Merge remote branch 'shared/master'
Conflicts: templates/sshd_config/Debian_squeeze.erb I always picked the shared repository version when conflicts arose. The only exception to this rule was: I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order to be consistent with existing Etch and Lenny templates. This is not the default Debian setting, but I would find it weird if a host had this setting changed by Puppet after upgrading to Squeeze. The right way to proceed would probably be to make this configurable.
commit
2f7903bcc4
2 changed files with 70 additions and 14 deletions
|
@ -76,7 +76,31 @@
|
|||
# sshd_password_authentication: If you want to enable password authentication or not
|
||||
# Valid values: yes or no
|
||||
# Default: no
|
||||
#
|
||||
#
|
||||
# sshd_kerberos_authentication: If you want the password that is provided by the user to be
|
||||
# validated through the Kerberos KDC. To use this option the
|
||||
# server needs a Kerberos servtab which allows the verification of
|
||||
# the KDC's identity.
|
||||
# Valid values: yes or no
|
||||
# Default: no
|
||||
#
|
||||
# sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password
|
||||
# will be validated via any additional local mechanism.
|
||||
# Valid values: yes or no
|
||||
# Default: yes
|
||||
#
|
||||
# sshd_kerberos_ticketcleanup: Destroy the user's ticket cache file on logout?
|
||||
# Valid values: yes or no
|
||||
# Default: yes
|
||||
#
|
||||
# sshd_gssapi_authentication: Authenticate users based on GSSAPI?
|
||||
# Valid values: yes or no
|
||||
# Default: no
|
||||
#
|
||||
# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout?
|
||||
# Valid values: yes or no
|
||||
# Default: yes
|
||||
#
|
||||
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
|
||||
# When disabled, s/key passowords are disabled
|
||||
# Valid values: yes or no
|
||||
|
@ -163,6 +187,21 @@ class sshd {
|
|||
case $sshd_password_authentication {
|
||||
'': { $sshd_password_authentication = 'no' }
|
||||
}
|
||||
case $sshd_kerberos_authentication {
|
||||
'': { $sshd_kerberos_authentication = 'no' }
|
||||
}
|
||||
case $sshd_kerberos_orlocalpasswd {
|
||||
'': { $sshd_kerberos_orlocalpasswd = 'yes' }
|
||||
}
|
||||
case $sshd_kerberos_ticketcleanup {
|
||||
'': { $sshd_kerberos_ticketcleanup = 'yes' }
|
||||
}
|
||||
case $sshd_gssapi_authentication {
|
||||
'': { $sshd_gssapi_authentication = 'no' }
|
||||
}
|
||||
case $sshd_gssapi_cleanupcredentials {
|
||||
'': { $sshd_gssapi_cleanupcredentials = 'yes' }
|
||||
}
|
||||
case $sshd_tcp_forwarding {
|
||||
'': { $sshd_tcp_forwarding = 'no' }
|
||||
}
|
||||
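Review bot: The new `case` blocks in the `-163,6 +187,21` hunk only supply a default for the empty string and accept any other value unchecked. The template changed in this same commit compares each variable with the exact string 'yes', so a value such as 'true' or 'Yes' for `sshd_kerberos_ticketcleanup` would render `KerberosTicketCleanup no` and leave the user's ticket cache in place after logout, the opposite of the documented default. Adding `'yes', 'no': { }` and `default: { fail("sshd_kerberos_ticketcleanup must be 'yes' or 'no'") }` to each block would turn a misspelt value into a catalog compile error instead of a silently weaker setting. The same applies to `sshd_kerberos_orlocalpasswd` and `sshd_gssapi_cleanupcredentials`. The body of class sshd continues outside the hunk.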
|
|
|
@ -1,5 +1,7 @@
|
|||
# This file is managed by Puppet, all local modifications will be overwritten
|
||||
#
|
||||
# Package generated configuration file
|
||||
# See the sshd_config(5) manpage for details
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
<%- unless sshd_head_additional_options.to_s.empty? then %>
|
||||
<%= sshd_head_additional_options %>
|
||||
|
@ -71,21 +73,18 @@ IgnoreRhosts yes
|
|||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
|
@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes
|
|||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
# Change to no to disable tunnelled clear text passwords
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
|
@ -112,14 +111,33 @@ PasswordAuthentication no
|
|||
<%- end -%>
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
|
||||
KerberosAuthentication yes
|
||||
<%- else -%>
|
||||
KerberosAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
|
||||
KerberosOrLocalPasswd yes
|
||||
<%- else -%>
|
||||
KerberosOrLocalPasswd no
|
||||
<%- end -%>
|
||||
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
|
||||
KerberosTicketCleanup yes
|
||||
<%- else -%>
|
||||
KerberosTicketCleanup no
|
||||
<%- end -%>
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPIAuthentication yes
|
||||
<%- else -%>
|
||||
GSSAPIAuthentication no
|
||||
<%- end -%>
|
||||
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- else -%>
|
||||
GSSAPICleanupCredentials yes
|
||||
<%- end -%>
|
||||
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
|
@ -130,6 +148,7 @@ X11DisplayOffset 10
|
|||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
|
||||
#UseLogin no
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
|
@ -173,8 +192,6 @@ AllowAgentForwarding yes
|
|||
AllowAgentForwarding no
|
||||
<%- end -%>
|
||||
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
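Review bot: The GSSAPICleanupCredentials block in the `-112,14 +111,33` hunk tests `sshd_gssapi_authentication` a second time and emits `GSSAPICleanupCredentials yes` in both branches, so the `sshd_gssapi_cleanupcredentials` parameter that the manifest documents and defaults is never read. The condition should be `<%- if sshd_gssapi_cleanupcredentials.to_s == 'yes' then -%>` and the else branch should emit `GSSAPICleanupCredentials no`. As written the rendered value is always the conservative one, but an operator who sets the parameter gets neither a change nor an error. This looks like a copy of the GSSAPIAuthentication block above it that was not fully edited.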
|
|