new style for 2.7
parent
d5404bbdba
commit
2204eb01f6
23 changed files with 814 additions and 1111 deletions
7
README
7
README
|
@ -24,11 +24,12 @@ Nagios
|
|||
------
|
||||
|
||||
To have nagios checks setup automatically for sshd services, simply set
|
||||
$use_nagios = true before the class is included. If you want to disable ssh
|
||||
use_nagios to true in hiera. If you want to disable ssh
|
||||
nagios checking for a particular node (such as when ssh is firewalled), then you
|
||||
can set $nagios_check_ssh to false and that node will not be monitored.
|
||||
can set the class parameter nagios_check_ssh to false and that node will not bei
|
||||
monitored.
|
||||
|
||||
Nagios will automatically check the ports defined in $sshd_ports, and the
|
||||
Nagios will automatically check the ports defined in $sshd::ports, and the
|
||||
hostname specified by $nagios_check_ssh_hostname.
|
||||
|
||||
NOTE: this requires that you are using the shared-nagios puppet module which
|
||||
|
|
|
@ -1,31 +1,31 @@
|
|||
class sshd::base {
|
||||
file { 'sshd_config':
|
||||
path => '/etc/ssh/sshd_config',
|
||||
content => $lsbdistcodename ? {
|
||||
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
|
||||
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
|
||||
content => $::lsbdistcodename ? {
|
||||
'' => template("sshd/sshd_config/${::operatingsystem}.erb"),
|
||||
default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
|
||||
},
|
||||
notify => Service[sshd],
|
||||
owner => root, group => 0, mode => 600;
|
||||
}
|
||||
|
||||
# Now add the key, if we've got one
|
||||
case $sshrsakey {
|
||||
'': { info("no sshrsakey on $fqdn") }
|
||||
case $::sshrsakey {
|
||||
'': { info("no sshrsakey on ${::fqdn}") }
|
||||
default: {
|
||||
@@sshkey{"$fqdn":
|
||||
@@sshkey{$::fqdn:
|
||||
tag => "fqdn",
|
||||
type => ssh-rsa,
|
||||
key => $sshrsakey,
|
||||
key => $::sshrsakey,
|
||||
ensure => present,
|
||||
}
|
||||
# In case the node has uses a shared network address,
|
||||
# we don't define a sshkey resource using an IP address
|
||||
if $sshd_shared_ip == "no" {
|
||||
@@sshkey{"$ipaddress":
|
||||
if $sshd::shared_ip == "no" {
|
||||
@@sshkey{$::ipaddress:
|
||||
tag => "ipaddress",
|
||||
type => ssh-rsa,
|
||||
key => $sshrsakey,
|
||||
key => $::sshrsakey,
|
||||
ensure => present,
|
||||
}
|
||||
}
|
||||
|
|
|
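Review bot: `if $sshd::shared_ip == "no"` only matches that literal string, so a hiera value that arrives as boolean `false`, `"No"` or with stray whitespace silently skips the IP-keyed `@@sshkey` export, and `case $sshd::client::shared_ip { no: ... yes: ... }` in the sshd::client::base hunk has the same weakness with no `default:` arm, so an unexpected value collects no host keys at all without any message. Adding `default: { fail("sshd::client::shared_ip must be 'yes' or 'no', got '${sshd::client::shared_ip}'") }` to that case turns the silent misconfiguration into a catalog error; sshd::base could do the same in an `else` branch of its `if`. The body of class sshd::base continues past the end of this hunk.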
@ -1,23 +1,21 @@
|
|||
# manifests/client.pp
|
||||
|
||||
class sshd::client {
|
||||
class sshd::client(
|
||||
$shared_ip = hiera('sshd_shared_ip','no'),
|
||||
$ensure_version = hiera('sshd_ensure_version','installed')
|
||||
) {
|
||||
|
||||
case $sshd_shared_ip {
|
||||
'': { $sshd_shared_ip = "no" }
|
||||
}
|
||||
|
||||
case $operatingsystem {
|
||||
case $::operatingsystem {
|
||||
debian,ubuntu: { include sshd::client::debian }
|
||||
default: {
|
||||
case $kernel {
|
||||
case $::kernel {
|
||||
linux: { include sshd::client::linux }
|
||||
default: { include sshd::client::base }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if $use_shorewall{
|
||||
if hiera('use_shorewall',false) {
|
||||
include shorewall::rules::out::ssh
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
class sshd::client::base {
|
||||
# this is needed because the gid might have changed
|
||||
config_file { '/etc/ssh/ssh_known_hosts':
|
||||
file { '/etc/ssh/ssh_known_hosts':
|
||||
mode => 0644, owner => root, group => 0;
|
||||
}
|
||||
|
||||
# Now collect all server keys
|
||||
case $sshd_shared_ip {
|
||||
case $sshd::client::shared_ip {
|
||||
no: { Sshkey <<||>> }
|
||||
yes: { Sshkey <<| tag == "fqdn" |>> }
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
class sshd::client::linux inherits sshd::client::base {
|
||||
if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
|
||||
package {'openssh-clients':
|
||||
ensure => $ssh_ensure_version,
|
||||
ensure => $sshd::client::ensure_version,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -7,7 +7,7 @@ class sshd::debian inherits sshd::linux {
|
|||
name => 'openssh-server',
|
||||
}
|
||||
|
||||
$sshd_restartandstatus = $lsbdistcodename ? {
|
||||
$sshd_restartandstatus = $::lsbdistcodename ? {
|
||||
etch => false,
|
||||
default => true
|
||||
}
|
||||
|
|
|
@ -1,138 +1,61 @@
|
|||
class sshd {
|
||||
# prepare variables to use in templates
|
||||
case $sshd_listen_address {
|
||||
'': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
|
||||
}
|
||||
case $sshd_allowed_users {
|
||||
'': { $sshd_allowed_users = '' }
|
||||
}
|
||||
case $sshd_allowed_groups {
|
||||
'': { $sshd_allowed_groups = '' }
|
||||
}
|
||||
case $sshd_use_pam {
|
||||
'': { $sshd_use_pam = 'no' }
|
||||
}
|
||||
case $sshd_permit_root_login {
|
||||
'': { $sshd_permit_root_login = 'without-password' }
|
||||
}
|
||||
case $sshd_password_authentication {
|
||||
'': { $sshd_password_authentication = 'no' }
|
||||
}
|
||||
case $sshd_kerberos_authentication {
|
||||
'': { $sshd_kerberos_authentication = 'no' }
|
||||
}
|
||||
case $sshd_kerberos_orlocalpasswd {
|
||||
'': { $sshd_kerberos_orlocalpasswd = 'yes' }
|
||||
}
|
||||
case $sshd_kerberos_ticketcleanup {
|
||||
'': { $sshd_kerberos_ticketcleanup = 'yes' }
|
||||
}
|
||||
case $sshd_gssapi_authentication {
|
||||
'': { $sshd_gssapi_authentication = 'no' }
|
||||
}
|
||||
case $sshd_gssapi_cleanupcredentials {
|
||||
'': { $sshd_gssapi_cleanupcredentials = 'yes' }
|
||||
}
|
||||
case $sshd_tcp_forwarding {
|
||||
'': { $sshd_tcp_forwarding = 'no' }
|
||||
}
|
||||
case $sshd_x11_forwarding {
|
||||
'': { $sshd_x11_forwarding = 'no' }
|
||||
}
|
||||
case $sshd_agent_forwarding {
|
||||
'': { $sshd_agent_forwarding = 'no' }
|
||||
}
|
||||
case $sshd_challenge_response_authentication {
|
||||
'': { $sshd_challenge_response_authentication = 'no' }
|
||||
}
|
||||
case $sshd_pubkey_authentication {
|
||||
'': { $sshd_pubkey_authentication = 'yes' }
|
||||
}
|
||||
case $sshd_rsa_authentication {
|
||||
'': { $sshd_rsa_authentication = 'no' }
|
||||
}
|
||||
case $sshd_strict_modes {
|
||||
'': { $sshd_strict_modes = 'yes' }
|
||||
}
|
||||
case $sshd_ignore_rhosts {
|
||||
'': { $sshd_ignore_rhosts = 'yes' }
|
||||
}
|
||||
case $sshd_rhosts_rsa_authentication {
|
||||
'': { $sshd_rhosts_rsa_authentication = 'no' }
|
||||
}
|
||||
case $sshd_hostbased_authentication {
|
||||
'': { $sshd_hostbased_authentication = 'no' }
|
||||
}
|
||||
case $sshd_permit_empty_passwords {
|
||||
'': { $sshd_permit_empty_passwords = 'no' }
|
||||
}
|
||||
if ( $sshd_port != '' ) and ( $sshd_ports != []) {
|
||||
err("Cannot use sshd_port and sshd_ports at the same time.")
|
||||
}
|
||||
if $sshd_port != '' {
|
||||
$sshd_ports = [ $sshd_port ]
|
||||
} elsif ! $sshd_ports {
|
||||
$sshd_ports = [ 22 ]
|
||||
}
|
||||
case $sshd_authorized_keys_file {
|
||||
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
|
||||
}
|
||||
case $sshd_hardened_ssl {
|
||||
'': { $sshd_hardened_ssl = 'no' }
|
||||
}
|
||||
case $sshd_sftp_subsystem {
|
||||
'': { $sshd_sftp_subsystem = '' }
|
||||
}
|
||||
case $sshd_head_additional_options {
|
||||
'': { $sshd_head_additional_options = '' }
|
||||
}
|
||||
case $sshd_tail_additional_options {
|
||||
'': { $sshd_tail_additional_options = '' }
|
||||
}
|
||||
case $sshd_ensure_version {
|
||||
'': { $sshd_ensure_version = "present" }
|
||||
}
|
||||
case $sshd_print_motd {
|
||||
'': {
|
||||
case $operatingsystem {
|
||||
debian,ubuntu: { $sshd_print_motd = "no" }
|
||||
default: { $sshd_print_motd = "yes" }
|
||||
}
|
||||
}
|
||||
}
|
||||
case $sshd_shared_ip {
|
||||
'': { $sshd_shared_ip = "no" }
|
||||
class sshd(
|
||||
$nagios_check_ssh = hiera('nagios_check_ssh',true),
|
||||
$nagios_check_ssh_hostname = hiera('nagios_check_ssh_hostname','absent'),
|
||||
$ports = hiera('sshd_ports',[ 22 ]),
|
||||
$shared_ip = hiera('sshd_shared_ip','no'),
|
||||
$ensure_version = hiera('sshd_ensure_version','installed'),
|
||||
$listen_address = hiera('sshd_listen_address',[ '0.0.0.0', '::' ]),
|
||||
$allowed_users = hiera('sshd_allowed_users',''),
|
||||
$allowed_groups = hiera('sshd_allowed_groups',''),
|
||||
$use_pam = hiera('sshd_use_pam','no'),
|
||||
$permit_root_login = hiera('sshd_permit_root_login','without-password'),
|
||||
$password_authentication = hiera('sshd_password_authentication','no'),
|
||||
$kerberos_authentication = hiera('sshd_kerberos_authentication','no'),
|
||||
$kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'),
|
||||
$kerberos_ticketcleanup = hiera('sshd_kerberos_ticketcleanup','yes'),
|
||||
$gssapi_authentication = hiera('sshd_gssapi_authentication','no'),
|
||||
$gssapi_cleanupcredentials = hiera('sshd_gssapi_cleanupcredentials','yes'),
|
||||
$tcp_forwarding = hiera('sshd_tcp_forwarding','no'),
|
||||
$x11_forwarding = hiera('sshd_x11_forwarding','no'),
|
||||
$agent_forwarding = hiera('sshd_agent_forwarding','no'),
|
||||
$challenge_response_authentication = hiera('sshd_challenge_response_authentication','no'),
|
||||
$pubkey_authentication = hiera('sshd_pubkey_authentication','yes'),
|
||||
$rsa_authentication = hiera('rsa_authentication','no'),
|
||||
$strict_modes = hiera('sshd_strict_modes','yes'),
|
||||
$ignore_rhosts = hiera('sshd_ignore_rhosts','yes'),
|
||||
$rhosts_rsa_authentication = hiera('sshd_rhosts_rsa_authentication','no'),
|
||||
$hostbased_authentication = hiera('sshd_hostbased_authentication','no'),
|
||||
$permit_empty_passwords = hiera('sshd_permit_empty_passwords','no'),
|
||||
$authorized_keys_file = hiera('sshd_authorized_keys_file','%h/.ssh/authorized_keys'),
|
||||
$hardened_ssl = hiera('sshd_hardened_ssl','no'),
|
||||
$sftp_subsystem = hiera('sshd_sftp_subsystem',''),
|
||||
$head_additional_options = hiera('sshd_head_additional_options',''),
|
||||
$tail_additional_options = hiera('sshd_tail_additional_options',''),
|
||||
$print_motd = hiera('sshd_print_motd','yes')
|
||||
) {
|
||||
|
||||
class{'sshd::client':
|
||||
shared_ip => $sshd::shared_ip,
|
||||
ensure_version => $sshd::ensure_version
|
||||
}
|
||||
|
||||
include sshd::client
|
||||
|
||||
case $operatingsystem {
|
||||
case $::operatingsystem {
|
||||
gentoo: { include sshd::gentoo }
|
||||
redhat,centos: { include sshd::redhat }
|
||||
centos: { include sshd::centos }
|
||||
openbsd: { include sshd::openbsd }
|
||||
debian,ubuntu: { include sshd::debian }
|
||||
default: { include sshd::base }
|
||||
}
|
||||
|
||||
if $use_nagios {
|
||||
case $nagios_check_ssh {
|
||||
false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
|
||||
default: {
|
||||
sshd::nagios{$sshd_ports:
|
||||
check_hostname => $nagios_check_ssh_hostname ? {
|
||||
'' => 'absent',
|
||||
undef => 'absent',
|
||||
default => $nagios_check_ssh_hostname
|
||||
}
|
||||
}
|
||||
}
|
||||
if hiera('use_nagios',false) and $sshd::nagios_check_ssh {
|
||||
sshd::nagios{$sshd::ports:
|
||||
check_hostname => $sshd::nagios_check_ssh_hostname
|
||||
}
|
||||
}
|
||||
|
||||
if $use_shorewall{
|
||||
if hiera('use_shorewall', false) {
|
||||
class{'shorewall::rules::ssh':
|
||||
ports => $sshd_ports,
|
||||
ports => $sshd::ports,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
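Review bot: Two of the new hiera keys in the `class sshd(` parameter list are misspelt, so values set under the documented `sshd_*` names are silently ignored and the defaults win: `$kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'),` should read `$kerberos_orlocalpasswd = hiera('sshd_kerberos_orlocalpasswd','yes'),` and `$rsa_authentication = hiera('rsa_authentication','no'),` should read `$rsa_authentication = hiera('sshd_rsa_authentication','no'),`. The old `$sshd_port`/`$sshd_ports` conflict check and the `$sshd_port` fallback are gone, so a node that still sets the singular key presumably ends up on the `[ 22 ]` default with no warning; a README line or a `warning()` when the legacy key is present would make that migration visible. `class{'sshd::client': ...}` is a resource-like declaration, which raises a duplicate-declaration error on any node that already did `include sshd::client` before `sshd` is evaluated, if such nodes exist.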
@ -1,7 +1,7 @@
|
|||
# manifests/libssh2/devel.pp
|
||||
|
||||
class sshd::libssh2::devel inherits sshd::libssh2 {
|
||||
package{"libssh2-devel.${architecture}":
|
||||
package{"libssh2-devel.${::architecture}":
|
||||
ensure => installed,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
class sshd::linux inherits sshd::base {
|
||||
package{openssh:
|
||||
ensure => $sshd_ensure_version,
|
||||
ensure => $sshd::ensure_version,
|
||||
}
|
||||
File[sshd_config]{
|
||||
require +> Package[openssh],
|
||||
|
|
|
@ -11,7 +11,7 @@ define sshd::nagios(
|
|||
'absent': {
|
||||
nagios::service{"ssh_port_${name}":
|
||||
ensure => $ensure,
|
||||
check_command => "check_ssh_port!$real_port"
|
||||
check_command => "check_ssh_port!${real_port}"
|
||||
}
|
||||
}
|
||||
default: {
|
||||
|
|
|
@ -10,22 +10,22 @@
|
|||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# only protocol 2
|
||||
Protocol 2
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
|
||||
|
@ -48,83 +48,39 @@ SyslogFacility AUTHPRIV
|
|||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login %>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
#MaxAuthTries 6
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
|
@ -145,33 +101,21 @@ ChallengeResponseAuthentication no
|
|||
# session checks to run without PAM authentication, then enable this but set
|
||||
# ChallengeResponseAuthentication=no
|
||||
#UsePAM no
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
<%- end -%>
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
# Accept locale-related environment variables
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
|
@ -191,24 +135,20 @@ PrintMotd <%= sshd_print_motd %>
|
|||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then -%>
|
||||
Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||
<%- else -%>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users %>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then -%>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
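Review bot: The new `<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>` drops the `.to_s` the old template applied, so a value that hiera hands over as a YAML boolean or symbol no longer compares equal to `'yes'` and the `Ciphers`/`MACs` block is silently omitted — the lax direction for a hardening switch. Restoring `<% if scope.lookupvar('sshd::hardened_ssl').to_s == 'yes' -%>` keeps the old tolerance; the same line appears in the Debian template hunks and in the new CentOS_Final.erb. In the same hunk the `AllowGroups` block closes with `<%- end -%>` while every other new block uses `<% end -%>`; this appears harmless under the ERB trim mode but is worth aligning.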
@ -1 +0,0 @@
|
|||
CentOS.erb
|
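--- /dev/null
+++ b/templates/sshd_config/CentOS_Final.erb
@@ -0,0 +1,154 @@
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# only protocol 2
+Protocol 2
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+#MaxAuthTries 6
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>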
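Review bot: The `class sshd(` parameter list declares `$kerberos_authentication`, `$kerberos_orlocalpasswd`, `$kerberos_ticketcleanup`, `$gssapi_authentication` and `$gssapi_cleanupcredentials`, but this new template only emits the commented stock lines `#KerberosAuthentication no`, `#KerberosOrLocalPasswd yes`, `#KerberosTicketCleanup yes`, `#GSSAPIAuthentication no` and `#GSSAPICleanupCredentials yes` and never reads those parameters through `scope.lookupvar`, so setting them in hiera has no effect on this platform as far as the page shows. Either render them the way `UsePAM <%= scope.lookupvar('sshd::use_pam') %>` is rendered, or add a comment in the template (and a README line) stating that the Kerberos and GSSAPI parameters are not honoured here. The `AllowGroups` block also closes with `<%- end -%>` where the rest of the file uses `<% end -%>`.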
@ -1,21 +1,21 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
|
@ -39,80 +39,36 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 600
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# To change Kerberos options
|
||||
#KerberosAuthentication no
|
||||
|
@ -123,11 +79,7 @@ PasswordAuthentication no
|
|||
# Kerberos TGT Passing does only work with the AFS kaserver
|
||||
#KerberosTgtPassing yes
|
||||
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
X11DisplayOffset 10
|
||||
KeepAlive yes
|
||||
#UseLogin no
|
||||
|
@ -136,11 +88,7 @@ KeepAlive yes
|
|||
#Banner /etc/issue.net
|
||||
#ReverseMappingCheck yes
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -151,32 +99,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
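Review bot: `<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>` relies on `String#to_a` whenever the parameter is a single value rather than an array; that method only exists on Ruby 1.8, so on 1.9 and later the template raises NoMethodError and the catalog fails. `<% Array(scope.lookupvar('sshd::ports')).each do |port| -%>` (and likewise for `sshd::listen_address` a few lines below) handles scalars and arrays on every Ruby the module may run on. Whether the class guarantees an Array cannot be seen from this diff, so treat this as a hardening of the template rather than a known breakage. The same pattern appears in the hunks headed `-3,21 +3,21` (twice), `-16,21 +16,21` and in the new Debian_wheezy.erb.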
|
@ -39,80 +39,36 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 600
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# To change Kerberos options
|
||||
#KerberosAuthentication no
|
||||
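Review bot: `PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>` and `AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>` lose the fallbacks the removed lines had (`without-password` and `%h/.ssh/authorized_keys` when the variable was empty). The parameter defaults are not in this diff, so I cannot confirm an empty string can reach the template, but if it does the rendered directive has no argument, sshd rejects the whole file, and the service does not come back after the notify. Either keep a template-side default, e.g. `PermitRootLogin <%= (s=scope.lookupvar('sshd::permit_root_login')).empty? ? 'without-password' : s %>`, or document on the class that these parameters must be non-empty. The same applies to the hunks headed `-37,115 +37,47` (twice) and `-55,52 +55,24`.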
|
@ -123,11 +79,7 @@ PasswordAuthentication no
|
|||
# Kerberos TGT Passing does only work with the AFS kaserver
|
||||
#KerberosTgtPassing yes
|
||||
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
X11DisplayOffset 10
|
||||
KeepAlive yes
|
||||
#UseLogin no
|
||||
|
@ -139,11 +91,7 @@ KeepAlive yes
|
|||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -154,38 +102,26 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
|
||||
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
AllowAgentForwarding yes
|
||||
<%- else -%>
|
||||
AllowAgentForwarding no
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
@ -3,21 +3,21 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
|
@ -37,115 +37,47 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 600
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
|
||||
KerberosAuthentication yes
|
||||
<%- else -%>
|
||||
KerberosAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
|
||||
KerberosOrLocalPasswd yes
|
||||
<%- else -%>
|
||||
KerberosOrLocalPasswd no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
|
||||
KerberosTicketCleanup yes
|
||||
<%- else -%>
|
||||
KerberosTicketCleanup no
|
||||
<%- end -%>
|
||||
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
|
||||
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
|
||||
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
|
||||
|
||||
# GSSAPI options
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPIAuthentication yes
|
||||
<%- else -%>
|
||||
GSSAPIAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- else -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- end -%>
|
||||
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
|
||||
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
|
||||
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
X11DisplayOffset 10
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
|
||||
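Review bot: `KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>` looks like a typo: the removed line read `sshd_kerberos_orlocalpasswd`, and the neighbouring lookups use `kerberos_authentication` and `kerberos_ticketcleanup` without the stray `a`. The class parameter list is not in this diff, so please verify the name against the sshd class; a lookup of a parameter that does not exist may not fail loudly in a Puppet 2.7 template, so the rendered line would carry a bogus value rather than the intended yes/no. The same key appears in the later hunk headed `-37,115 +37,47` and in the new Debian_wheezy.erb.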
|
@ -157,11 +89,7 @@ TCPKeepAlive yes
|
|||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
AllowAgentForwarding yes
|
||||
<%- else -%>
|
||||
AllowAgentForwarding no
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
@ -3,21 +3,21 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
|
@ -37,115 +37,47 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 120
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
|
||||
KerberosAuthentication yes
|
||||
<%- else -%>
|
||||
KerberosAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
|
||||
KerberosOrLocalPasswd yes
|
||||
<%- else -%>
|
||||
KerberosOrLocalPasswd no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
|
||||
KerberosTicketCleanup yes
|
||||
<%- else -%>
|
||||
KerberosTicketCleanup no
|
||||
<%- end -%>
|
||||
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
|
||||
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
|
||||
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
|
||||
|
||||
# GSSAPI options
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPIAuthentication yes
|
||||
<%- else -%>
|
||||
GSSAPIAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- else -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- end -%>
|
||||
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
|
||||
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
|
||||
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
X11DisplayOffset 10
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
|
||||
|
@ -157,11 +89,7 @@ TCPKeepAlive yes
|
|||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
AllowAgentForwarding yes
|
||||
<%- else -%>
|
||||
AllowAgentForwarding no
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
Debian_sid.erb
|
123
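--- /dev/null
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -0,0 +1,123 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# What ports, IPs and protocols we listen for
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# Kerberos options
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
+
+# GSSAPI options
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
+
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+X11DisplayOffset 10
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+PrintLastLog yes
+TCPKeepAlive yes
+
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>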
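Review bot: With `Protocol 2` fixed in the new Debian_wheezy.erb, `KeyRegenerationInterval 3600` and `ServerKeyBits 768` only configure the SSH-1 ephemeral server key and are dead settings; dropping them, or commenting them out the way `#UseLogin no` and `#Banner /etc/issue.net` are, would make the rendered file easier to audit. `HostKey /etc/ssh/ssh_host_dsa_key` advertises an ssh-dss host key, which the protocol limits to 1024-bit DSA; consider whether this template should offer it alongside the RSA key at all. The header comment already says the file is managed by Puppet, which is good; a second line such as `# Directive values are rendered verbatim from the sshd class parameters` would tell whoever reads the file on the host where to change them.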
|
@ -16,21 +16,21 @@
|
|||
|
||||
#VersionAddendum FreeBSD-20100308
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
#AddressFamily any
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
|
||||
|
@ -55,52 +55,24 @@ LogLevel INFO
|
|||
# Authentication:
|
||||
|
||||
LoginGraceTime 600
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
|
@ -109,53 +81,21 @@ HostbasedAuthentication no
|
|||
#IgnoreRhosts yes
|
||||
|
||||
# Change to yes to enable built-in password authentication.
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable PAM authentication
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
|
||||
KerberosAuthentication yes
|
||||
<%- else -%>
|
||||
KerberosAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
|
||||
KerberosOrLocalPasswd yes
|
||||
<%- else -%>
|
||||
KerberosOrLocalPasswd no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
|
||||
KerberosTicketCleanup yes
|
||||
<%- else -%>
|
||||
KerberosTicketCleanup no
|
||||
<%- end -%>
|
||||
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
|
||||
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
|
||||
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
|
||||
|
||||
# GSSAPI options
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPIAuthentication yes
|
||||
<%- else -%>
|
||||
GSSAPIAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- else -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- end -%>
|
||||
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
|
||||
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
|
||||
|
||||
# Set this to 'no' to disable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -166,30 +106,14 @@ GSSAPICleanupCredentials yes
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
<%- end -%>
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
AllowAgentForwarding yes
|
||||
<%- else -%>
|
||||
AllowAgentForwarding no
|
||||
<%- end -%>
|
||||
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
#GatewayPorts no
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
|
||||
X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
|
@ -212,11 +136,7 @@ TCPKeepAlive yes
|
|||
#Banner none
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
|
@ -224,20 +144,18 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% end -%>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
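Review bot: The parameter name on the KerberosOrLocalPasswd line (`scope.lookupvar('sshd::kerberos_aorlocalpasswd')`) looks like a typo for `kerberos_orlocalpasswd`, which is what the removed `sshd_kerberos_orlocalpasswd` variable was called; the identical lookup appears in the new Ubuntu.erb. The class definition is not in view, so this is inferred from the old name, but if no parameter exists under that spelling Puppet 2.7's lookupvar hands back a placeholder (`:undefined`) and the rendered config reads `KerberosOrLocalPasswd undefined`, which sshd rejects at the next reload. I would change it to `KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %>` in both templates, matching whatever the class parameter is actually named.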
@ -10,20 +10,20 @@
|
|||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
#AddressFamily any
|
||||
|
@ -51,84 +51,39 @@ Protocol 2
|
|||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
PermitRootLogin without-password
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then %>
|
||||
StrictModes yes
|
||||
<%- else %>
|
||||
StrictModes no
|
||||
<%- end %>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= sshd_permit_root_login %>
|
||||
<%- else %>
|
||||
PermitRootLogin without-password
|
||||
<%- end %>
|
||||
#MaxAuthTries 6
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
RSAAuthentication yes
|
||||
<%- else %>
|
||||
RSAAuthentication no
|
||||
<%- end %>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
PubkeyAuthentication yes
|
||||
<%- else %>
|
||||
PubkeyAuthentication no
|
||||
<%- end %>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else %>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end %>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then %>
|
||||
PasswordAuthentication yes
|
||||
<%- else %>
|
||||
PasswordAuthentication no
|
||||
<%- end %>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else %>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end %>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
|
@ -151,27 +106,15 @@ ChallengeResponseAuthentication no
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then %>
|
||||
UsePAM yes
|
||||
<%- else %>
|
||||
UsePAM no
|
||||
<%- end %>
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
AllowTcpForwarding yes
|
||||
<%- else %>
|
||||
AllowTcpForwarding no
|
||||
<%- end %>
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
#GatewayPorts no
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
X11Forwarding yes
|
||||
<%- else %>
|
||||
X11Forwarding no
|
||||
<%- end %>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
|
@ -189,11 +132,7 @@ PrintMotd <%= sshd_print_motd %>
|
|||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/misc/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %>
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
|
@ -201,18 +140,19 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= sshd_allowed_users %>
|
||||
<%- end %>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<% end -%>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
|
|
|
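Review bot: The new guards call `.empty?` directly on the lookup result (the head_additional_options, sftp_subsystem, allowed_users, allowed_groups and tail_additional_options lines), whereas the code they replace went through `.to_s` first. If any of these parameters is ever undefined or non-string, Puppet 2.7's lookupvar returns a Symbol placeholder that has no `empty?`, so template compilation aborts instead of producing a config. Keeping the coercion costs nothing: `<% unless (s=scope.lookupvar('sshd::head_additional_options').to_s).empty? -%>`. The same caution applies to `.to_a` on the ports and listen_address lookups, since `String#to_a` no longer exists on Ruby 1.9; `Array(scope.lookupvar('sshd::ports'))` accepts both a list and a bare string on either interpreter.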
@ -8,20 +8,20 @@
|
|||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
#Protocol 2,1
|
||||
|
@ -45,83 +45,39 @@ ListenAddress <%= address %>
|
|||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= sshd_permit_root_login %>
|
||||
<%- else %>
|
||||
PermitRootLogin without-password
|
||||
<%- end %>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then %>
|
||||
StrictModes yes
|
||||
<%- else %>
|
||||
StrictModes no
|
||||
<%- end %>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
#MaxAuthTries 6
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
RSAAuthentication yes
|
||||
<%- else %>
|
||||
RSAAuthentication no
|
||||
<%- end %>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
PubkeyAuthentication yes
|
||||
<%- else %>
|
||||
PubkeyAuthentication no
|
||||
<%- end %>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else %>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end %>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then %>
|
||||
PasswordAuthentication yes
|
||||
<%- else %>
|
||||
PasswordAuthentication no
|
||||
<%- end %>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else %>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end %>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
|
@ -133,18 +89,10 @@ ChallengeResponseAuthentication no
|
|||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
AllowTcpForwarding yes
|
||||
<%- else %>
|
||||
AllowTcpForwarding no
|
||||
<%- end %>
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
#GatewayPorts no
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
X11Forwarding yes
|
||||
<%- else %>
|
||||
X11Forwarding no
|
||||
<%- end %>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
|
@ -165,18 +113,14 @@ PrintMotd <%= sshd_print_motd %>
|
|||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= sshd_allowed_users %>
|
||||
<%- end %>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
|
@ -184,11 +128,11 @@ AllowGroups <%= sshd_allowed_groups %>
|
|||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|
|
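Review bot: The yes/no options (IgnoreRhosts, PasswordAuthentication, PermitEmptyPasswords, ChallengeResponseAuthentication, AllowTcpForwarding, X11Forwarding) now print the parameter verbatim, whereas the removed code normalised anything other than 'yes' to `no`. A hiera value that arrives as a boolean or as 'true' therefore renders as `PasswordAuthentication true`, which sshd does not accept, so a mis-typed value surfaces only as a failed service reload rather than as a catalog error, and a tightening such as `permit_empty_passwords: no` may not take effect. Unless the class already validates these parameters, I would add a check there (for example stdlib's `validate_re($password_authentication, '^(yes|no)$')`) or restore the normalisation in the template, e.g. `PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication').to_s == 'yes' ? 'yes' : 'no' %>`. The same applies to the corresponding lines in the other templates touched by this commit.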
@ -1 +0,0 @@
|
|||
Debian_squeeze.erb
|
123
templates/sshd_config/Ubuntu.erb
|
@ -0,0 +1,123 @@
|
|||
# This file is managed by Puppet, all local modifications will be overwritten
|
||||
#
|
||||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_dsa_key
|
||||
#Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 768
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# Kerberos options
|
||||
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
|
||||
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
|
||||
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
|
||||
|
||||
# GSSAPI options
|
||||
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
|
||||
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
|
||||
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
X11DisplayOffset 10
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
|
||||
#UseLogin no
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
#Banner /etc/issue.net
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<% end -%>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
|
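Review bot: `PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>` has no fallback, while the template variants this commit rewrites previously fell back to `without-password` whenever the variable was empty. With an empty parameter this renders a `PermitRootLogin` directive with no argument, which sshd rejects, so the most security-sensitive line in the file becomes a parse error instead of a safe default. If the class cannot guarantee a non-empty value, keep the fallback in the template: `PermitRootLogin <%= (s=scope.lookupvar('sshd::permit_root_login').to_s).empty? ? 'without-password' : s %>`. A header comment stating that every `sshd::*` value is rendered verbatim and must be validated in the class would also help the next editor of this file.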
@ -1,21 +1,21 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
<%- end %>
|
||||
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- sshd_ports.each do |port| -%>
|
||||
<%- if port.to_s == 'off' then -%>
|
||||
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
|
||||
<% if port == 'off' -%>
|
||||
#Port -- disabled by puppet
|
||||
<% else -%>
|
||||
Port <%= port %>
|
||||
<% end -%>
|
||||
<%- end -%>
|
||||
<% end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in sshd_listen_address -%>
|
||||
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
|
@ -39,80 +39,36 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 600
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
|
||||
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
|
||||
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
|
||||
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
|
||||
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
|
||||
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
<%- end -%>
|
||||
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
|
||||
|
||||
# To change Kerberos options
|
||||
#KerberosAuthentication no
|
||||
|
@ -123,11 +79,7 @@ PasswordAuthentication no
|
|||
# Kerberos TGT Passing does only work with the AFS kaserver
|
||||
#KerberosTgtPassing yes
|
||||
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
<%- end -%>
|
||||
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
|
||||
X11DisplayOffset 10
|
||||
KeepAlive yes
|
||||
#UseLogin no
|
||||
|
@ -136,11 +88,7 @@ KeepAlive yes
|
|||
#Banner /etc/issue.net
|
||||
#ReverseMappingCheck yes
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -151,42 +99,28 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
<%- end -%>
|
||||
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
|
||||
|
||||
HostbasedUsesNameFromPacketOnly yes
|
||||
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
|
||||
|
||||
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
|
||||
AllowUsers <%= s %>
|
||||
<% end -%>
|
||||
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
|
||||
AllowGroups <%= s %>
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
AllowAgentForwarding yes
|
||||
<%- else -%>
|
||||
AllowAgentForwarding no
|
||||
<%- end -%>
|
||||
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
|
||||
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
PrintMotd <%= sshd_print_motd %>
|
||||
|
||||
<%- unless sshd_tail_additional_options.to_s.empty? then %>
|
||||
<%= sshd_tail_additional_options %>
|
||||
<%- end %>
|
||||
|
||||
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
|
||||
Ciphers aes128-ctr
|
||||
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
|
||||
Ciphers aes256-ctr
|
||||
MACs hmac-sha1
|
||||
<%- end %>
|
||||
<% end -%>
|
||||
|
||||
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
|
||||
<%= s %>
|
||||
<% end -%>
|
||||
|
|