Merge branch 'master' of gitosis@labs.riseup.net:module_sshd

manifests/init.pp

@@ -13,7 +13,7 @@
 # the Free Software Foundation.
 #
 # Deploy authorized_keys file with the define
-#     sshd::deploy_auth_key
+#     sshd::ssh_authorized_key
 # 
 # sshd-config:
 #
@@ -40,6 +40,15 @@
 #                               to ensure that only user foobar and root
 #                               might login. 
 #                               Default: empty -> no restriction is set
+#
+# sshd_allowed_groups           list of groups separated by spaces.
+#                               set this for example to "wheel sftponly"
+#                               to ensure that only users in the groups
+#                               wheel and sftponly might login.
+#                               Default: empty -> no restriction is set
+#                               Note: This is set after sshd_allowed_users,
+#                                     take care of the behaviour if you use
+#                                     these 2 options together.
 # 
 # sshd_use_pam:                 if you want to use pam or not for authenticaton
 #                               Values: no or yes. 
@@ -100,6 +109,14 @@
 # sshd_authorized_keys_file:    Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
 #                               Default: AuthorizedKeysFile	%h/.ssh/authorized_keys
 #
+# sshd_sftp_subsystem:  Set a different sftp-subystem than the default one.
+#                       Might be interesting for sftponly usage
+#                       Default: empty -> no change of the default
+#
+# sshd_additional_options:  Set this to any additional sshd_options which aren't listed above.
+#                           As well this option might be usefull to define complexer Match Blocks
+#                           This string is going to be included, like it is defined. So take care!
+#                           Default: empty -> not added.
 
 class sshd {
     include sshd::client 
@@ -118,77 +135,68 @@ class sshd {
 
 class sshd::base {
     # prepare variables to use in templates
-    $real_sshd_listen_address = $sshd_listen_address ? {
+    case $sshd_listen_address {
-      '' => [ '0.0.0.0', '::' ],
+      '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
-      default => $sshd_listen_address
     }
-    $real_sshd_allowed_users = $sshd_allowed_users ? {
+    case $sshd_allowed_users {
-        ''  => '',
+        '': { $sshd_allowed_users = '' }
-        default => $sshd_allowed_users
     }
-    $real_sshd_use_pam = $sshd_use_pam ? {
+    case $sshd_allowed_groups {
-        '' => 'no',
+      '': { $sshd_allowed_groups = '' }
-        default => $sshd_use_pam
     }
-    $real_sshd_permit_root_login = $sshd_permit_root_login ? {
+    case $sshd_use_pam {
-        '' => 'without-password',
+        '': { $sshd_use_pam = 'no' }
-        default => $sshd_permit_root_login
     }
-    $real_sshd_password_authentication = $sshd_password_authentication ? {
+    case $sshd_permit_root_login {
-        '' => 'no',
+        '': { $sshd_permit_root_login = 'without-password' }
-        default => $sshd_password_authentication
     }
-    $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
+    case $sshd_password_authentication {
-    	'' => 'no',
+        '': { $sshd_password_authentication = 'no' }
-	default => $sshd_tcp_forwarding
     }
-    $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
+    case $sshd_tcp_forwarding {
-        '' => 'no',
+    	'': { $sshd_tcp_forwarding = 'no' }
-        default => $sshd_x11_forwarding
     }
-    $real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
+    case $sshd_x11_forwarding {
-    	'' => 'no',
+        '': { $sshd_x11_forwarding = 'no' }
-	default => $sshd_agent_forwarding
     }
-    $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
+    case $sshd_agent_forwarding {
-        '' => 'no',
+    	'': { $sshd_agent_forwarding = 'no' }
-	default => $sshd_challenge_response_authentication
     }
-    $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
+    case $sshd_challenge_response_authentication {
-    	'' => 'yes',
+        '': { $sshd_challenge_response_authentication = 'no' }
-	default => $sshd_pubkey_authentication
     }
-    $real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
+    case $sshd_pubkey_authentication {
-    	'' => 'no',
+    	'': { $sshd_pubkey_authentication = 'yes' }
-	default => $sshd_rsa_authentication
     }
-    $real_sshd_strict_modes = $sshd_strict_modes ? {
+    case $sshd_rsa_authentication {
-    	'' => 'yes',
+    	'': { $sshd_rsa_authentication = 'no' }
-	default => $sshd_strict_modes
     }
-    $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
+    case $sshd_strict_modes {
-        '' => 'yes',
+    	'': { $sshd_strict_modes = 'yes' }
-	default => $sshd_ignore_rhosts
     }
-    $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
+    case $sshd_ignore_rhosts {
-    	'' => 'no',
+        '': { $sshd_ignore_rhosts = 'yes' }
-	default => $sshd_rhosts_rsa_authentication
     }
-    $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
+    case $sshd_rhosts_rsa_authentication {
-    	'' => 'no',
+    	'': { $sshd_rhosts_rsa_authentication = 'no' }
-	default => $sshd_hostbased_authentication
     }
-    $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
+    case $sshd_hostbased_authentication {
-    	'' => 'no',
+    	'': { $sshd_hostbased_authentication = 'no' }
-	default => $sshd_permit_empty_passwords
     }
-    $real_sshd_port = $sshd_port ? {
+    case $sshd_permit_empty_passwords {
-      '' => 22,
+    	'': { $sshd_permit_empty_passwords = 'no' }
-      default => $sshd_port
     }
-    $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
+    case $sshd_port {
-      '' => "%h/.ssh/authorized_keys",
+      '': { $sshd_port = 22 }
-      default => $sshd_authorized_keys_file
+    }
+    case $sshd_authorized_keys_file {
+      '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+    }
+    case $sshd_sftp_subsystem {
+        '': { $sshd_sftp_subsystem = '' }
+    }
+    case $sshd_additional_options {
+        '': { $sshd_additional_options = '' }
     }
       
