new style for 2.7

mh 2012-06-05 18:23:03 -03:00
parent d5404bbdba
commit 2204eb01f6
23 changed files with 814 additions and 1111 deletions

README

@ -24,11 +24,12 @@ Nagios
------
To have nagios checks setup automatically for sshd services, simply set
$use_nagios = true before the class is included. If you want to disable ssh
use_nagios to true in hiera. If you want to disable ssh
nagios checking for a particular node (such as when ssh is firewalled), then you
can set $nagios_check_ssh to false and that node will not be monitored.
can set the class parameter nagios_check_ssh to false and that node will not bei
monitored.
Nagios will automatically check the ports defined in $sshd_ports, and the
Nagios will automatically check the ports defined in $sshd::ports, and the
hostname specified by $nagios_check_ssh_hostname.
NOTE: this requires that you are using the shared-nagios puppet module which


@ -1,31 +1,31 @@
class sshd::base {
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
content => $lsbdistcodename ? {
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
content => $::lsbdistcodename ? {
'' => template("sshd/sshd_config/${::operatingsystem}.erb"),
default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
},
notify => Service[sshd],
owner => root, group => 0, mode => 600;
}
# Now add the key, if we've got one
case $sshrsakey {
'': { info("no sshrsakey on $fqdn") }
case $::sshrsakey {
'': { info("no sshrsakey on ${::fqdn}") }
default: {
@@sshkey{"$fqdn":
@@sshkey{$::fqdn:
tag => "fqdn",
type => ssh-rsa,
key => $sshrsakey,
key => $::sshrsakey,
ensure => present,
}
# In case the node has uses a shared network address,
# we don't define a sshkey resource using an IP address
if $sshd_shared_ip == "no" {
@@sshkey{"$ipaddress":
if $sshd::shared_ip == "no" {
@@sshkey{$::ipaddress:
tag => "ipaddress",
type => ssh-rsa,
key => $sshrsakey,
key => $::sshrsakey,
ensure => present,
}
}
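Review bot: `if $sshd::shared_ip == "no"` on the new side exports the IP-keyed sshkey only when the parameter is exactly the string "no", and the matching collector in sshd::client::base (`case $sshd::client::shared_ip { no: ... yes: ... }`) has no default branch, so a boolean or differently-cased value arriving from hiera silently collects no host keys at all and neither site reports it. Give the client case a failing default, `default: { fail("sshd shared_ip must be 'yes' or 'no', got '${sshd::client::shared_ip}'") }`, or validate the value once where the parameter is declared in class sshd so both sites can rely on it. Class sshd::base continues past the end of this hunk.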


@ -1,23 +1,21 @@
# manifests/client.pp
class sshd::client {
class sshd::client(
$shared_ip = hiera('sshd_shared_ip','no'),
$ensure_version = hiera('sshd_ensure_version','installed')
) {
case $sshd_shared_ip {
'': { $sshd_shared_ip = "no" }
}
case $operatingsystem {
case $::operatingsystem {
debian,ubuntu: { include sshd::client::debian }
default: {
case $kernel {
case $::kernel {
linux: { include sshd::client::linux }
default: { include sshd::client::base }
}
}
}
if $use_shorewall{
if hiera('use_shorewall',false) {
include shorewall::rules::out::ssh
}
}


@ -1,10 +1,11 @@
class sshd::client::base {
# this is needed because the gid might have changed
config_file { '/etc/ssh/ssh_known_hosts':
file { '/etc/ssh/ssh_known_hosts':
mode => 0644, owner => root, group => 0;
}
# Now collect all server keys
case $sshd_shared_ip {
case $sshd::client::shared_ip {
no: { Sshkey <<||>> }
yes: { Sshkey <<| tag == "fqdn" |>> }
}


@ -1,6 +1,5 @@
class sshd::client::linux inherits sshd::client::base {
if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
package {'openssh-clients':
ensure => $ssh_ensure_version,
ensure => $sshd::client::ensure_version,
}
}


@ -7,7 +7,7 @@ class sshd::debian inherits sshd::linux {
name => 'openssh-server',
}
$sshd_restartandstatus = $lsbdistcodename ? {
$sshd_restartandstatus = $::lsbdistcodename ? {
etch => false,
default => true
}


@ -1,138 +1,61 @@
class sshd {
# prepare variables to use in templates
case $sshd_listen_address {
'': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
}
case $sshd_allowed_users {
'': { $sshd_allowed_users = '' }
}
case $sshd_allowed_groups {
'': { $sshd_allowed_groups = '' }
}
case $sshd_use_pam {
'': { $sshd_use_pam = 'no' }
}
case $sshd_permit_root_login {
'': { $sshd_permit_root_login = 'without-password' }
}
case $sshd_password_authentication {
'': { $sshd_password_authentication = 'no' }
}
case $sshd_kerberos_authentication {
'': { $sshd_kerberos_authentication = 'no' }
}
case $sshd_kerberos_orlocalpasswd {
'': { $sshd_kerberos_orlocalpasswd = 'yes' }
}
case $sshd_kerberos_ticketcleanup {
'': { $sshd_kerberos_ticketcleanup = 'yes' }
}
case $sshd_gssapi_authentication {
'': { $sshd_gssapi_authentication = 'no' }
}
case $sshd_gssapi_cleanupcredentials {
'': { $sshd_gssapi_cleanupcredentials = 'yes' }
}
case $sshd_tcp_forwarding {
'': { $sshd_tcp_forwarding = 'no' }
}
case $sshd_x11_forwarding {
'': { $sshd_x11_forwarding = 'no' }
}
case $sshd_agent_forwarding {
'': { $sshd_agent_forwarding = 'no' }
}
case $sshd_challenge_response_authentication {
'': { $sshd_challenge_response_authentication = 'no' }
}
case $sshd_pubkey_authentication {
'': { $sshd_pubkey_authentication = 'yes' }
}
case $sshd_rsa_authentication {
'': { $sshd_rsa_authentication = 'no' }
}
case $sshd_strict_modes {
'': { $sshd_strict_modes = 'yes' }
}
case $sshd_ignore_rhosts {
'': { $sshd_ignore_rhosts = 'yes' }
}
case $sshd_rhosts_rsa_authentication {
'': { $sshd_rhosts_rsa_authentication = 'no' }
}
case $sshd_hostbased_authentication {
'': { $sshd_hostbased_authentication = 'no' }
}
case $sshd_permit_empty_passwords {
'': { $sshd_permit_empty_passwords = 'no' }
}
if ( $sshd_port != '' ) and ( $sshd_ports != []) {
err("Cannot use sshd_port and sshd_ports at the same time.")
}
if $sshd_port != '' {
$sshd_ports = [ $sshd_port ]
} elsif ! $sshd_ports {
$sshd_ports = [ 22 ]
}
case $sshd_authorized_keys_file {
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
}
case $sshd_hardened_ssl {
'': { $sshd_hardened_ssl = 'no' }
}
case $sshd_sftp_subsystem {
'': { $sshd_sftp_subsystem = '' }
}
case $sshd_head_additional_options {
'': { $sshd_head_additional_options = '' }
}
case $sshd_tail_additional_options {
'': { $sshd_tail_additional_options = '' }
}
case $sshd_ensure_version {
'': { $sshd_ensure_version = "present" }
}
case $sshd_print_motd {
'': {
case $operatingsystem {
debian,ubuntu: { $sshd_print_motd = "no" }
default: { $sshd_print_motd = "yes" }
}
}
}
case $sshd_shared_ip {
'': { $sshd_shared_ip = "no" }
class sshd(
$nagios_check_ssh = hiera('nagios_check_ssh',true),
$nagios_check_ssh_hostname = hiera('nagios_check_ssh_hostname','absent'),
$ports = hiera('sshd_ports',[ 22 ]),
$shared_ip = hiera('sshd_shared_ip','no'),
$ensure_version = hiera('sshd_ensure_version','installed'),
$listen_address = hiera('sshd_listen_address',[ '0.0.0.0', '::' ]),
$allowed_users = hiera('sshd_allowed_users',''),
$allowed_groups = hiera('sshd_allowed_groups',''),
$use_pam = hiera('sshd_use_pam','no'),
$permit_root_login = hiera('sshd_permit_root_login','without-password'),
$password_authentication = hiera('sshd_password_authentication','no'),
$kerberos_authentication = hiera('sshd_kerberos_authentication','no'),
$kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'),
$kerberos_ticketcleanup = hiera('sshd_kerberos_ticketcleanup','yes'),
$gssapi_authentication = hiera('sshd_gssapi_authentication','no'),
$gssapi_cleanupcredentials = hiera('sshd_gssapi_cleanupcredentials','yes'),
$tcp_forwarding = hiera('sshd_tcp_forwarding','no'),
$x11_forwarding = hiera('sshd_x11_forwarding','no'),
$agent_forwarding = hiera('sshd_agent_forwarding','no'),
$challenge_response_authentication = hiera('sshd_challenge_response_authentication','no'),
$pubkey_authentication = hiera('sshd_pubkey_authentication','yes'),
$rsa_authentication = hiera('rsa_authentication','no'),
$strict_modes = hiera('sshd_strict_modes','yes'),
$ignore_rhosts = hiera('sshd_ignore_rhosts','yes'),
$rhosts_rsa_authentication = hiera('sshd_rhosts_rsa_authentication','no'),
$hostbased_authentication = hiera('sshd_hostbased_authentication','no'),
$permit_empty_passwords = hiera('sshd_permit_empty_passwords','no'),
$authorized_keys_file = hiera('sshd_authorized_keys_file','%h/.ssh/authorized_keys'),
$hardened_ssl = hiera('sshd_hardened_ssl','no'),
$sftp_subsystem = hiera('sshd_sftp_subsystem',''),
$head_additional_options = hiera('sshd_head_additional_options',''),
$tail_additional_options = hiera('sshd_tail_additional_options',''),
$print_motd = hiera('sshd_print_motd','yes')
) {
class{'sshd::client':
shared_ip => $sshd::shared_ip,
ensure_version => $sshd::ensure_version
}
include sshd::client
case $operatingsystem {
case $::operatingsystem {
gentoo: { include sshd::gentoo }
redhat,centos: { include sshd::redhat }
centos: { include sshd::centos }
openbsd: { include sshd::openbsd }
debian,ubuntu: { include sshd::debian }
default: { include sshd::base }
}
if $use_nagios {
case $nagios_check_ssh {
false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
default: {
sshd::nagios{$sshd_ports:
check_hostname => $nagios_check_ssh_hostname ? {
'' => 'absent',
undef => 'absent',
default => $nagios_check_ssh_hostname
}
}
}
if hiera('use_nagios',false) and $sshd::nagios_check_ssh {
sshd::nagios{$sshd::ports:
check_hostname => $sshd::nagios_check_ssh_hostname
}
}
if $use_shorewall{
if hiera('use_shorewall', false) {
class{'shorewall::rules::ssh':
ports => $sshd_ports,
ports => $sshd::ports,
}
}
}
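Review bot: Two of the new hiera defaults look up misspelled keys: `$kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes')` doubles the prefix and `$rsa_authentication = hiera('rsa_authentication','no')` drops it, so a value set in hiera under the `sshd_`-prefixed name every other parameter uses is ignored without any warning; they should read `hiera('sshd_kerberos_orlocalpasswd','yes')` and `hiera('sshd_rsa_authentication','no')`. The yes/no parameters (`use_pam`, `password_authentication`, `permit_empty_passwords`, `strict_modes` and the rest, plus `permit_root_login` with its `without-password` form) are now handed straight to the templates, which no longer normalise them the way the old `== 'yes'` checks did, so a stray value such as a YAML boolean lands verbatim in sshd_config and sshd rejects the file at the next restart; one check per parameter at the top of the class, e.g. `if $password_authentication !~ /^(yes|no)$/ { fail("sshd::password_authentication must be 'yes' or 'no'") }`, would surface that at catalog time instead. If `class{'sshd::client': ...}` is the new declaration replacing `include sshd::client`, a node that evaluates `include sshd::client` before this class will hit a duplicate-declaration error; the rendering does not show which line is which, so worth confirming.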


@ -1,7 +1,7 @@
# manifests/libssh2/devel.pp
class sshd::libssh2::devel inherits sshd::libssh2 {
package{"libssh2-devel.${architecture}":
package{"libssh2-devel.${::architecture}":
ensure => installed,
}
}


@ -1,6 +1,6 @@
class sshd::linux inherits sshd::base {
package{openssh:
ensure => $sshd_ensure_version,
ensure => $sshd::ensure_version,
}
File[sshd_config]{
require +> Package[openssh],


@ -11,7 +11,7 @@ define sshd::nagios(
'absent': {
nagios::service{"ssh_port_${name}":
ensure => $ensure,
check_command => "check_ssh_port!$real_port"
check_command => "check_ssh_port!${real_port}"
}
}
default: {


@ -10,22 +10,22 @@
# possible, but leave them commented. Uncommented options change a
# default value.
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# only protocol 2
Protocol 2
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
@ -48,83 +48,39 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login %>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
@ -145,33 +101,21 @@ ChallengeResponseAuthentication no
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
#X11Forwarding no
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd <%= sshd_print_motd %>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
@ -191,24 +135,20 @@ PrintMotd <%= sshd_print_motd %>
#Banner /some/path
# override default of no subsystems
<%- if sshd_sftp_subsystem.to_s.empty? then -%>
Subsystem sftp /usr/libexec/openssh/sftp-server
<%- else -%>
Subsystem sftp <%= sshd_sftp_subsystem %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users %>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then -%>
AllowGroups <%= sshd_allowed_groups %>
<%- end -%>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<% end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
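Review bot: The new `<%= scope.lookupvar('sshd::...') %>` lines render each class parameter verbatim where the old template reduced it to a literal `yes`/`no` (`PermitRootLogin`, `StrictModes`, `PasswordAuthentication`, `PermitEmptyPasswords`, `UsePAM`, `AllowTcpForwarding`, `X11Forwarding`), so the template now depends on the parameter already being a valid sshd_config token; unless class sshd validates them, a wrong value produces a file sshd refuses to load, discovered only when the service is restarted. `AllowUsers <%= s %>` and `AllowGroups <%= s %>` have the same exposure for a list: hiera data for those keys is naturally an array, `.empty?` accepts one, and the interpolation then prints the array's `to_s` rather than a space-separated list — `AllowUsers <%= [s].flatten.join(' ') %>` handles both forms. The `<%- end -%>` after AllowGroups appears to be the one `<%-` tag left on the new side; `<% end -%>` matches the surrounding lines. The same three points apply to the new CentOS template and to both Debian templates further down.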


@ -1 +0,0 @@
CentOS.erb


@ -0,0 +1,154 @@
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# only protocol 2
Protocol 2
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
#X11Forwarding no
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
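Review bot: This new template appears line-for-line identical to the new side of the preceding sshd_config template, down to the `/usr/libexec/openssh/sftp-server` path and the `<%- end -%>` after AllowGroups; if that reading is right, the two copies will drift the first time one platform gets a fix. Keeping a single shared template and selecting it from the manifest — `$::operatingsystem` already drives the template name in sshd::base — would avoid that, and the one-line file removed just above (content `CentOS.erb`) suggests such sharing existed before. The rendering does not show file names, so which file each section belongs to should be confirmed before acting on this.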


@ -1,21 +1,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@ -39,80 +39,36 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To change Kerberos options
#KerberosAuthentication no
@ -123,11 +79,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
@ -136,11 +88,7 @@ KeepAlive yes
#Banner /etc/issue.net
#ReverseMappingCheck yes
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -151,32 +99,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
PrintMotd <%= sshd_print_motd %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<% end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
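Review bot: The new side of this template renders `AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>` but no `AllowAgentForwarding` line, while the sibling Debian template in the next section adds `AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>`; unless it appears in a part of this file outside the hunks, `sshd::agent_forwarding` (default `no` in class sshd) is ignored here and OpenSSH's own default of `yes` applies. Adding the same line directly after `AllowTcpForwarding` keeps the parameter meaningful on every platform that has a template.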


@ -1,21 +1,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@ -39,80 +39,36 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To change Kerberos options
#KerberosAuthentication no
@ -123,11 +79,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
@ -139,11 +91,7 @@ KeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -154,38 +102,26 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
PrintMotd <%= sshd_print_motd %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<% end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>


@ -3,21 +3,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@ -37,115 +37,47 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# Kerberos options
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
KerberosAuthentication yes
<%- else -%>
KerberosAuthentication no
<%- end -%>
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
KerberosOrLocalPasswd yes
<%- else -%>
KerberosOrLocalPasswd no
<%- end -%>
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
KerberosTicketCleanup yes
<%- else -%>
KerberosTicketCleanup no
<%- end -%>
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPIAuthentication yes
<%- else -%>
GSSAPIAuthentication no
<%- end -%>
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPICleanupCredentials yes
<%- else -%>
GSSAPICleanupCredentials yes
<%- end -%>
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
PrintMotd <%= sshd_print_motd %>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
PrintLastLog yes
TCPKeepAlive yes
@ -157,11 +89,7 @@ TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<% end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
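Review bot: `KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>` on L1133 reads a parameter spelled `kerberos_aorlocalpasswd`, while the line it replaces read `sshd_kerberos_orlocalpasswd`; this looks like a typo, though the class parameter list is not in this chunk, so it needs checking against the manifest. If the name does not match a declared parameter, `scope.lookupvar` on Puppet 2.7 returns the symbol `:undefined` instead of raising, so the file is rendered as `KerberosOrLocalPasswd undefined`, which sshd rejects as a bad yes/no argument, and the daemon then fails to come back on the next restart. The same lookup is repeated at L1339, L1485 and L1643. Suggested line: `KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %>`.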


@ -3,21 +3,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@ -37,115 +37,47 @@ LogLevel INFO
# Authentication:
LoginGraceTime 120
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# Kerberos options
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
KerberosAuthentication yes
<%- else -%>
KerberosAuthentication no
<%- end -%>
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
KerberosOrLocalPasswd yes
<%- else -%>
KerberosOrLocalPasswd no
<%- end -%>
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
KerberosTicketCleanup yes
<%- else -%>
KerberosTicketCleanup no
<%- end -%>
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPIAuthentication yes
<%- else -%>
GSSAPIAuthentication no
<%- end -%>
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPICleanupCredentials yes
<%- else -%>
GSSAPICleanupCredentials yes
<%- end -%>
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
PrintMotd <%= sshd_print_motd %>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
PrintLastLog yes
TCPKeepAlive yes
@ -157,11 +89,7 @@ TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<% end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
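Review bot: `PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>` on L1252 and `AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>` on L1276 drop the in-template fallbacks (`without-password` and `%h/.ssh/authorized_keys`) that the removed lines supplied when the value was empty, so the rendered config now depends entirely on class defaults that are not visible in this chunk. An empty value leaves a bare `PermitRootLogin` directive and an unset one renders as `undefined`; sshd refuses the whole file in either case rather than applying its own default, so a mistyped hiera key stops the daemon on its next restart instead of degrading to the previous safe setting. If the class does not guarantee non-empty values, keep the fallback in the template the way the sftp line on L1373 does, e.g. `PermitRootLogin <%= (s=scope.lookupvar('sshd::permit_root_login')).to_s.empty? ? 'without-password' : s %>`. The same lines appear at L1046/L1070, L1463/L1467, L1561/L1587 and L1760/L1790.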


@ -1 +0,0 @@
Debian_sid.erb

View file

@ -0,0 +1,123 @@
# This file is managed by Puppet, all local modifications will be overwritten
#
# Package generated configuration file
# See the sshd(8) manpage for details
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# Kerberos options
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
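Review bot: The guards on L1434, L1513, L1516 and L1523 and the sftp ternary on L1500 call `.empty?` directly on the return value of `scope.lookupvar`, whereas the templates replaced elsewhere in this commit used `.to_s.empty?`. That only differs when the parameter is not a String, but then it matters: a nil value now raises NoMethodError while the catalog is compiled instead of being treated as unset, and a non-empty value of another type is interpolated verbatim, so the template tolerates less than before without the class defaults being visible here to show that a String is guaranteed. Restoring `.to_s` keeps the one-line form and the old tolerance: `<% unless (s=scope.lookupvar('sshd::head_additional_options').to_s).empty? -%>`. The same pattern is used in the other templates, e.g. L1018, L1224, L1534 and L1737.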


@ -16,21 +16,21 @@
#VersionAddendum FreeBSD-20100308
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
#AddressFamily any
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
@ -55,52 +55,24 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
#MaxSessions 10
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
@ -109,53 +81,21 @@ HostbasedAuthentication no
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable PAM authentication
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
KerberosAuthentication yes
<%- else -%>
KerberosAuthentication no
<%- end -%>
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
KerberosOrLocalPasswd yes
<%- else -%>
KerberosOrLocalPasswd no
<%- end -%>
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
KerberosTicketCleanup yes
<%- else -%>
KerberosTicketCleanup no
<%- end -%>
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPIAuthentication yes
<%- else -%>
GSSAPIAuthentication no
<%- end -%>
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPICleanupCredentials yes
<%- else -%>
GSSAPICleanupCredentials yes
<%- end -%>
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -166,30 +106,14 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
#X11UseLocalhost yes
@ -212,11 +136,7 @@ TCPKeepAlive yes
#Banner none
# override default of no subsystems
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/libexec/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@ -224,20 +144,18 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# AllowTcpForwarding no
# ForceCommand cvs server
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
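Review bot: `<%- end -%>` on L1712 closes the AllowGroups guard with a leading-trim tag while every other tag in the rewritten templates uses the `<% ... -%>` form; it is harmless here because the tag starts at column 0, but it reads as a leftover from the old style, and the sibling AllowUsers guard three lines above already uses `<% end -%>`. Suggested line: `<% end -%>`. The same leftover appears at L978, L1186, L1392, L1518 and L1896.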


@ -10,20 +10,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
#AddressFamily any
@ -51,84 +51,39 @@ Protocol 2
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
<%- end %>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
<%- unless sshd_permit_root_login.to_s.empty? then %>
PermitRootLogin <%= sshd_permit_root_login %>
<%- else %>
PermitRootLogin without-password
<%- end %>
#MaxAuthTries 6
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
RSAAuthentication yes
<%- else %>
RSAAuthentication no
<%- end %>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then %>
PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
<%- end %>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
@ -151,27 +106,15 @@ ChallengeResponseAuthentication no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then %>
UsePAM yes
<%- else %>
UsePAM no
<%- end %>
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
<%- else %>
X11Forwarding no
<%- end %>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd <%= sshd_print_motd %>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
@ -189,11 +132,7 @@ PrintMotd <%= sshd_print_motd %>
#Banner /some/path
# override default of no subsystems
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/misc/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@ -201,18 +140,19 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# AllowTcpForwarding no
# ForceCommand cvs server
<%- unless sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= sshd_allowed_users %>
<%- end %>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>


@ -8,20 +8,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
#Protocol 2,1
@ -45,83 +45,39 @@ ListenAddress <%= address %>
# Authentication:
#LoginGraceTime 2m
<%- unless sshd_permit_root_login.to_s.empty? then %>
PermitRootLogin <%= sshd_permit_root_login %>
<%- else %>
PermitRootLogin without-password
<%- end %>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
<%- end %>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
RSAAuthentication yes
<%- else %>
RSAAuthentication no
<%- end %>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then %>
PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
<%- end %>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
@ -133,18 +89,10 @@ ChallengeResponseAuthentication no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
<%- else %>
X11Forwarding no
<%- end %>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd <%= sshd_print_motd %>
@ -165,18 +113,14 @@ PrintMotd <%= sshd_print_motd %>
#Banner /some/path
# override default of no subsystems
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/libexec/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
<%- unless sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= sshd_allowed_users %>
<%- end %>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@ -184,11 +128,11 @@ AllowGroups <%= sshd_allowed_groups %>
# AllowTcpForwarding no
# ForceCommand cvs server
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<% end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
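Review bot: `<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>` in the last hunk fails open when the parameter is not the exact string 'yes': if the value is bound to a YAML/hiera boolean `true`, the comparison is false and the Ciphers/MACs restriction is silently dropped, whereas the old `sshd_hardened_ssl.to_s == 'yes'` at least tolerated non-string values. The yes/no directives (`StrictModes`, `PasswordAuthentication`, `X11Forwarding`, …) have the mirror-image exposure: a boolean lands in sshd_config as `true`/`false`, which sshd rejects as a bad yes/no argument so the daemon fails to (re)start. Either validate every parameter to the literal strings in the sshd class (not visible here) or keep the coercion in the template, e.g. `<% if scope.lookupvar('sshd::hardened_ssl').to_s == 'yes' -%>`. The `.empty?` tests on `allowed_users`, `allowed_groups`, `sftp_subsystem`, `head_additional_options` and `tail_additional_options` likewise lost the `.to_s` guard, so a non-string (e.g. undef) value would raise inside the template instead of being treated as unset; the same constructs appear in the other template sections of this commit.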


@ -1 +0,0 @@
Debian_squeeze.erb


@ -0,0 +1,123 @@
# This file is managed by Puppet, all local modifications will be overwritten
#
# Package generated configuration file
# See the sshd(8) manpage for details
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# Kerberos options
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
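Review bot: The five Kerberos/GSSAPI lines (`KerberosAuthentication` through `GSSAPICleanupCredentials`) read parameters that no other template in this commit references, and the sshd class is not visible here; if any of them is not declared with a yes/no default, the directive is rendered with an empty or `undefined` argument and sshd refuses to start. Please confirm the class declares all five, in particular `sshd::kerberos_aorlocalpasswd`, whose spelling does not follow the `KerberosOrLocalPasswd` directive the way `kerberos_ticketcleanup` and `gssapi_cleanupcredentials` follow theirs. `PermitRootLogin` and `AuthorizedKeysFile` are also emitted unconditionally, so the safe fallbacks the older templates carried (`without-password`, `%h/.ssh/authorized_keys`) now have to live in the class; a header comment would help the next maintainer, e.g. `# every sshd::* parameter below must be set; there is no in-template fallback`. Minor: `<%- end -%>` after AllowGroups should be `<% end -%>` like its neighbours.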


@ -1,21 +1,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@ -39,80 +39,36 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To change Kerberos options
#KerberosAuthentication no
@ -123,11 +79,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
@ -136,11 +88,7 @@ KeepAlive yes
#Banner /etc/issue.net
#ReverseMappingCheck yes
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -151,42 +99,28 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
HostbasedUsesNameFromPacketOnly yes
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
ChallengeResponseAuthentication no
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
PrintMotd <%= sshd_print_motd %>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes128-ctr
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
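Review bot: The context line `ChallengeResponseAuthentication no` after `PrintMotd` duplicates the parameterised `ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>` emitted earlier in this file; sshd uses the first value it reads for a keyword, so the hard-coded `no` is dead, yet a reader of the template may believe challenge-response is forced off. It predates this commit, but since the block is being rewritten anyway, drop that line rather than carry it forward. `Ciphers aes128-ctr` becoming `aes256-ctr` brings this template in line with the others, but it is a silent change in the effective cipher for hosts on this template and is worth a sentence in the commit description. The `== 'yes'` comparison on `sshd::hardened_ssl` has the same non-string exposure as in the other templates.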