUsesNameFromPacketOnly yes -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- if sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -ChallengeResponseAuthentication no - -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> -<%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -PrintMotd <%= sshd_print_motd %> - -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> -Ciphers aes128-ctr +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +Ciphers aes256-ctr MACs hmac-sha1 -<%- end %> +<% end -%> + +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%>