     file { 'sshd_config':
@@ -294,43 +302,3 @@ define sshd::ssh_authorized_key(
         }
     }
 }
-
-# deprecated!
-define sshd::deploy_auth_key(
-        $source = 'present',
-        $user = 'root', 
-        $target_dir = '/root/.ssh/', 
-        $group = 0 ) {
-
-        notice("this way of deploying authorized keys is deprecated. use the native ssh_authorized_key instead")
-
-        $real_target = $target_dir ? {
-                '' => "/home/$user/.ssh/",
-                default => $target_dir,
-        }
-
-        file {$real_target:
-                ensure => directory,
-                owner => $user,
-                group => $group,
-                mode => 700,
-        }
-
-        case $source {
-            'present': { $keysource = $name }
-            default: { $keysource = $source }
-        }
-
-        file {"authorized_keys_${user}":
-                path => "$real_target/authorized_keys",
-                owner => $user,
-                group => $group,
-                mode => 600,
-                source => [ "puppet://$server/files/sshd/authorized_keys/${keysource}",
-                    "puppet://$server/files/sshd/authorized_keys/${fqdn}",
-                    "puppet://$server/files/sshd/authorized_keys/default",
-                    "puppet://$server/sshd/authorized_keys/${name}",
-                    "puppet://$server/sshd/authorized_keys/${fqdn}",
-                    "puppet://$server/sshd/authorized_keys/default" ],
-        }
-}

templates/sshd_config/CentOS.erb

@@ -10,14 +10,14 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless real_sshd_port.to_s.empty? then %>
+<%- unless sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+Port <%= sshd_port %>
 <%- else %>
 Port 22
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 #AddressFamily any
@@ -42,13 +42,13 @@ SyslogFacility AUTHPRIV
 # Authentication:
 
 #LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+PermitRootLogin <%= sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
 <%- else %>
 StrictModes no
@@ -56,33 +56,33 @@ StrictModes no
 
 #MaxAuthTries 6
 
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes
 <%- else %>
 RSAAuthentication no
 <%- end %>
 
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
 <%- else %>
 PubkeyAuthentication no
 <%- end %>
 
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else %>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
 RhostsRSAAuthentication yes
 <%- else %>
 RhostsRSAAuthentication no
 <% end -%>
 
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
 HostbasedAuthentication yes
 <%- else %>
 HostbasedAuthentication no
@@ -93,28 +93,28 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts no
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
 IgnoreRhosts yes
 <%- else %>
 IgnoreRhosts no
 <% end -%>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
 PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
 ChallengeResponseAuthentication yes
 <%- else %>
 ChallengeResponseAuthentication no
@@ -141,7 +141,7 @@ GSSAPICleanupCredentials yes
 # session checks to run without PAM authentication, then enable this but set 
 # ChallengeResponseAuthentication=no
 #UsePAM no
-<%- if real_sshd_use_pam.to_s == 'yes' then %>
+<%- if sshd_use_pam.to_s == 'yes' then %>
 UsePAM yes
 <%- else %>
 UsePAM no
@@ -152,7 +152,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 AcceptEnv LC_IDENTIFICATION LC_ALL
 
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
 AllowTcpForwarding yes
 <%- else %>
 AllowTcpForwarding no
@@ -160,7 +160,7 @@ AllowTcpForwarding no
 
 #GatewayPorts no
 #X11Forwarding no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
 X11Forwarding yes
 <%- else %>
 X11Forwarding no
@@ -186,7 +186,21 @@ X11Forwarding no
 #Banner /some/path
 
 # override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 Subsystem	sftp	/usr/libexec/openssh/sftp-server
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
+<%- else %>
-AllowUsers <%= real_sshd_allowed_users %>
+Subsystem      sftp    <%= sshd_sftp_subsystem %>
 <%- end %>
+
+<%- unless sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
+

templates/sshd_config/Debian_etch.erb

@@ -2,14 +2,14 @@
 # See the sshd(8) manpage for details
 
 # What ports, IPs and protocols we listen for
-<%- unless real_sshd_port.to_s.empty? then -%>
+<%- unless sshd_port.to_s.empty? then -%>
-Port <%= real_sshd_port -%>
+Port <%= sshd_port -%>
 <%- else -%>
 Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -33,52 +33,52 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= real_sshd_permit_root_login -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
 <%- else -%>
 PermitRootLogin without-password
 <%- end -%>
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
 StrictModes yes
 <%- else -%>
 StrictModes no
 <%- end -%>
 
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
 RSAAuthentication yes
 <%- else -%>
 RSAAuthentication no
 <%- end -%>
 
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
 PubkeyAuthentication yes
 <%- else -%>
 PubkeyAuthentication no
 <%- end -%>
 
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else -%>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end -%>
 
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
 RhostsRSAAuthentication yes
 <%- else -%>
 RhostsRSAAuthentication no
 <% end -%>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
 IgnoreRhosts yes
 <%- else -%>
 IgnoreRhosts no
 <% end -%>
 
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
 HostbasedAuthentication yes
 <%- else -%>
 HostbasedAuthentication no
@@ -88,21 +88,21 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
 ChallengeResponseAuthentication yes
 <%- else -%>
 ChallengeResponseAuthentication no
 <%- end -%>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
 PasswordAuthentication yes
 <%- else -%>
 PasswordAuthentication no
@@ -117,7 +117,7 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
 X11Forwarding yes
 <%- else -%>
 X11Forwarding no
@@ -130,7 +130,11 @@ KeepAlive yes
 #Banner /etc/issue.net
 #ReverseMappingCheck yes
 
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 #Subsystem	sftp	/usr/lib/sftp-server
+<%- else %>
+Subsystem      sftp    <%= sshd_sftp_subsystem %>
+<%- end %>
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -141,7 +145,7 @@ KeepAlive yes
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+<%- if sshd_use_pam.to_s == 'yes' then -%>
 UsePAM yes
 <%- else -%>
 UsePAM no
@@ -149,7 +153,7 @@ UsePAM no
 
 HostbasedUsesNameFromPacketOnly yes
 
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
 AllowTcpForwarding yes
 <%- else -%>
 AllowTcpForwarding no
@@ -157,7 +161,16 @@ AllowTcpForwarding no
 
 ChallengeResponseAuthentication no
 
-<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= real_sshd_allowed_users -%>
+AllowUsers <%= sshd_allowed_users -%>
 <%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
+
 

templates/sshd_config/Debian_lenny.erb

@@ -2,14 +2,14 @@
 # See the sshd(8) manpage for details
 
 # What ports, IPs and protocols we listen for
-<%- unless real_sshd_port.to_s.empty? then -%>
+<%- unless sshd_port.to_s.empty? then -%>
-Port <%= real_sshd_port -%>
+Port <%= sshd_port -%>
 <%- else -%>
 Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -33,52 +33,52 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= real_sshd_permit_root_login -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
 <%- else -%>
 PermitRootLogin without-password
 <%- end -%>
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
 StrictModes yes
 <%- else -%>
 StrictModes no
 <%- end -%>
 
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
 RSAAuthentication yes
 <%- else -%>
 RSAAuthentication no
 <%- end -%>
 
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
 PubkeyAuthentication yes
 <%- else -%>
 PubkeyAuthentication no
 <%- end -%>
 
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else -%>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end -%>
 
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
 RhostsRSAAuthentication yes
 <%- else -%>
 RhostsRSAAuthentication no
 <% end -%>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
 IgnoreRhosts yes
 <%- else -%>
 IgnoreRhosts no
 <% end -%>
 
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
 HostbasedAuthentication yes
 <%- else -%>
 HostbasedAuthentication no
@@ -88,21 +88,21 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
 ChallengeResponseAuthentication yes
 <%- else -%>
 ChallengeResponseAuthentication no
 <%- end -%>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
 PasswordAuthentication yes
 <%- else -%>
 PasswordAuthentication no
@@ -117,7 +117,7 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
 X11Forwarding yes
 <%- else -%>
 X11Forwarding no
@@ -130,7 +130,11 @@ KeepAlive yes
 #Banner /etc/issue.net
 #ReverseMappingCheck yes
 
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 #Subsystem	sftp	/usr/lib/sftp-server
+<%- else %>
+Subsystem      sftp    <%= sshd_sftp_subsystem %>
+<%- end %>
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -141,7 +145,7 @@ KeepAlive yes
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+<%- if sshd_use_pam.to_s == 'yes' then -%>
 UsePAM yes
 <%- else -%>
 UsePAM no
@@ -149,13 +153,13 @@ UsePAM no
 
 HostbasedUsesNameFromPacketOnly yes
 
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
 AllowTcpForwarding yes
 <%- else -%>
 AllowTcpForwarding no
 <%- end -%>
 
-<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
+<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
 AllowAgentForwarding yes
 <%- else -%>
 AllowAgentForwarding no
@@ -163,7 +167,15 @@ AllowAgentForwarding no
 
 ChallengeResponseAuthentication no
 
-<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= real_sshd_allowed_users -%>
+AllowUsers <%= sshd_allowed_users -%>
 <%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
 

templates/sshd_config/Gentoo.erb

@@ -10,14 +10,14 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless real_sshd_port.to_s.empty? then %>
+<%- unless sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+Port <%= sshd_port %>
 <%- else %>
 Port 22
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 #AddressFamily any
@@ -47,46 +47,46 @@ Protocol 2
 #LoginGraceTime 2m
 PermitRootLogin without-password
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
 <%- else %>
 StrictModes no
 <%- end %>
 
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+PermitRootLogin <%= sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
 #MaxAuthTries 6
 
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes
 <%- else %>
 RSAAuthentication no
 <%- end %>
 
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
 <%- else %>
 PubkeyAuthentication no
 <%- end %>
 
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else %>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
 RhostsRSAAuthentication yes
 <%- else %>
 RhostsRSAAuthentication no
 <% end -%>
 
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
 HostbasedAuthentication yes
 <%- else %>
 HostbasedAuthentication no
@@ -97,28 +97,28 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts no
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
 IgnoreRhosts yes
 <%- else %>
 IgnoreRhosts no
 <% end -%>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
 PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
 ChallengeResponseAuthentication yes
 <%- else %>
 ChallengeResponseAuthentication no
@@ -145,20 +145,20 @@ ChallengeResponseAuthentication no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then %>
+<%- if sshd_use_pam.to_s == 'yes' then %>
 UsePAM yes
 <%- else %>
 UsePAM no
 <%- end %>
 
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
 AllowTcpForwarding yes
 <%- else %>
 AllowTcpForwarding no
 <%- end %>
 
 #GatewayPorts no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
 X11Forwarding yes
 <%- else %>
 X11Forwarding no
@@ -183,7 +183,11 @@ X11Forwarding no
 #Banner /some/path
 
 # override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 Subsystem	sftp	/usr/lib/misc/sftp-server
+<%- else %>
+Subsystem      sftp    <%= sshd_sftp_subsystem %>
+<%- end %>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -191,6 +195,16 @@ Subsystem	sftp	/usr/lib/misc/sftp-server
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
+<%- unless sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+AllowUsers <%= sshd_allowed_users %>
 <%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
+
+

templates/sshd_config/OpenBSD.erb

@@ -8,14 +8,14 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless real_sshd_port.to_s.empty? then %>
+<%- unless sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+Port <%= sshd_port %>
 <%- else %>
 Port 22
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 #Protocol 2,1
@@ -39,13 +39,13 @@ ListenAddress <%= address %>
 # Authentication:
 
 #LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+PermitRootLogin <%= sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
 <%- else %>
 StrictModes no
@@ -53,33 +53,33 @@ StrictModes no
 
 #MaxAuthTries 6
 
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes
 <%- else %>
 RSAAuthentication no
 <%- end %>
 
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
 <%- else %>
 PubkeyAuthentication no
 <%- end %>
 
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else %>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end %>
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
 RhostsRSAAuthentication yes
 <%- else %>
 RhostsRSAAuthentication no
 <% end -%>
 
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
 HostbasedAuthentication yes
 <%- else %>
 HostbasedAuthentication no
@@ -90,28 +90,28 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts no
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
 IgnoreRhosts yes
 <%- else %>
 IgnoreRhosts no
 <% end -%>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
 PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
 ChallengeResponseAuthentication yes
 <%- else %>
 ChallengeResponseAuthentication no
@@ -127,14 +127,14 @@ ChallengeResponseAuthentication no
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
 AllowTcpForwarding yes
 <%- else %>
 AllowTcpForwarding no
 <%- end %>
 
 #GatewayPorts no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
 X11Forwarding yes
 <%- else %>
 X11Forwarding no
@@ -159,10 +159,17 @@ X11Forwarding no
 #Banner /some/path
 
 # override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 Subsystem	sftp	/usr/libexec/sftp-server
+<%- else %>
+Subsystem	sftp	<%= sshd_sftp_subsystem %>
+<%- end %>
 
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
+<%- unless sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
 # Example of overriding settings on a per-user basis
@@ -170,3 +177,7 @@ AllowUsers <%= real_sshd_allowed_users %>
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>